From: Evgeny Vereshchagin
Subject: OSS-Fuzz issue 42877
Date: Fri, 24 Dec 2021 00:49:53 +0300
Message-Id: <6E8C30A5-04FE-498A-9BA8-5484134B2629@ya.ru>
Cc: Mark Wielaard
To:
elfutils-devel@sourceware.org

Hi Mark,

I'm not subscribed to the mailing list so I can't seem to reply to
https://sourceware.org/pipermail/elfutils-devel/2021q4/004595.html directly.

All those issues can be reproduced by downloading public testcases and
passing them to ./fuzz/dwfl-core. That particular issue can be reproduced with

```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-address --enable-sanitize-undefined
make -j$(nproc) V=1
make -C tests fuzz-dwfl-core
wget -O CRASH https://oss-fuzz.com/download?testcase_id=4756614962348032
LD_LIBRARY_PATH="./libdw;./libelf" ./tests/fuzz-dwfl-core ./CRASH
Running: ./CRASH
=================================================================
==266852==ERROR: AddressSanitizer: unknown-crash on address 0x7f492ff9c000 at pc 0x7f4934340b00 bp 0x7ffc09558f30 sp 0x7ffc095586e0
READ of size 64 at 0x7f492ff9c000 thread T0
    #0 0x7f4934340aff in __interceptor_memcpy (/lib64/libasan.so.6+0x39aff)
    #1 0x7f4933f2aa90 in memcpy /usr/include/bits/string_fortified.h:29
    #2 0x7f4933f2aa90 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:385
    #3 0x7f4933f3a09d in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:559
    #4 0x40194b in LLVMFuzzerTestOneInput /home/vagrant/elfutils/tests/fuzz-dwfl-core.c:47
    #5 0x401411 in main /home/vagrant/elfutils/tests/fuzz-main.c:33
    #6 0x7f493310c55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #7 0x7f493310c60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #8 0x401654 in _start (/home/vagrant/elfutils/tests/fuzz-dwfl-core+0x401654)

Address 0x7f492ff9c000 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash (/lib64/libasan.so.6+0x39aff) in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0fe9a5feb7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9a5feb7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9a5feb7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9a5feb7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9a5feb7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe9a5feb800:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb810: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==266852==ABORTING
```
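The ASan output above is what a triager has to work from once an OSS-Fuzz testcase has been reproduced locally. The following Python script is an added example for this thread, not elfutils code and not something from the mail: it parses such a report into its error kind, faulting address, access size, first stack, the "wild pointer" note and the shadow byte marked with `=>`, and derives a deduplication key from the first project frames, skipping the sanitizer interceptor and the fortified memcpy wrapper from /usr/include so that the key lands on dwfl_segment_report_module. The report embedded in the script is the one quoted above, trimmed to one shadow line; the frame-filtering rules are the example's own convention, not OSS-Fuzz's.

```python
"""Triage helper: parse an AddressSanitizer report and derive a dedup signature.
Added example for this thread, not elfutils code; SAMPLE_REPORT is the report
from the mail above, embedded here as a constructed test input."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_REPORT = """\
==266852==ERROR: AddressSanitizer: unknown-crash on address 0x7f492ff9c000 at pc 0x7f4934340b00 bp 0x7ffc09558f30 sp 0x7ffc095586e0
READ of size 64 at 0x7f492ff9c000 thread T0
    #0 0x7f4934340aff in __interceptor_memcpy (/lib64/libasan.so.6+0x39aff)
    #1 0x7f4933f2aa90 in memcpy /usr/include/bits/string_fortified.h:29
    #2 0x7f4933f2aa90 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:385
    #3 0x7f4933f3a09d in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:559
    #4 0x40194b in LLVMFuzzerTestOneInput /home/vagrant/elfutils/tests/fuzz-dwfl-core.c:47
    #5 0x401411 in main /home/vagrant/elfutils/tests/fuzz-main.c:33
    #6 0x7f493310c55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #7 0x7f493310c60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #8 0x401654 in _start (/home/vagrant/elfutils/tests/fuzz-dwfl-core+0x401654)

Address 0x7f492ff9c000 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash (/lib64/libasan.so.6+0x39aff) in __interceptor_memcpy
Shadow bytes around the buggy address:
=>0x0fe9a5feb800:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==266852==ABORTING
"""

# Shadow byte legend, as printed at the end of the report above.
SHADOW_LEGEND = {
    "00": "addressable", "fa": "heap left redzone", "fd": "freed heap region",
    "f1": "stack left redzone", "f2": "stack mid redzone", "f3": "stack right redzone",
    "f5": "stack after return", "f8": "stack use after scope", "f9": "global redzone",
    "f6": "global init order", "f7": "poisoned by user", "fc": "container overflow",
    "ac": "array cookie", "bb": "intra object redzone", "fe": "ASan internal",
    "ca": "left alloca redzone", "cb": "right alloca redzone", "cc": "shadow gap",
    **{"%02x" % i: "partially addressable" for i in range(1, 8)}}

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-f]+) at pc (?P<pc>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)")
FRAME_RE = re.compile(r"#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>.+)")
SHADOW_RE = re.compile(r"=>0x[0-9a-f]+:\s*\[(?P<byte>[0-9a-f]{2})\]")
Frame = namedtuple("Frame", "index func location")  # location: "path:line" or "(object+offset)"


@dataclass
class AsanReport:
    kind: str                        # e.g. heap-buffer-overflow, unknown-crash
    address: int
    pc: int
    access: Optional[str] = None     # READ or WRITE
    size: Optional[int] = None       # bytes accessed
    thread: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)   # faulting stack only
    wild_pointer: bool = False       # address belongs to no region ASan knows about
    shadow_byte: Optional[str] = None   # look it up in SHADOW_LEGEND


def parse_asan_report(text: str) -> AsanReport:
    report, in_stack = None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(m["kind"], int(m["addr"], 16), int(m["pc"], 16))
            continue
        if report is None:
            continue                  # anything before the ERROR banner is noise
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size, report.thread = m["op"], int(m["size"]), m["thread"]
            in_stack = True           # the faulting stack follows the access line
            continue
        m = FRAME_RE.match(line)
        if m and (in_stack or (m["n"] == "0" and not report.frames)):
            in_stack = True           # SEGV reports have no access line: start at #0
            report.frames.append(Frame(int(m["n"]), m["func"], m["loc"]))
            continue
        in_stack = False              # blank line or other text ends the first stack
        if line.startswith("Address ") and line.endswith("is a wild pointer."):
            report.wild_pointer = True
        m = SHADOW_RE.match(line)
        if m:
            report.shadow_byte = m["byte"]
    if report is None:
        raise ValueError("no AddressSanitizer ERROR banner found")
    return report


NOISE_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer_")   # sanitizer runtime frames


def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """Error kind plus the first `depth` project frames. Sanitizer interceptors and
    inline libc wrappers from system headers are skipped (this example's own rule)."""
    keep = []
    for f in report.frames:
        if f.func.startswith(NOISE_PREFIXES) or "libasan" in f.location \
                or f.location.startswith("/usr/include/"):
            continue
        keep.append(f.func)
        if len(keep) == depth:
            break
    return report.kind + ":" + "|".join(keep)
```

Feed it the output of `./tests/fuzz-dwfl-core ./CRASH` instead of SAMPLE_REPORT to key real reproductions. For the report above it yields `unknown-crash:dwfl_segment_report_module|_new.dwfl_core_file_report|LLVMFuzzerTestOneInput`, and it keeps the two details that separate this report from an ordinary heap or stack overflow: ASan calls the address a wild pointer and the shadow byte under it is fe (ASan internal), so the 64-byte memcpy read is not inside any heap, stack or global object the sanitizer tracks and there is no redzone for it to name.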