public inbox for elfutils@sourceware.org
* OSS-Fuzz issue 42877
@ 2021-12-23 21:49 Evgeny Vereshchagin
  2021-12-24  1:23 ` Mark Wielaard
  0 siblings, 1 reply; 2+ messages in thread
From: Evgeny Vereshchagin @ 2021-12-23 21:49 UTC (permalink / raw)
  To: elfutils-devel; +Cc: Mark Wielaard

Hi Mark,

I'm not subscribed to the mailing list so I can't seem to reply to
https://sourceware.org/pipermail/elfutils-devel/2021q4/004595.html directly.
All those issues can be reproduced by downloading public testcases and
passing them to ./fuzz/dwfl-core. That particular issue can be reproduced with
```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-address --enable-sanitize-undefined
make -j$(nproc) V=1
make -C tests fuzz-dwfl-core

wget -O CRASH https://oss-fuzz.com/download?testcase_id=4756614962348032

LD_LIBRARY_PATH="./libdw;./libelf" ./tests/fuzz-dwfl-core ./CRASH
Running: ./CRASH
=================================================================
==266852==ERROR: AddressSanitizer: unknown-crash on address 0x7f492ff9c000 at pc 0x7f4934340b00 bp 0x7ffc09558f30 sp 0x7ffc095586e0
READ of size 64 at 0x7f492ff9c000 thread T0
    #0 0x7f4934340aff in __interceptor_memcpy (/lib64/libasan.so.6+0x39aff)
    #1 0x7f4933f2aa90 in memcpy /usr/include/bits/string_fortified.h:29
    #2 0x7f4933f2aa90 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:385
    #3 0x7f4933f3a09d in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:559
    #4 0x40194b in LLVMFuzzerTestOneInput /home/vagrant/elfutils/tests/fuzz-dwfl-core.c:47
    #5 0x401411 in main /home/vagrant/elfutils/tests/fuzz-main.c:33
    #6 0x7f493310c55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #7 0x7f493310c60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #8 0x401654 in _start (/home/vagrant/elfutils/tests/fuzz-dwfl-core+0x401654)

Address 0x7f492ff9c000 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash (/lib64/libasan.so.6+0x39aff) in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0fe9a5feb7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9a5feb7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9a5feb7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9a5feb7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9a5feb7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe9a5feb800:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb810: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==266852==ABORTING
```


* Re: OSS-Fuzz issue 42877
  2021-12-23 21:49 OSS-Fuzz issue 42877 Evgeny Vereshchagin
@ 2021-12-24  1:23 ` Mark Wielaard
  0 siblings, 0 replies; 2+ messages in thread
From: Mark Wielaard @ 2021-12-24  1:23 UTC (permalink / raw)
  To: Evgeny Vereshchagin; +Cc: elfutils-devel

Hi Evgeny,

On Fri, Dec 24, 2021 at 12:49:53AM +0300, Evgeny Vereshchagin wrote:
> All those issues can be reproduced by downloading public testcases and
> passing them to ./fuzz/dwfl-core. That particular issue can be reproduced with
> ```
> autoreconf -i -f
> ./configure --enable-maintainer-mode --enable-sanitize-address --enable-sanitize-undefined
> make -j$(nproc) V=1
> make -C tests fuzz-dwfl-core
> 
> wget -O CRASH https://oss-fuzz.com/download?testcase_id=4756614962348032
> 
> LD_LIBRARY_PATH="./libdw;./libelf" ./tests/fuzz-dwfl-core ./CRASH
> Running: ./CRASH
> =================================================================
> ==266852==ERROR: AddressSanitizer: unknown-crash on address 0x7f492ff9c000 at pc 0x7f4934340b00 bp 0x7ffc09558f30 sp 0x7ffc095586e0
> READ of size 64 at 0x7f492ff9c000 thread T0
>     #0 0x7f4934340aff in __interceptor_memcpy (/lib64/libasan.so.6+0x39aff)
>     #1 0x7f4933f2aa90 in memcpy /usr/include/bits/string_fortified.h:29
>     #2 0x7f4933f2aa90 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:385

Thanks, that is useful. I think this issue has the same root cause as
an issue found by afl-fuzz for which I posted a patch here:
https://sourceware.org/pipermail/elfutils-devel/2021q4/004597.html

Cheers,

Mark


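Added example (editor's code, not part of this thread and not elfutils code): a small triage helper that parses an AddressSanitizer report like the one Evgeny posted and reduces it to a signature built from the first frames inside the project's own source. Two things in that report matter for triage: the error kind is `unknown-crash` on an address ASan calls a wild pointer (the shadow bytes under it are `fe`, ASan's internal marker), which means the 64-byte memcpy read from memory in no heap, stack or global region ASan tracks, so the frame to start from is the first one in elfutils itself, `dwfl_segment_report_module.c:385`, not the libasan or fortified-memcpy frames above it. Mark's judgement that two fuzzer findings share a root cause is the comparison the signature automates: build-tree prefixes, PIDs, addresses and harness frames are ignored. `REPORT_A` is a trimmed copy of the report in this thread; `REPORT_B` is a constructed stand-in for the afl-fuzz finding he refers to, not the real one. The `/elfutils/` path marker and the list of harness entry functions are assumptions.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Trimmed copy of the report posted in this thread (frames #6-#8 and the
# shadow-byte dump dropped; the parser does not need them).
REPORT_A = """\
==266852==ERROR: AddressSanitizer: unknown-crash on address 0x7f492ff9c000 at pc 0x7f4934340b00 bp 0x7ffc09558f30 sp 0x7ffc095586e0
READ of size 64 at 0x7f492ff9c000 thread T0
    #0 0x7f4934340aff in __interceptor_memcpy (/lib64/libasan.so.6+0x39aff)
    #1 0x7f4933f2aa90 in memcpy /usr/include/bits/string_fortified.h:29
    #2 0x7f4933f2aa90 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:385
    #3 0x7f4933f3a09d in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:559
    #4 0x40194b in LLVMFuzzerTestOneInput /home/vagrant/elfutils/tests/fuzz-dwfl-core.c:47
    #5 0x401411 in main /home/vagrant/elfutils/tests/fuzz-main.c:33

Address 0x7f492ff9c000 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash (/lib64/libasan.so.6+0x39aff) in __interceptor_memcpy
"""

# Constructed (hypothetical) second report: another build tree, PID and
# harness, same faulting path inside libdwfl. Not the real afl-fuzz report.
REPORT_B = """\
==4242==ERROR: AddressSanitizer: unknown-crash on address 0x7f1234567000 at pc 0x7f1234000b00
READ of size 64 at 0x7f1234567000 thread T0
    #0 0x7f1234000aff in __interceptor_memcpy (/lib64/libasan.so.6+0x39aff)
    #1 0x7f1233f2aa90 in dwfl_segment_report_module /build/elfutils/libdwfl/dwfl_segment_report_module.c:385
    #2 0x7f1233f3a09d in _new.dwfl_core_file_report /build/elfutils/libdwfl/core-file.c:559
    #3 0x40194b in main /build/elfutils/afl-harness.c:12

Address 0x7f1234567000 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash (/lib64/libasan.so.6+0x39aff) in __interceptor_memcpy
"""

@dataclass
class Frame:
    index: int
    function: str
    location: str        # "path:line", or "(module+offset)" when unsymbolised

@dataclass
class AsanReport:
    error_kind: str      # e.g. heap-buffer-overflow, unknown-crash
    address: int
    access: Optional[str] = None   # READ or WRITE
    size: Optional[int] = None
    wild_pointer: bool = False     # address is in no region ASan tracks
    frames: List[Frame] = field(default_factory=list)

_ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", re.M)
_ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
_FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (.+?)\s*$", re.M)
_WILD_RE = re.compile(r"^Address 0x[0-9a-f]+ is a wild pointer\.", re.M)

# Assumption: frames at or below the fuzzer entry point are harness code, not
# the library under test, so they never contribute to the signature.
HARNESS_FUNCS = {"LLVMFuzzerTestOneInput", "main"}

def parse_asan_report(text: str) -> AsanReport:
    m = _ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer report")
    rep = AsanReport(error_kind=m.group(1), address=int(m.group(2), 16))
    a = _ACCESS_RE.search(text)
    if a:
        rep.access, rep.size = a.group(1), int(a.group(2))
    rep.wild_pointer = _WILD_RE.search(text) is not None
    # Keep only the faulting stack: allocation/free stacks restart at #0.
    for f in _FRAME_RE.finditer(text):
        idx = int(f.group(1))
        if idx == 0 and rep.frames:
            break
        rep.frames.append(Frame(idx, f.group(2), f.group(3)))
    return rep

def crash_signature(rep: AsanReport, project_marker: str = "/elfutils/",
                    depth: int = 3) -> Tuple:
    """Error kind, access, size and up to `depth` in-project frames, with the
    build-tree prefix stripped so /home/x/elfutils and /build/elfutils agree.
    `project_marker` is an assumption about how the checkout is named."""
    frames = []
    for f in rep.frames:
        if f.function in HARNESS_FUNCS:
            break
        if project_marker not in f.location:
            continue          # libasan, libc, fortified wrappers: not ours
        rel = f.location.split(project_marker, 1)[1]
        frames.append((f.function, rel))
        if len(frames) == depth:
            break
    return (rep.error_kind, rep.access, rep.size, tuple(frames))

def same_root_cause(a: AsanReport, b: AsanReport) -> bool:
    return crash_signature(a) == crash_signature(b)

if __name__ == "__main__":
    # usage: triage.py [report.txt ...]; with no files, the embedded samples run
    texts = [open(p).read() for p in sys.argv[1:]] or [REPORT_A, REPORT_B]
    reports = [parse_asan_report(t) for t in texts]
    for r in reports:
        print(crash_signature(r), "(wild pointer)" if r.wild_pointer else "")
    if len(reports) == 2:
        print("same root cause:", same_root_cause(*reports))
```

The signature deliberately stops at the harness boundary and skips frames outside the project tree, so a crash seen through OSS-Fuzz's `fuzz-dwfl-core` and the same bug seen through an afl-fuzz harness collapse to one key; the wild-pointer flag is reported separately because it changes how the bug is read (an address ASan cannot classify rather than a redzone overrun) but does not change which bug it is.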