Date: Thu, 31 Mar 2022 10:50:45 +0200
From: Mark Wielaard
To: oss-fuzz@monorail-prod.appspotmail.com
Cc: elfutils-devel@sourceware.org, ClusterFuzz-External via monorail
Subject: Re: Issue 46192 in oss-fuzz: elfutils:fuzz-libdwfl: Out-of-memory in fuzz-libdwfl

Hi,

On Wed, Mar 30, 2022 at 03:24:17PM -0700, ClusterFuzz-External via monorail via Elfutils-devel wrote:
> New issue 46192 by ClusterFuzz-External: elfutils:fuzz-libdwfl: Out-of-memory in fuzz-libdwfl
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46192
>
> Detailed Report: https://oss-fuzz.com/testcase?key=5364854623436800
>
> Project: elfutils
> Fuzzing Engine: libFuzzer
> Fuzz Target: fuzz-libdwfl
> Job Type: libfuzzer_asan_elfutils
> Platform Id: linux
>
> Crash Type: Out-of-memory (exceeds 2560 MB)
> Crash Address:
> Crash State:
> fuzz-libdwfl
>
> Sanitizer: address (ASAN)
>
> Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_elfutils&range=202203161800:202203170000
>
> Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=5364854623436800

The issue with this testcase is that it has hundreds of (bad) PT_NOTE segments. We are trying to find the build-id. For each (bogus) PT_NOTE segment we call elf_getdata_rawchunk. There is no way to get rid of a raw data chunk, except closing the Elf. So they just accumulate till we run out of memory.

I don't know of a good interface to dispose of raw data chunks. But we could mitigate this a bit by rejecting zero sized rawchunks and searching the rawchunks to see if we already have created a chunk for the requested offset, size and type. We currently don't keep track of the original offset, so that would need to be tracked then.

Cheers,

Mark
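As an added illustration of the mitigation proposed above (not elfutils code, and not libelf's real chunk structure), the model below keeps a list of raw chunks keyed by offset, size and type, refuses zero-sized requests, and reuses a matching chunk instead of allocating another one; the phdr table it scans is constructed to mimic the fuzzer input, with many PT_NOTE entries that are empty or repeat the same few regions. The `offset` field, `struct rawchunk` and `simulate_note_scan` are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of libelf's raw chunk list; not its real Elf_Data_Chunk. */
struct rawchunk {
    int64_t offset;          /* file offset, which libelf does not track today */
    size_t size;
    int type;                /* stands in for Elf_Type */
    struct rawchunk *next;
};

struct chunk_cache { struct rawchunk *head; size_t count; };

/* With mitigate set: refuse zero-sized requests and reuse an existing chunk
   with the same (offset, size, type) instead of allocating another one. */
static struct rawchunk *get_rawchunk(struct chunk_cache *c, int64_t offset,
                                     size_t size, int type, int mitigate)
{
    if (mitigate) {
        if (size == 0)
            return NULL;
        for (struct rawchunk *r = c->head; r != NULL; r = r->next)
            if (r->offset == offset && r->size == size && r->type == type)
                return r;    /* already cached: no new allocation */
    }
    struct rawchunk *r = calloc(1, sizeof *r);
    if (r == NULL)
        return NULL;
    r->offset = offset; r->size = size; r->type = type;
    r->next = c->head; c->head = r; c->count++;
    return r;
}

/* Scan a constructed table of nnotes PT_NOTE entries that, like the fuzzer
   input, are mostly empty or repeat the same bogus region (three distinct
   non-empty regions in total). Returns how many chunks stay allocated. */
size_t simulate_note_scan(size_t nnotes, int mitigate)
{
    struct chunk_cache c = { NULL, 0 };
    for (size_t i = 0; i < nnotes; i++) {
        int64_t p_offset = 0x1000 + (int64_t)(i % 3) * 0x100;
        size_t p_filesz = (i % 4 == 0) ? 0 : 64;
        get_rawchunk(&c, p_offset, p_filesz, 1 /* note type, modelled */, mitigate);
    }
    size_t kept = c.count;
    for (struct rawchunk *r = c.head; r != NULL;) {
        struct rawchunk *next = r->next; free(r); r = next;
    }
    return kept;
}
```

Without the mitigation the chunk count grows with the number of PT_NOTE entries; with it, the count is bounded by the number of distinct non-empty regions in the file.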