From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id A4DF33858C60; Mon, 6 Dec 2021 13:16:03 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org A4DF33858C60 From: "evvers at ya dot ru" To: elfutils-devel@sourceware.org Subject: [Bug libdw/28660] New: ASan seems to complain about a "heap-buffer-overflow" Date: Mon, 06 Dec 2021 13:16:03 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: elfutils X-Bugzilla-Component: libdw X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: evvers at ya dot ru X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: elfutils-devel@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Elfutils-devel mailing list List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Dec 2021 13:16:03 -0000 https://sourceware.org/bugzilla/show_bug.cgi?id=3D28660 Bug ID: 28660 Summary: ASan seems to complain about a "heap-buffer-overflow" Product: elfutils Version: unspecified Status: UNCONFIRMED Severity: normal Priority: P2 Component: libdw Assignee: unassigned at sourceware dot org Reporter: evvers at ya dot ru CC: elfutils-devel at sourceware dot org Target Milestone: --- Created attachment 13826 --> https://sourceware.org/bugzilla/attachment.cgi?id=3D13826&action=3Ded= it File triggering a heap-buffer-overflow One of systemd fuzz targets triggered a "heap-buffer-overflow". It can be reproduced by building the master branch of the elfutils repository with AS= an and passing the attachment to `./src/stack`: ``` $ git describe elfutils-0.186-7-g99782bd2 autoreconf -i -f ./configure --enable-maintainer-mode CFLAGS=3D'-g -O1 -fno-omit-frame-point= er -fsanitize=3Daddress' CXXFLAGS=3D'-g -O1 -fno-omit-frame-pointer -fsanitize=3Daddress' ASAN_OPTIONS=3Ddetect_leaks=3D0 make -j$(nproc) V=3D1 LD_PRELOAD=3D"/lib64/libasan.so.6 ./libelf/libelf.so ./libdw/libdw.so" UBSAN_OPTIONS=3Dprint_stacktrace=3D1:print_summary=3D1 ./src/stack --core ../oss-fuzz-41566 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D85112=3D=3DERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001b70 at pc 0x7f96b3109a31 bp 0x7ffebaf7f470 sp 0x7ffebaf7f468 READ of size 4 at 0x602000001b70 thread T0 #0 0x7f96b3109a30 in dwfl_link_map_report /home/vagrant/elfutils/libdwfl/link_map.c:904 #1 0x7f96b310e877 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:548 #2 0x4037b8 in parse_opt /home/vagrant/elfutils/src/stack.c:595 #3 0x7f96b2d05f81 in __argp_parse (/lib64/libc.so.6+0x10cf81) #4 0x404b7d in main /home/vagrant/elfutils/src/stack.c:695 #5 0x7f96b2c20b74 in __libc_start_main (/lib64/libc.so.6+0x27b74) #6 0x40256d in _start (/home/vagrant/elfutils/src/stack+0x40256d) 0x602000001b71 is located 0 bytes to the right of 1-byte region [0x602000001b70,0x602000001b71) allocated by thread T0 here: #0 0x7f96b32b693f in __interceptor_malloc (/lib64/libasan.so.6+0xae93f) #1 0x7f96b31096c4 in dwfl_link_map_report /home/vagrant/elfutils/libdwfl/link_map.c:879 #2 0x7f96b310e877 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:548 #3 0x4037b8 in parse_opt /home/vagrant/elfutils/src/stack.c:595 #4 0x7f96b2d05f81 in __argp_parse (/lib64/libc.so.6+0x10cf81) #5 0x404b7d in main /home/vagrant/elfutils/src/stack.c:695 #6 0x7f96b2c20b74 in __libc_start_main (/lib64/libc.so.6+0x27b74) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vagrant/elfutils/libdwfl/link_map.c:904 in dwfl_link_map_report Shadow bytes around the buggy address: 0x0c047fff8310: fa fa 00 03 fa fa 00 04 fa fa fd fa fa fa fd fa 0x0c047fff8320: fa fa 00 03 fa fa 00 04 fa fa fd fa fa fa fd fa 0x0c047fff8330: fa fa 00 03 fa fa 00 04 fa fa fd fa fa fa fd fa 0x0c047fff8340: fa fa 00 03 fa fa 00 04 fa fa fd fa fa fa fd fa 0x0c047fff8350: fa fa 00 03 fa fa 00 04 fa fa fd fa fa fa fd fa =3D>0x0c047fff8360: fa fa 00 03 fa fa 00 04 fa fa 00 04 fa fa[01]fa 0x0c047fff8370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc =3D=3D85112=3D=3DABORTING ``` It was also reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3D41566 --=20 You are receiving this mail because: You are on the CC list for the bug.=