From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 330E63858400; Sun, 19 Dec 2021 20:41:45 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 330E63858400
From: "evvers at ya dot ru" <sourceware-bugzilla@sourceware.org>
To: elfutils-devel@sourceware.org
Subject: [Bug libdw/28715] New: There seems to be an infinite loop in
 dwfl_segment_report_module
Date: Sun, 19 Dec 2021 20:41:44 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: elfutils
X-Bugzilla-Component: libdw
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: evvers at ya dot ru
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status
 bug_severity priority component assigned_to reporter cc target_milestone
 attachments.created
Message-ID: <bug-28715-10460@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: elfutils-devel@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Elfutils-devel mailing list <elfutils-devel.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/elfutils-devel>,
 <mailto:elfutils-devel-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/elfutils-devel/>
List-Help: <mailto:elfutils-devel-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/elfutils-devel>,
 <mailto:elfutils-devel-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Dec 2021 20:41:45 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=3D28715

            Bug ID: 28715
           Summary: There seems to be an infinite loop in
                    dwfl_segment_report_module
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libdw
          Assignee: unassigned at sourceware dot org
          Reporter: evvers at ya dot ru
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 13863
  --> https://sourceware.org/bugzilla/attachment.cgi?id=3D13863&action=3Ded=
it
File causing an infinite loop

It was reported today in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3D42645 . It can be
reproduced with `./src/stack`:
```
autoreconf -i -f
./configure --enable-maintainer-mode
make -j$(nproc) V=3D1
LD_LIBRARY_PATH=3D"./libdw;./libelf" ./src/stack --core ../oss-fuzz-42645
```
According to eu-stack it's in dwfl_segment_report_module
```
PID 212089 - process
TID 212089:
#0  0x00007f6af3447cd5 dwfl_segment_report_module
#1  0x00007f6af344bf88 dwfl_core_file_report@@ELFUTILS_0.158
#2  0x0000000000402ec7 parse_opt
#3  0x00007f6af30da472 argp_parse
#4  0x00000000004024eb main
#5  0x00007f6af2fe9560 __libc_start_call_main
#6  0x00007f6af2fe960c __libc_start_main@@GLIBC_2.34
#7  0x0000000000402725 _start
```
Below is the backtrace OSS-Fuzz attached to the issue (with line numbers):
```
        ALARM: working on the last Unit for 61 seconds
       and the timeout value is 60 (use -timeout=3DN to change)
=3D=3D822=3D=3D ERROR: libFuzzer: timeout after 61 seconds
    #0 0x4b22d4 in __sanitizer_print_stack_trace
/src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3
    #1 0x457438 in fuzzer::PrintStackTrace() cxa_noexception.cpp:0
    #2 0x43c329 in fuzzer::Fuzzer::AlarmCallback() cxa_noexception.cpp:0
    #3 0x7f1be648c3bf in libpthread.so.0
    #4 0x4aea5b in atomic_exchange<__sanitizer::atomic_uint32_t>
/src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_atomic_clang.h=
:67:7
    #5 0x4aea5b in acquire
/src/llvm-project/compiler-rt/lib/ubsan/ubsan_value.h:60:21
    #6 0x4aea5b in handleNegateOverflowImpl(__ubsan::OverflowData*, unsigned
long, __ubsan::ReportOptions)
/src/llvm-project/compiler-rt/lib/ubsan/ubsan_handlers.cpp:251:34
    #7 0x4aea2d in __ubsan_handle_negate_overflow
/src/llvm-project/compiler-rt/lib/ubsan/ubsan_handlers.cpp:277:3
    #8 0x517854 in dwfl_segment_report_module
/src/elfutils/libdwfl/dwfl_segment_report_module.c:581:58
    #9 0x4b8937 in dwfl_core_file_report
/src/elfutils/libdwfl/core-file.c:559:17
    #10 0x4b388e in LLVMFuzzerTestOneInput /src/fuzz-dwfl-core.c:52:6
    #11 0x43d953 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) cxa_noexception.cpp:0
    #12 0x429592 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsign=
ed
long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #13 0x42edec in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned ch=
ar
const*, unsigned long)) cxa_noexception.cpp:0
    #14 0x457bf2 in main
/src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0x7f1be62800b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #16 0x407d4d in _start
```

--=20
You are receiving this mail because:
You are on the CC list for the bug.=