public inbox for elfutils@sourceware.org
* [Bug libdw/28720] New: UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: evvers at ya dot ru @ 2021-12-22  0:35 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

            Bug ID: 28720
           Summary: UBSan: member access within misaligned address
                    0x7f6e8d80f142 for type 'struct Elf32_Phdr', which
                    requires 4 byte alignment
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libdw
          Assignee: unassigned at sourceware dot org
          Reporter: evvers at ya dot ru
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 13872
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13872&action=edit
File triggering misaligned access

While I was testing
https://sourceware.org/pipermail/elfutils-devel/2021q4/004584.html I passed
FUZZ_TIME=3600 to the test to run it for an hour and in the process it ran into
another misaligned access. Just to make sure it isn't
https://sourceware.org/bugzilla/show_bug.cgi?id=28685 I pulled the master
branch with the "fuzz" branch included. It can be reproduced with
`./src/stack`:
```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-undefined
make  -j$(nproc) V=1
UBSAN_OPTIONS=print_stacktrace=1:print_summary=1 \
LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core \
  ../SIGABRT.PC.7fffe516d84c.STACK.d7ffe76d7.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz
gelf_xlate.h:42:1: runtime error: member access within misaligned address
0x7f3827783142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
0x7f3827783142: note: pointer points here
 00 00  00 10 00 00 00 00 00 c5  00 10 00 00 00 00 00 00  00 10 00 00 00 00 00
00  01 00 00 00 06 15
              ^
    #0 0x7f38295f992c in Elf32_cvt_Phdr
/home/vagrant/elfutils/libelf/gelf_xlate.h:42
    #1 0x7f38295f8363 in elf32_xlatetom
/home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
    #2 0x7f382952a821 in dwfl_link_map_report
/home/vagrant/elfutils/libdwfl/link_map.c:925
    #3 0x7f382952de80 in _new.dwfl_core_file_report
/home/vagrant/elfutils/libdwfl/core-file.c:548
    #4 0x402fa0 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #5 0x7f382878b471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #6 0x4026aa in main /home/vagrant/elfutils/src/stack.c:695
    #7 0x7f382869a55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #8 0x7f382869a60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #9 0x402944 in _start (/home/vagrant/elfutils/src/stack+0x402944)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:42:1 in
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: evvers at ya dot ru @ 2021-12-22  1:00 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #1 from Evgeny Vereshchagin <evvers at ya dot ru> ---
FWIW There are at least 4 unique crashes honggfuzz has found related to either
"member access within misaligned address" or "load of misaligned address":

gelf_xlate.h:42:1: runtime error: member access within misaligned address

link_map.c:292:15: runtime error: load of misaligned address 0x7fffe5c60bde for
type 'Elf64_Addr'

link_map.c:283:15: runtime error: load of misaligned address

gelf_xlate.h:48:1: runtime error: member access within misaligned address


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: mark at klomp dot org @ 2021-12-24  1:10 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |ASSIGNED
           Assignee|unassigned at sourceware dot org   |mark at klomp dot org
   Last reconfirmed|                            |2021-12-24
                 CC|                            |mark at klomp dot org

--- Comment #2 from Mark Wielaard <mark at klomp dot org> ---
(In reply to Evgeny Vereshchagin from comment #1)
> FWIW There are at least 4 unique crashes honggfuzz has found related to either
> "member access within misaligned address" or "load of misaligned address":
> 
> gelf_xlate.h:42:1: runtime error: member access within misaligned address
> 
> link_map.c:292:15: runtime error: load of misaligned address 0x7fffe5c60bde
> for type 'Elf64_Addr'
> 
> link_map.c:283:15: runtime error: load of misaligned address
> 
> gelf_xlate.h:48:1: runtime error: member access within misaligned address

Interesting. I did run afl for some time (more than a day) and it found some
more issues, but none of these (yet?). I'll try honggfuzz in the future to see
if it can find some more.

Without reproducers for all of the above I don't know if I caught them all, but
I think the following two proposed patches (also on my fuzz branch) should fix
them:

https://sourceware.org/pipermail/elfutils-devel/2021q4/004598.html
https://sourceware.org/pipermail/elfutils-devel/2021q4/004599.html


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: evvers at ya dot ru @ 2021-12-24  8:05 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #3 from Evgeny Vereshchagin <evvers at ya dot ru> ---
As far as I can see with the fuzz branch rebased on top of my fuzzing branch
almost all the issues including
https://sourceware.org/pipermail/elfutils-devel/2021q4/004596.html are gone.
Thanks! I'll attach files triggering the remaining issues shortly:
```
$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 \
  LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core \
  SIGABRT.PC.7fffe4f4e84c.STACK.18f0f46b60.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz
link_map.c:1040:20: runtime error: variable length array bound evaluates to
non-positive value 0
    #0 0x7fbc58f053e9 in dwfl_link_map_report
/home/vagrant/elfutils/libdwfl/link_map.c:1040
    #1 0x7fbc59023fa7 in _new.dwfl_core_file_report
/home/vagrant/elfutils/libdwfl/core-file.c:552
    #2 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #3 0x7fbc581d9471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #4 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
    #5 0x7fbc580e855f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #6 0x7fbc580e860b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #7 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior link_map.c:1040:20 in
```
```
$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 \
  LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core \
  SIGABRT.PC.7fffe4f4e84c.STACK.1976b2f3ff.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz
gelf_xlate.h:48:1: runtime error: member access within misaligned address
0x7f0817719077 for type 'struct Elf32_Dyn', which requires 4 byte alignment
0x7f0817719077: note: pointer points here
 00 10 00 00 00  00 00 00 00 00 02 01 00  00 00 00 00 00 7f 45 46  4c 46 00 00
01 01 00 01  00 08 00
             ^
    #0 0x7f0822689542 in Elf32_cvt_Dyn
/home/vagrant/elfutils/libelf/gelf_xlate.h:48
    #1 0x7f082268835e in elf32_xlatetom
/home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
    #2 0x7f0819563307 in dwfl_segment_report_module
/home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:848
    #3 0x7f081956c06c in _new.dwfl_core_file_report
/home/vagrant/elfutils/libdwfl/core-file.c:563
    #4 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #5 0x7f0818721471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #6 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
    #7 0x7f081863055f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #8 0x7f081863060b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #9 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:48:1 in
```


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: evvers at ya dot ru @ 2021-12-24  8:06 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #4 from Evgeny Vereshchagin <evvers at ya dot ru> ---
Created attachment 13874
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13874&action=edit
File triggering "variable length array bound evaluates to non-positive value 0"


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: evvers at ya dot ru @ 2021-12-24  8:07 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #5 from Evgeny Vereshchagin <evvers at ya dot ru> ---
Created attachment 13875
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13875&action=edit
File triggering "member access within misaligned address"


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: evvers at ya dot ru @ 2021-12-24  8:17 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #6 from Evgeny Vereshchagin <evvers at ya dot ru> ---
(In reply to Mark Wielaard from comment #2)
> Interesting. I did run afl for some time (more than a day) and it found some
> more issues, but none of these (yet?). I'll try honggfuzz in the future to
> see if it can find some more.
> 

FWIW https://sourceware.org/pipermail/elfutils-devel/2021q4/004584.html should
make it much easier to use honggfuzz. It's safe to say that it was
battle-tested in the sense that it's compatible with gcc, clang, ASan, UBSan
and so on. Something like `make check V=1 VERBOSE=1 TESTS=run-fuzz-dwfl-core.sh
FUZZ_TIME=3600` allows running the fuzz target for an hour with honggfuzz (if
elfutils is built with `--enable-honggfuzz`)


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: mark at klomp dot org @ 2022-01-03 23:42 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #7 from Mark Wielaard <mark at klomp dot org> ---
(In reply to Evgeny Vereshchagin from comment #5)
> Created attachment 13875 [details]
> File triggering "member access within misaligned address"

Thanks. afl++ also found this (but only after 8 days...)
I pushed:

commit 9f70a762ab88ceebb8a48a7c9c3ce39ff7f205af
Author: Mark Wielaard <mark@klomp.org>
Date:   Fri Dec 24 02:01:32 2021 +0100

    libdwfl: Calculate addr to read by hand in link_map.c read_addrs.

    The gcc undefined sanitizer doesn't like the trick we use to calculate
    the (possibly) unaligned addresses to read. So calculate them by hand
    as unsigned char pointers.

    https://sourceware.org/bugzilla/show_bug.cgi?id=28720

    Signed-off-by: Mark Wielaard <mark@klomp.org>

Which should fix this particular issue.


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: evvers at ya dot ru @ 2022-01-04 18:58 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #8 from Evgeny Vereshchagin <evvers at ya dot ru> ---
(In reply to Mark Wielaard from comment #7)
> commit 9f70a762ab88ceebb8a48a7c9c3ce39ff7f205af
> Author: Mark Wielaard <mark@klomp.org>
> Date:   Fri Dec 24 02:01:32 2021 +0100
> 
>     libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
>     
>     The gcc undefined sanitizer doesn't like the trick we use to calculate
>     the (possibly) unaligned addresses to read. So calculate them by hand
>     as unsigned char pointers.
>     
>     https://sourceware.org/bugzilla/show_bug.cgi?id=28720
>     
>     Signed-off-by: Mark Wielaard <mark@klomp.org>
> 
> Which should fix this particular issue.


I'm not sure but it seems it can still be triggered with that commit applied:
```
$ git log --oneline -5
9f70a762 (HEAD -> master, origin/master, origin/HEAD) libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
5b490793 libdwfl: Call xlatetom on aligned buffers in dwfl_link_map_report
1cf73965 libdwfl: Make sure dwfl_elf_phdr_memory_callback returns at least minread
4fdd8588 libdwfl: Always clean up build_id.memory
8f8c78cc libdwfl: Handle unaligned Nhdr in dwfl_segment_report_module

$ autoreconf -i -f
$ ./configure --enable-maintainer-mode --enable-sanitize-undefined
$ make -j$(nproc) V=1

$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 \
  LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core \
  ./attachment.cgi\?id\=13875
gelf_xlate.h:48:1: runtime error: member access within misaligned address
0x7f5cd5612077 for type 'struct Elf32_Dyn', which requires 4 byte alignment
0x7f5cd5612077: note: pointer points here
 00 10 00 00 00  00 00 00 00 00 02 01 00  00 00 00 00 00 7f 45 46  4c 46 00 00
01 01 00 01  00 08 00
             ^
    #0 0x7f5cd74851fc in Elf32_cvt_Dyn
/home/vagrant/elfutils/libelf/gelf_xlate.h:48
    #1 0x7f5cd7484363 in elf32_xlatetom
/home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
    #2 0x7f5cd73b4fbf in dwfl_segment_report_module
/home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:848
    #3 0x7f5cd73b9fc9 in _new.dwfl_core_file_report
/home/vagrant/elfutils/libdwfl/core-file.c:563
    #4 0x402fa0 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #5 0x7f5cd6617471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #6 0x4026aa in main /home/vagrant/elfutils/src/stack.c:695
    #7 0x7f5cd652655f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #8 0x7f5cd652660b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #9 0x402944 in _start (/home/vagrant/elfutils/src/stack+0x402944)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:48:1 in
```


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: evvers at ya dot ru @ 2022-01-04 19:21 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #9 from Evgeny Vereshchagin <evvers at ya dot ru> ---
According to OSS-Fuzz, it looks like that commit triggered
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43307 (which was also
reported in
https://sourceware.org/pipermail/elfutils-devel/2022q1/004623.html):
```
$ wget -O CRASH 'https://oss-fuzz.com/download?testcase_id=4696722113167360'
$ LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./CRASH
AddressSanitizer:DEADLYSIGNAL
=================================================================
==153072==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbe8640afe0 (pc
0x7fbe89eb2fc7 bp 0x7fffe2855510 sp 0x7fffe2855020 T0)
==153072==The signal is caused by a READ memory access.
    #0 0x7fbe89eb2fc7 in __bswap_64 /usr/include/bits/byteswap.h:73
    #1 0x7fbe89eb2fc7 in read_addrs
/home/vagrant/elfutils/libdwfl/link_map.c:288
    #2 0x7fbe89eb2fc7 in report_r_debug
/home/vagrant/elfutils/libdwfl/link_map.c:341
    #3 0x7fbe89eb2fc7 in dwfl_link_map_report
/home/vagrant/elfutils/libdwfl/link_map.c:1117
    #4 0x7fbe89eb7103 in _new.dwfl_core_file_report
/home/vagrant/elfutils/libdwfl/core-file.c:552
    #5 0x403d06 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #6 0x7fbe89a90471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #7 0x40281d in main /home/vagrant/elfutils/src/stack.c:695
    #8 0x7fbe8999f55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #9 0x7fbe8999f60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #10 0x402c94 in _start (/home/vagrant/elfutils/src/stack+0x402c94)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/bits/byteswap.h:73 in __bswap_64
==153072==ABORTING
```


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: mark at klomp dot org @ 2022-01-04 21:37 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #10 from Mark Wielaard <mark at klomp dot org> ---
(In reply to Evgeny Vereshchagin from comment #8)
> (In reply to Mark Wielaard from comment #7)
> > commit 9f70a762ab88ceebb8a48a7c9c3ce39ff7f205af
> > Author: Mark Wielaard <mark@klomp.org>
> > Date:   Fri Dec 24 02:01:32 2021 +0100
> > 
> >     libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
> >     
> >     The gcc undefined sanitizer doesn't like the trick we use to calculate
> >     the (possibly) unaligned addresses to read. So calculate them by hand
> >     as unsigned char pointers.
> >     
> >     https://sourceware.org/bugzilla/show_bug.cgi?id=28720
> >     
> >     Signed-off-by: Mark Wielaard <mark@klomp.org>
> > 
> > Which should fix this particular issue.
> 
> 
> I'm not sure but it seems it can still be triggered with that commit applied:
> ```
> $ git log --oneline -5
> 9f70a762 (HEAD -> master, origin/master, origin/HEAD) libdwfl: Calculate
> addr to read by hand in link_map.c read_addrs.
> 5b490793 libdwfl: Call xlatetom on aligned buffers in dwfl_link_map_report
> 1cf73965 libdwfl: Make sure dwfl_elf_phdr_memory_callback returns at least
> minread
> 4fdd8588 libdwfl: Always clean up build_id.memory
> 8f8c78cc libdwfl: Handle unaligned Nhdr in dwfl_segment_report_module
> 
> $ autoreconf -i -f
> $ ./configure --enable-maintainer-mode --enable-sanitize-undefined
> $ make -j$(nproc) V=1
> 
> $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
> LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core
> ./attachment.cgi\?id\=13875
> gelf_xlate.h:48:1: runtime error: member access within misaligned address
> 0x7f5cd5612077 for type 'struct Elf32_Dyn', which requires 4 byte alignment

That is a different issue than the one reported in comment #5.
This bug might be split up for the different issues found.


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: evvers at ya dot ru @ 2022-01-04 22:02 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #11 from Evgeny Vereshchagin <evvers at ya dot ru> ---
(In reply to Mark Wielaard from comment #10)
> That is a different issue than the one reported in comment #5.
> This bug might be split up for the different issues found.

Sorry. I seem to have overlooked that. I think this issue can be closed then.
In the meantime, I've just opened https://github.com/google/oss-fuzz/pull/7092
(which should help to start catching issues like that on OSS-Fuzz). It'll sort
out duplicates automatically so I'd just wait for it to report what's left.
Thanks!


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: evvers at ya dot ru @ 2022-01-06  0:51 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

Evgeny Vereshchagin <evvers at ya dot ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #12 from Evgeny Vereshchagin <evvers at ya dot ru> ---
Forgot to close the issue.

As far as I can see there are two issues left. They were reported in
https://sourceware.org/pipermail/elfutils-devel/2022q1/004623.html and
https://sourceware.org/pipermail/elfutils-devel/2022q1/004629.html

Thanks!


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: mark at klomp dot org @ 2022-01-06 15:55 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #13 from Mark Wielaard <mark at klomp dot org> ---
(In reply to Evgeny Vereshchagin from comment #9)
> According to OSS-Fuzz, it looks like that commit triggered
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43307 (which was also
> reported in
> https://sourceware.org/pipermail/elfutils-devel/2022q1/004623.html):
> ```
> $ wget -O CRASH 'https://oss-fuzz.com/download?testcase_id=4696722113167360'
> $ LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./CRASH
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==153072==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbe8640afe0
> (pc 0x7fbe89eb2fc7 bp 0x7fffe2855510 sp 0x7fffe2855020 T0)
> ==153072==The signal is caused by a READ memory access.
>     #0 0x7fbe89eb2fc7 in __bswap_64 /usr/include/bits/byteswap.h:73
>     #1 0x7fbe89eb2fc7 in read_addrs
> /home/vagrant/elfutils/libdwfl/link_map.c:288
>     #2 0x7fbe89eb2fc7 in report_r_debug
> /home/vagrant/elfutils/libdwfl/link_map.c:341
>     #3 0x7fbe89eb2fc7 in dwfl_link_map_report
> /home/vagrant/elfutils/libdwfl/link_map.c:1117
>     #4 0x7fbe89eb7103 in _new.dwfl_core_file_report
> /home/vagrant/elfutils/libdwfl/core-file.c:552
>     #5 0x403d06 in parse_opt /home/vagrant/elfutils/src/stack.c:595
>     #6 0x7fbe89a90471 in argp_parse (/lib64/libc.so.6+0x11e471)
>     #7 0x40281d in main /home/vagrant/elfutils/src/stack.c:695
>     #8 0x7fbe8999f55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
>     #9 0x7fbe8999f60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
>     #10 0x402c94 in _start (/home/vagrant/elfutils/src/stack+0x402c94)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /usr/include/bits/byteswap.h:73 in __bswap_64
> ==153072==ABORTING
> ```

Interesting, that looks like an incomplete overflow check in read_addrs.
Proposed fix:
https://sourceware.org/pipermail/elfutils-devel/2022q1/004633.html

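An added example, not code from elfutils or from anyone in this thread, showing the two points the fixes discussed above turn on: decoding an ELF structure out of a core-file buffer at an offset that is not a multiple of its alignment (the misaligned Elf32_Phdr and Elf32_Dyn reports) without ever casting the pointer to the struct type, and writing the "does this range fit in the buffer" check so that it cannot wrap (the incomplete overflow check in read_addrs from comment #13). The phdr32 struct, the get32/get64/range_ok helpers, the 40-byte sample buffer and all function names are this example's own; elfutils' actual fixes copy the bytes into an aligned buffer and call xlatetom, which is a different technique from the byte-wise decode used here.

```c
/* Added example, not elfutils code: decode ELF structures from an untrusted,
 * arbitrarily aligned core-file buffer.  Two rules from this thread:
 *  1. never cast buf + off to a struct pointer; at an odd offset that is the
 *     undefined behaviour UBSan reports above.  Decode via unsigned char *.
 *  2. never compute off + n * size in a bounds check; it can wrap. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as Elf32_Phdr in <elf.h>, redeclared so no system header is needed. */
typedef struct {
  uint32_t p_type, p_offset, p_vaddr, p_paddr;
  uint32_t p_filesz, p_memsz, p_flags, p_align;
} phdr32;
#define PHDR32_SIZE 32u
#define ADDR64_SIZE 8u

/* Assemble a value from bytes in file byte order (le = little endian).
 * Works at any address and regardless of host byte order. */
static uint32_t get32(const unsigned char *p, bool le) {
  uint32_t b0 = p[0], b1 = p[1], b2 = p[2], b3 = p[3];
  return le ? (b0 | b1 << 8 | b2 << 16 | b3 << 24)
            : (b3 | b2 << 8 | b1 << 16 | b0 << 24);
}
static uint64_t get64(const unsigned char *p, bool le) {
  uint64_t w0 = get32(p, le), w1 = get32(p + 4, le);
  return le ? (w1 << 32 | w0) : (w0 << 32 | w1);
}

/* Is [off, off + n*size) inside len bytes?  No intermediate can wrap: the
 * subtraction is guarded by off <= len and a division never overflows. */
static bool range_ok(size_t len, size_t off, size_t n, size_t size) {
  if (off > len)
    return false;
  return size == 0 || n <= (len - off) / size;
}
/* The 'before' form: n * size wraps for large n and the check passes.  Kept
 * only to demonstrate the failure; do not use. */
static bool range_ok_naive(size_t len, size_t off, size_t n, size_t size) {
  return off + n * size <= len;
}

/* Decode the program header at byte offset off; buf + off may be odd. */
bool parse_phdr32(const unsigned char *buf, size_t len, size_t off, bool le,
                  phdr32 *out) {
  if (!range_ok(len, off, 1, PHDR32_SIZE))
    return false;
  const unsigned char *p = buf + off;     /* never cast to phdr32 * */
  out->p_type   = get32(p + 0, le);  out->p_offset = get32(p + 4, le);
  out->p_vaddr  = get32(p + 8, le);  out->p_paddr  = get32(p + 12, le);
  out->p_filesz = get32(p + 16, le); out->p_memsz  = get32(p + 20, le);
  out->p_flags  = get32(p + 24, le); out->p_align  = get32(p + 28, le);
  return true;
}

/* Read n consecutive 64-bit addresses, the shape of link_map.c's read_addrs. */
bool read_addrs64(const unsigned char *buf, size_t len, size_t off, size_t n,
                  bool le, uint64_t *out) {
  if (!range_ok(len, off, n, ADDR64_SIZE))
    return false;
  for (size_t i = 0; i < n; i++)
    out[i] = get64(buf + off + ADDR64_SIZE * i, le);
  return true;
}

/* Constructed sample: a little-endian PT_LOAD header at offset 2, so that
 * buf + 2 is not 4-byte aligned, the case UBSan complained about. */
#define SAMPLE_LEN 40
static const unsigned char sample[SAMPLE_LEN] = {
  0x00, 0x00,             /* pad: header starts misaligned */
  0x01, 0x00, 0x00, 0x00, /* p_type   = PT_LOAD */
  0x00, 0x10, 0x00, 0x00, /* p_offset = 0x1000 */
  0x00, 0x80, 0x04, 0x08, /* p_vaddr  = 0x08048000 */
  0x00, 0x80, 0x04, 0x08, /* p_paddr  = 0x08048000 */
  0xc5, 0x01, 0x00, 0x00, /* p_filesz = 0x1c5 */
  0xc5, 0x01, 0x00, 0x00, /* p_memsz  = 0x1c5 */
  0x05, 0x00, 0x00, 0x00, /* p_flags  = PF_R | PF_X */
  0x00, 0x10, 0x00, 0x00, /* p_align  = 0x1000; 6 zero bytes follow */
};

/* True when every parse and bounds-check result is as expected. */
bool demo(void) {
  phdr32 ph;
  uint64_t a[2];
  size_t huge = SIZE_MAX / ADDR64_SIZE + 1;        /* huge * 8 wraps to 0 */
  bool ok = parse_phdr32(sample, SAMPLE_LEN, 2, true, &ph)
         && ph.p_type == 1 && ph.p_vaddr == 0x08048000u
         && ph.p_filesz == 0x1c5 && ph.p_align == 0x1000;
  ok = ok && !parse_phdr32(sample, SAMPLE_LEN, 9, true, &ph);   /* 9 + 32 > 40 */
  ok = ok && read_addrs64(sample, SAMPLE_LEN, 2, 2, true, a)
         && a[0] == 0x0000100000000001ULL && a[1] == 0x0804800008048000ULL;
  ok = ok && !read_addrs64(sample, SAMPLE_LEN, 2, 5, true, a);  /* 2 + 40 > 40 */
  ok = ok && range_ok_naive(SAMPLE_LEN, 2, huge, ADDR64_SIZE)   /* wrongly passes */
         && !range_ok(SAMPLE_LEN, 2, huge, ADDR64_SIZE);        /* correctly fails */
  return ok;
}

int main(void) {
  puts(demo() ? "all checks behave as expected" : "MISMATCH");
  return demo() ? 0 : 1;
}
```

Build it with -fsanitize=undefined to confirm the decode at offset 2 is clean; the same input handed to a `(const phdr32 *)(sample + 2)` cast is what produces the "member access within misaligned address" report. The naive check is what a fuzzer's oversized element count slips past: with n = SIZE_MAX / 8 + 1 the product wraps to 0 and the range appears to fit.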

* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: mark at klomp dot org @ 2022-01-06 16:41 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #14 from Mark Wielaard <mark at klomp dot org> ---
(In reply to Evgeny Vereshchagin from comment #3)
> $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
> LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core
> SIGABRT.PC.7fffe4f4e84c.STACK.1976b2f3ff.CODE.-6.ADDR.0.INSTR.mov____%eax,
> %ebp.fuzz
> gelf_xlate.h:48:1: runtime error: member access within misaligned address
> 0x7f0817719077 for type 'struct Elf32_Dyn', which requires 4 byte alignment
> 0x7f0817719077: note: pointer points here
>  00 10 00 00 00  00 00 00 00 00 02 01 00  00 00 00 00 00 7f 45 46  4c 46 00
> 00 01 01 00 01  00 08 00
>              ^
>     #0 0x7f0822689542 in Elf32_cvt_Dyn
> /home/vagrant/elfutils/libelf/gelf_xlate.h:48
>     #1 0x7f082268835e in elf32_xlatetom
> /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
>     #2 0x7f0819563307 in dwfl_segment_report_module
> /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:848
>     #3 0x7f081956c06c in _new.dwfl_core_file_report
> /home/vagrant/elfutils/libdwfl/core-file.c:563
>     #4 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
>     #5 0x7f0818721471 in argp_parse (/lib64/libc.so.6+0x11e471)
>     #6 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
>     #7 0x7f081863055f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
>     #8 0x7f081863060b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
>     #9 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)
> 
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:48:1 in
> ```

Proposed patch for this issue:
https://sourceware.org/pipermail/elfutils-devel/2022q1/004635.html


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: mark at klomp dot org @ 2022-01-06 17:04 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #15 from Mark Wielaard <mark at klomp dot org> ---
(In reply to Evgeny Vereshchagin from comment #3)
> $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
> LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core
> SIGABRT.PC.7fffe4f4e84c.STACK.18f0f46b60.CODE.-6.ADDR.0.INSTR.mov____%eax,
> %ebp.fuzz
> link_map.c:1040:20: runtime error: variable length array bound evaluates to
> non-positive value 0
>     #0 0x7fbc58f053e9 in dwfl_link_map_report
> /home/vagrant/elfutils/libdwfl/link_map.c:1040
>     #1 0x7fbc59023fa7 in _new.dwfl_core_file_report
> /home/vagrant/elfutils/libdwfl/core-file.c:552
>     #2 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
>     #3 0x7fbc581d9471 in argp_parse (/lib64/libc.so.6+0x11e471)
>     #4 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
>     #5 0x7fbc580e855f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
>     #6 0x7fbc580e860b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
>     #7 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)
> 
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior link_map.c:1040:20 in

Proposed fix:
https://sourceware.org/pipermail/elfutils-devel/2022q1/004637.html

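The three reports in this thread share a pattern: raw segment bytes are handed to code that either casts them to an ELF struct type (the misaligned Elf32_Dyn access in comment #14), sizes an array by a count taken from the file (the zero-length VLA in comment #15), or checks `offset + count * size` in a way that can overflow (the read_addrs note earlier in the thread). The following is an added example, not elfutils code, of how a reader of a dynamic-section table can avoid all three: it assembles each word byte by byte so no Elf32_Dyn pointer is ever formed over unaligned data, rejects a zero count before anything is sized by it, and bounds-checks by dividing the remaining length instead of multiplying the count. The type name `Elf32_Dyn_ex`, the function names, and the sample image are this example's own; only the tag values 1 (DT_NEEDED) and 5 (DT_STRTAB) come from the ELF specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Layout of one ELF32 dynamic entry: d_tag and d_un, 8 bytes in the file.
   Defined here so the example does not depend on <elf.h>; the _ex suffix
   marks it as this example's type, not libelf's Elf32_Dyn. */
typedef struct {
  int32_t  d_tag;
  uint32_t d_val;
} Elf32_Dyn_ex;

#define DYN_SIZE    8u  /* size of an Elf32_Dyn in the file image */
#define DT_NULL_TAG 0   /* terminator tag of a dynamic table */

/* Assemble a 32-bit word from four bytes.  This is the alignment-safe
   equivalent of the cast-and-dereference that UBSan flagged: the source
   may sit at any byte offset because no Elf32_Dyn* is formed over it.
   The big_endian flag plays the role of the xlatetom byte swap. */
static uint32_t load32(const unsigned char *p, bool big_endian)
{
  if (big_endian)
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
  return  (uint32_t)p[0]        | ((uint32_t)p[1] << 8)
       | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse at most `count` dynamic entries found at byte offset `off` of a
   `len`-byte segment image into `out` (capacity `out_cap`), stopping at
   DT_NULL.  Returns the number of entries stored, or -1 when the request
   cannot be satisfied without reading outside the image. */
int parse_dyn_entries(const unsigned char *buf, size_t len, size_t off,
                      size_t count, bool big_endian,
                      Elf32_Dyn_ex *out, size_t out_cap)
{
  /* A zero count would become a zero-length VLA in code that sizes a
     scratch array by it (the link_map.c report); refuse it up front. */
  if (buf == NULL || out == NULL || count == 0)
    return -1;
  /* The offset must lie inside the image ... */
  if (off > len)
    return -1;
  /* ... and count entries must fit in what remains.  Dividing the remaining
     length cannot overflow, whereas `off + count * DYN_SIZE <= len` can
     wrap for a large count taken from an untrusted file. */
  if (count > (len - off) / DYN_SIZE)
    return -1;
  if (count > out_cap)
    return -1;

  size_t n = 0;
  for (size_t i = 0; i < count; i++)
    {
      const unsigned char *p = buf + off + i * DYN_SIZE;
      Elf32_Dyn_ex d;
      d.d_tag = (int32_t)load32(p, big_endian);
      d.d_val = load32(p + 4, big_endian);
      if (d.d_tag == DT_NULL_TAG)
        break;
      out[n++] = d;
    }
  return (int)n;
}

/* Constructed sample: one junk byte followed by three little-endian
   entries, so the table starts at offset 1 and is deliberately misaligned
   for a 4-byte type.  The d_val numbers are arbitrary. */
static const unsigned char sample_image[] = {
  0xAA,
  0x01,0x00,0x00,0x00, 0x10,0x00,0x00,0x00,   /* DT_NEEDED, 0x10   */
  0x05,0x00,0x00,0x00, 0x00,0x20,0x00,0x00,   /* DT_STRTAB, 0x2000 */
  0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,   /* DT_NULL           */
};

/* Parse the sample image from its misaligned offset 1. */
int parse_sample(Elf32_Dyn_ex *out, size_t cap)
{
  return parse_dyn_entries(sample_image, sizeof sample_image, 1, 3,
                           false, out, cap);
}

int main(void)
{
  Elf32_Dyn_ex dyn[3];
  int n = parse_sample(dyn, 3);
  printf("parsed %d entries\n", n);
  for (int i = 0; i < n; i++)
    printf("  tag=%d val=0x%x\n", dyn[i].d_tag, dyn[i].d_val);
  /* Zero and oversized counts are refused instead of read past the image. */
  printf("count=0 -> %d\n", parse_dyn_entries(sample_image, sizeof sample_image,
                                              1, 0, false, dyn, 3));
  printf("count=SIZE_MAX -> %d\n", parse_dyn_entries(sample_image, sizeof sample_image,
                                                     1, SIZE_MAX, false, dyn, 3));
  return 0;
}
```

Built with `-fsanitize=undefined` this runs clean on the odd offset, because the only memory accesses are byte loads; the same table read through an `Elf32_Dyn *` cast would trip the alignment check exactly as in the trace above.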

* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: evvers at ya dot ru @ 2022-01-06 17:36 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #16 from Evgeny Vereshchagin <evvers at ya dot ru> ---
I tested both patches with CFLite, AFL++ and honggfuzz for about ten minutes
under ASan/UBSan with the reproducer testcases included in the "seed" corpus. I
also unleashed the latest corpus provided by OSS-Fuzz on the fuzzer and it
found nothing. Looks like both issues are gone for good. Thanks!

FWIW I recently posted patch v4 where AFL/AFL++ is supported as well. I think
with both `--enable-honggfuzz` and `--enable-afl` it should be possible to
integrate it into buildbot smoothly. The patch can be found at
https://patchwork.sourceware.org/project/elfutils/patch/20211226160323.2450838-1-evvers@ya.ru/


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: evvers at ya dot ru @ 2022-01-06 20:52 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #17 from Evgeny Vereshchagin <evvers at ya dot ru> ---
FWIW I tested
https://sourceware.org/pipermail/elfutils-devel/2022q1/004637.html as well with
gcc (since it isn't reproducible with clang), honggfuzz and the latest OSS-Fuzz
corpus. That issue is gone too. Thanks!


* [Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
From: mark at klomp dot org @ 2022-01-07 16:39 UTC (permalink / raw)
  To: elfutils-devel

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #18 from Mark Wielaard <mark at klomp dot org> ---
Thanks for testing, I also ran afl++ locally for a couple of hours and things
look fine. So I pushed all 3 patches.

It would indeed be good to integrate fuzz testing, I'll take a closer look at
your patch next week. Thanks.


Thread overview: 19 messages
2021-12-22  0:35 [Bug libdw/28720] New: UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment evvers at ya dot ru
2021-12-22  1:00 ` [Bug libdw/28720] " evvers at ya dot ru
2021-12-24  1:10 ` mark at klomp dot org
2021-12-24  8:05 ` evvers at ya dot ru
2021-12-24  8:06 ` evvers at ya dot ru
2021-12-24  8:07 ` evvers at ya dot ru
2021-12-24  8:17 ` evvers at ya dot ru
2022-01-03 23:42 ` mark at klomp dot org
2022-01-04 18:58 ` evvers at ya dot ru
2022-01-04 19:21 ` evvers at ya dot ru
2022-01-04 21:37 ` mark at klomp dot org
2022-01-04 22:02 ` evvers at ya dot ru
2022-01-06  0:51 ` evvers at ya dot ru
2022-01-06 15:55 ` mark at klomp dot org
2022-01-06 16:41 ` mark at klomp dot org
2022-01-06 17:04 ` mark at klomp dot org
2022-01-06 17:36 ` evvers at ya dot ru
2022-01-06 20:52 ` evvers at ya dot ru
2022-01-07 16:39 ` mark at klomp dot org
