From: "evvers at ya dot ru" <sourceware-bugzilla@sourceware.org>
To: elfutils-devel@sourceware.org
Subject: [Bug libelf/29000] New: Conditional jump or move depends on uninitialised value in elf_compress_gnu
Date: Fri, 25 Mar 2022 00:09:31 +0000 [thread overview]
Message-ID: <bug-29000-10460@http.sourceware.org/bugzilla/> (raw)
https://sourceware.org/bugzilla/show_bug.cgi?id=29000
Bug ID: 29000
Summary: Conditional jump or move depends on uninitialised
value in elf_compress_gnu
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: evvers at ya dot ru
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 14035
--> https://sourceware.org/bugzilla/attachment.cgi?id=14035&action=edit
file triggering valgrind warning
It was found with MSan on OSS-Fuzz but can be reproduced with Valgrind by
applying https://sourceware.org/pipermail/elfutils-devel/2022q1/004767.html and
running the following commands:
```
autoreconf -i -f
./configure --enable-maintainer-mode
make V=1 -j$(nproc)
make -C tests fuzz-libelf V=1
LD_LIBRARY_PATH="$(pwd)/libelf;$(pwd)/libdw" DEBUGINFOD_URLS= valgrind
--track-origins=yes ./tests/fuzz-libelf
clusterfuzz-testcase-minimized-fuzz-libelf-6467719510228992
```
```
unning: ../clusterfuzz-testcase-minimized-fuzz-libelf-6467719510228992
==65519== Conditional jump or move depends on uninitialised value(s)
==65519== at 0x4868734: elf_compress_gnu (elf_compress_gnu.c:155)
==65519== by 0x401553: fuzz_logic_one (fuzz-libelf.c:41)
==65519== by 0x4016D9: LLVMFuzzerTestOneInput (fuzz-libelf.c:82)
==65519== by 0x4012B8: main (fuzz-main.c:33)
==65519== Uninitialised value was created by a heap allocation
==65519== at 0x484486F: malloc (vg_replace_malloc.c:381)
==65519== by 0x48606C6: convert_data (elf_getdata.c:168)
==65519== by 0x48606C6: __libelf_set_data_list_rdlock (elf_getdata.c:457)
==65519== by 0x48608C7: __elf_getdata_rdlock (elf_getdata.c:564)
==65519== by 0x486870A: elf_compress_gnu (elf_compress_gnu.c:150)
==65519== by 0x401553: fuzz_logic_one (fuzz-libelf.c:41)
==65519== by 0x4016D9: LLVMFuzzerTestOneInput (fuzz-libelf.c:82)
==65519== by 0x4012B8: main (fuzz-main.c:33)
==65519==
Done: ../clusterfuzz-testcase-minimized-fuzz-libelf-6467719510228992: (608
bytes)
==65519==
```
--
You are receiving this mail because:
You are on the CC list for the bug.
next reply other threads:[~2022-03-25 0:09 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-25 0:09 evvers at ya dot ru [this message]
2022-03-25 11:17 ` [Bug libelf/29000] " evvers at ya dot ru
2022-03-25 13:01 ` mark at klomp dot org
2022-03-29 22:35 ` mark at klomp dot org
2022-03-30 10:06 ` evvers at ya dot ru
2022-03-30 14:48 ` mark at klomp dot org
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-29000-10460@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=elfutils-devel@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).