public inbox for elfutils@sourceware.org
* MemorySanitizer: Use-of-uninitialized-value in check_section
@ 2023-02-19 18:34 Evgeny Vereshchagin
  2023-02-20 11:06 ` Mark Wielaard
  0 siblings, 1 reply; 2+ messages in thread
From: Evgeny Vereshchagin @ 2023-02-19 18:34 UTC (permalink / raw)
  To: elfutils-devel

Hi,

OSS-Fuzz found https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56134
introduced in fda09f5f188fb173b2123815be71ca4647a8adfb but for some
reason it wasn't delivered to the mailing list. I opened
https://github.com/google/oss-fuzz/issues/9755 to figure out what went
wrong there but until then below is the full backtrace:
```
==2272==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x5fb3c7 in check_section /src/elfutils/libdw/dwarf_begin_elf.c:265:7
#1 0x5f8d3e in global_read /src/elfutils/libdw/dwarf_begin_elf.c:444:14
#2 0x5f8d3e in dwarf_begin_elf /src/elfutils/libdw/dwarf_begin_elf.c:595:9
#3 0x53f28c in load_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1341:13
#4 0x53c5b9 in find_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1391:16
#5 0x53c5b9 in dwfl_module_getdwarf /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1446:3
#6 0x534b72 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:54:3
#7 0x43dcf3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#8 0x429452 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#9 0x42ecfc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#10 0x458232 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#11 0x7fe0978dd0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
#12 0x41f61d in _start
Uninitialized value was created by a heap allocation
#0 0x4e2310 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:895:3
#1 0x6b9935 in convert_data /src/elfutils/libelf/elf_getdata.c:166:24
#2 0x6b9935 in __libelf_set_data_list_rdlock /src/elfutils/libelf/elf_getdata.c:455:7
#3 0x6ba571 in __elf_getdata_rdlock /src/elfutils/libelf/elf_getdata.c:562:5
#4 0x6ba6cd in elf_getdata /src/elfutils/libelf/elf_getdata.c:580:12
#5 0x5faec7 in check_section /src/elfutils/libdw/dwarf_begin_elf.c:246:20
#6 0x5f8d3e in global_read /src/elfutils/libdw/dwarf_begin_elf.c:444:14
#7 0x5f8d3e in dwarf_begin_elf /src/elfutils/libdw/dwarf_begin_elf.c:595:9
#8 0x53f28c in load_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1341:13
#9 0x53c5b9 in find_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1391:16
#10 0x53c5b9 in dwfl_module_getdwarf /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1446:3
#11 0x534b72 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:54:3
#12 0x43dcf3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#13 0x429452 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#14 0x42ecfc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#15 0x458232 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#16 0x7fe0978dd0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_elfutils_3ee01cb67db1a71e7adeb7f3f14722ea62f13cd5/revisions/fuzz-libdwfl+0x5fb3c7)
```

It can be reproduced with `readelf` and `valgrind`
```
wget -O OSS-FUZZ-56134 'https://oss-fuzz.com/download?testcase_id=6724057145147392'

LD_LIBRARY_PATH="$(pwd)/libdw:$(pwd)/libelf" DEBUGINFOD_URLS= valgrind --track-origins=yes ./src/readelf -w OSS-FUZZ-56134
==1373524== Memcheck, a memory error detector
==1373524== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==1373524== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==1373524== Command: ./src/readelf -w OSS-FUZZ-56134
==1373524==
==1373524== Conditional jump or move depends on uninitialised value(s)
==1373524== at 0x4887EAB: check_section (dwarf_begin_elf.c:265)
==1373524== by 0x48885EF: global_read (dwarf_begin_elf.c:444)
==1373524== by 0x48885EF: dwarf_begin_elf (dwarf_begin_elf.c:595)
==1373524== by 0x48A9F0C: load_dw (dwfl_module_getdwarf.c:1341)
==1373524== by 0x48AA0D0: find_dw (dwfl_module_getdwarf.c:1391)
==1373524== by 0x48AA0D0: dwfl_module_getdwarf (dwfl_module_getdwarf.c:1446)
==1373524== by 0x411109: print_debug (readelf.c:11467)
==1373524== by 0x413A31: process_elf_file (readelf.c:1062)
==1373524== by 0x4148BC: process_dwflmod (readelf.c:818)
==1373524== by 0x48A7F20: dwfl_getmodules (dwfl_getmodules.c:86)
==1373524== by 0x40954A: process_file (readelf.c:926)
==1373524== by 0x404D0E: main (readelf.c:395)
==1373524== Uninitialised value was created by a heap allocation
==1373524== at 0x484586F: malloc (vg_replace_malloc.c:381)
==1373524== by 0x48FEA25: convert_data (elf_getdata.c:166)
==1373524== by 0x48FEA25: __libelf_set_data_list_rdlock (elf_getdata.c:455)
==1373524== by 0x48FEC17: __elf_getdata_rdlock (elf_getdata.c:562)
==1373524== by 0x4887E6F: check_section (dwarf_begin_elf.c:246)
==1373524== by 0x48885EF: global_read (dwarf_begin_elf.c:444)
==1373524== by 0x48885EF: dwarf_begin_elf (dwarf_begin_elf.c:595)
==1373524== by 0x48A9F0C: load_dw (dwfl_module_getdwarf.c:1341)
==1373524== by 0x48AA0D0: find_dw (dwfl_module_getdwarf.c:1391)
==1373524== by 0x48AA0D0: dwfl_module_getdwarf (dwfl_module_getdwarf.c:1446)
==1373524== by 0x411109: print_debug (readelf.c:11467)
==1373524== by 0x413A31: process_elf_file (readelf.c:1062)
==1373524== by 0x4148BC: process_dwflmod (readelf.c:818)
==1373524== by 0x48A7F20: dwfl_getmodules (dwfl_getmodules.c:86)
==1373524== by 0x40954A: process_file (readelf.c:926)
==1373524==
./src/readelf: cannot get debug context descriptor: No DWARF information found
```

Thanks,
Evgeny Vereshchagin


* Re: MemorySanitizer: Use-of-uninitialized-value in check_section
  2023-02-19 18:34 MemorySanitizer: Use-of-uninitialized-value in check_section Evgeny Vereshchagin
@ 2023-02-20 11:06 ` Mark Wielaard
  0 siblings, 0 replies; 2+ messages in thread
From: Mark Wielaard @ 2023-02-20 11:06 UTC (permalink / raw)
  To: Evgeny Vereshchagin, elfutils-devel

Hi Evgeny,

On Sun, 2023-02-19 at 21:34 +0300, Evgeny Vereshchagin via Elfutils-devel wrote:
> OSS-Fuzz found https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56134
> introduced in fda09f5f188fb173b2123815be71ca4647a8adfb but for some
> reason it wasn't delivered to the mailing list. I opened
> https://github.com/google/oss-fuzz/issues/9755 to figure out what went
> wrong there

The email was slightly delayed because of spam/virus scan issues:
https://inbox.sourceware.org/overseers/abee4643c0e17900e094bf87460b99e628016fc5.camel@klomp.org/T/#u
But it reached the list eventually. Although it isn't in the inbox
because it contains HTML, it is in the mailman archive now (stripped of
the HTML):
https://sourceware.org/pipermail/elfutils-devel/2023q1/005946.html

The backtraces and valgrind reports are very helpful.
It isn't really introduced by commit
fda09f5f188fb173b2123815be71ca4647a8adfb "libdw: check that DWARF
strings are null-terminated" but that commit exposes an issue in
elf_getdata.c convert_data that probably existed for some time because
it starts checking data from the end of the section (where there is
garbage). It is probably in the "conversion function" not converting
extra garbage data at the end. The issue is trying to get a big endian
ELF file containing a .debug_line_str of type GNU_HASH (which is
nonsensical in the first place). There are a couple of ways to "fix"
this. I'll post some patch(es) soon.

Thanks,

Mark


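Mark's diagnosis above, in miniature: a conversion routine byte-swaps the whole elements of a section into a freshly malloc'd buffer and never writes the trailing bytes that do not fill an element, so a later check that looks at the end of the section (such as a null-termination test) reads memory that was never initialised. The program below is an added example, not elfutils code. The 4-byte element size, the 11-byte constructed sample section, the `copy_tail` switch and the chosen fix (copy the leftover bytes verbatim) are assumptions for illustration; libelf's real `convert_data` and its eventual fix may differ, and rejecting a section whose size is not a multiple of the element size would be another valid approach.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Element size of the conversion.  4-byte words stand in for the
   section type's element here; this is a demo assumption, not
   libelf's actual layout for any section type. */
#define ELEM 4

static uint32_t bswap32(uint32_t v)
{
    return ((v & 0x000000ffu) << 24) | ((v & 0x0000ff00u) << 8)
         | ((v & 0x00ff0000u) >> 8)  | ((v & 0xff000000u) >> 24);
}

/* Number of trailing bytes that do not form a whole element. */
size_t tail_bytes(size_t size)
{
    return size % ELEM;
}

/* Byte-swap the whole elements of SRC into a fresh malloc'd buffer.
   With copy_tail == false the trailing size % ELEM bytes are never
   written and hold whatever malloc returned; that is the shape of the
   defect MemorySanitizer and Valgrind report when a later check reads
   from the end of the section.  With copy_tail == true the tail is
   copied verbatim, so every byte of the result is defined. */
unsigned char *convert_words(const unsigned char *src, size_t size, bool copy_tail)
{
    unsigned char *dst = malloc(size ? size : 1);
    if (dst == NULL)
        return NULL;
    size_t whole = size / ELEM;
    for (size_t i = 0; i < whole; i++) {
        uint32_t v;
        memcpy(&v, src + i * ELEM, ELEM);
        v = bswap32(v);
        memcpy(dst + i * ELEM, &v, ELEM);
    }
    if (copy_tail)
        memcpy(dst + whole * ELEM, src + whole * ELEM, size - whole * ELEM);
    return dst;
}

/* A consumer in the spirit of a null-termination check: it looks only
   at the last byte of the converted section. */
bool last_byte_is_nul(const unsigned char *data, size_t size)
{
    return size > 0 && data[size - 1] == 0;
}

/* Constructed sample "section": 11 bytes, i.e. 2 whole big-endian
   words plus a 3-byte tail that ends in NUL. */
static const unsigned char sample[] = {
    0x00, 0x00, 0x00, 0x01,   /* word 0, big-endian 1 */
    0x00, 0x00, 0x00, 0x02,   /* word 1, big-endian 2 */
    0x61, 0x62, 0x00          /* tail: "ab\0" */
};
#define SAMPLE_LEN (sizeof sample)

/* Byte I of the fixed conversion of the sample, or -1 if out of range.
   Swapping bytes is host-order independent, so the result is the same
   on little- and big-endian hosts. */
int converted_byte(size_t i)
{
    if (i >= SAMPLE_LEN)
        return -1;
    unsigned char *d = convert_words(sample, SAMPLE_LEN, true);
    if (d == NULL)
        return -1;
    int b = d[i];
    free(d);
    return b;
}

/* Result of the end-of-section check on the fixed conversion. */
bool fixed_conversion_terminated(void)
{
    unsigned char *d = convert_words(sample, SAMPLE_LEN, true);
    bool ok = d != NULL && last_byte_is_nul(d, SAMPLE_LEN);
    free(d);
    return ok;
}

int main(void)
{
    /* Build with clang -fsanitize=memory, or run under
       valgrind --track-origins=yes: the check on the buggy buffer is
       reported as a use of an uninitialised value created by malloc. */
    unsigned char *buggy = convert_words(sample, SAMPLE_LEN, false);
    unsigned char *fixed = convert_words(sample, SAMPLE_LEN, true);
    if (buggy == NULL || fixed == NULL)
        return 1;
    printf("tail bytes left unwritten by the buggy path: %zu\n", tail_bytes(SAMPLE_LEN));
    printf("buggy: last byte NUL? %d\n", last_byte_is_nul(buggy, SAMPLE_LEN));
    printf("fixed: last byte NUL? %d\n", last_byte_is_nul(fixed, SAMPLE_LEN));
    free(buggy);
    free(fixed);
    return 0;
}
```

The point the sanitizer reports make is that the origin of the bad value is the malloc in the conversion routine, not the check that trips over it: a fix belongs where the buffer is filled, either by defining every byte of the output or by refusing input whose size does not divide into elements, rather than in the caller that happens to read the tail first.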