Subject: Re: Issue 62071 in oss-fuzz: elfutils:fuzz-libdwfl: Null-dereference READ in chunk_compare
From: Mark Wielaard
To: Evgeny Vereshchagin, elfutils-devel@sourceware.org
Cc: evv… via monorail
Date: Thu, 07 Sep 2023 14:36:13 +0200
In-Reply-To: <000000000000e1a42b0604c408ca@google.com>
References: <0=71cc74a7ba1af446b7ed6b9a08b414d9=1491f90a54bd791097d19cec88a861b0=oss-fuzz@monorail-prod.appspotmail.com> <000000000000e1a42b0604c408ca@google.com>

Hi Evgeny,

On Thu, 2023-09-07 at 05:31 -0700, evv… via monorail via Elfutils-devel wrote:
> Comment #1 on issue 62071 by evv...@gmail.com: elfutils:fuzz-libdwfl: Null-dereference READ in chunk_compare
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62071#c1
> 
> ```
> SCARINESS: 10 (null-deref)
> #0 0x82d35d1 in chunk_compare /src/elfutils/libelf/elf_getdata_rawchunk.c:49:25
> #1 0xf7caab3a in __tsearch
> #2 0x8156826 in __interceptor_tsearch /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:6057:15
> #3 0x82d2a8a in elf_getdata_rawchunk /src/elfutils/libelf/elf_getdata_rawchunk.c:98:28
> #4 0x81f4139 in find_elf_build_id /src/elfutils/libdwelf/dwelf_elf_gnu_build_id.c:88:28
> #5 0x81f3a28 in __libdwfl_find_elf_build_id /src/elfutils/libdwelf/dwelf_elf_gnu_build_id.c:142:10
> #6 0x82795e8 in __libdwfl_find_build_id /src/elfutils/libdwfl/dwfl_module_build_id.c:70:16
> #7 0x82795e8 in dwfl_module_build_id /src/elfutils/libdwfl/dwfl_module_build_id.c:91:20
> #8 0x81d7ec7 in dwfl_standard_find_debuginfo /src/elfutils/libdwfl/find-debuginfo.c:365:19
> #9 0x81d3340 in find_debuginfo /src/elfutils/libdwfl/dwfl_module_getdwarf.c:538:19
> #10 0x81cff0f in find_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1412:16
> #11 0x81cff0f in dwfl_module_getdwarf /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1446:3
> #12 0x81cad03 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:54:3
> #13 0x808ba2e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
> #14 0x808b168 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned int, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
> #15 0x808cfdd in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:826:7
> #16 0x808d1de in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:857:3
> #17 0x807c3fc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
> #18 0x80a6177 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
> #19 0xf7bc5ed4 in __libc_start_main
> #20 0x806dad5 in _start
> ```
> The fuzz target can be found at https://github.com/google/oss-fuzz/blob/master/projects/elfutils/fuzz-libdwfl.c

Thanks. But this doesn't really get me much further. Somehow a NULL key got into the search tree and I am still unclear how that can happen. If there is a reproducer/input file that would be really helpful.

Cheers,

Mark
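The crash shape in the trace above (a NULL read inside a comparator called from tsearch) depends on a property of tsearch(3) that is worth seeing in isolation: the comparator is never consulted for the first insertion into an empty tree, but every later insertion hands the caller's key pointer straight to it. The example below is added here to illustrate that mechanism and the defensive check a caller can make; it is not elfutils code, and the `struct chunk`, `chunk_compare` and `insert_chunk` names are hypothetical stand-ins, not the real `elf_getdata_rawchunk.c` implementation.

```c
#define _GNU_SOURCE          /* for tdestroy(3), a GNU/musl extension */
#include <search.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical raw-chunk record, constructed for this example;
   not elfutils' own struct. */
struct chunk {
    size_t offset;
    size_t size;
};

/* Number of comparator invocations observed so far. */
static int compare_calls;

/* Comparator in the shape tsearch(3) expects. It must dereference
   both arguments, so it is only safe if no NULL key ever reaches the
   tree: tsearch passes the caller's key pointer through unchanged. */
static int chunk_compare(const void *a, const void *b)
{
    const struct chunk *ca = a;
    const struct chunk *cb = b;
    compare_calls++;
    if (ca->offset != cb->offset)
        return ca->offset < cb->offset ? -1 : 1;
    if (ca->size != cb->size)
        return ca->size < cb->size ? -1 : 1;
    return 0;
}

/* Guarded insertion: reject a NULL key before tsearch can hand it to
   the comparator. Returns 0 on success, -1 on a NULL key or when
   tsearch fails to allocate a node. */
static int insert_chunk(void **root, struct chunk *c)
{
    if (c == NULL)
        return -1;
    return tsearch(c, root, chunk_compare) == NULL ? -1 : 0;
}

/* Insert n distinct heap-allocated chunks into a fresh tree and report
   how many times the comparator ran. The first insertion into an empty
   tree never calls it; each later one walks the tree and calls it at
   least once. A NULL key therefore only blows up once the tree already
   holds something, which is the shape of the reported crash. */
int compare_calls_after_inserting(size_t n)
{
    void *root = NULL;
    compare_calls = 0;
    for (size_t i = 0; i < n; i++) {
        struct chunk *c = malloc(sizeof *c);
        if (c == NULL)
            abort();
        c->offset = i * 0x100;   /* constructed, distinct offsets */
        c->size = 0x40;
        if (insert_chunk(&root, c) != 0)
            abort();
    }
    int calls = compare_calls;
    tdestroy(root, free);
    return calls;
}

/* tdestroy callback for a tree whose keys live on the stack. */
static void no_free(void *p) { (void)p; }

/* Returns 1 if the guard rejects a NULL key on a non-empty tree without
   the comparator ever being invoked, 0 otherwise. */
int null_key_is_rejected(void)
{
    void *root = NULL;
    struct chunk first = { .offset = 0, .size = 0x40 };
    if (tsearch(&first, &root, chunk_compare) == NULL)
        abort();
    compare_calls = 0;
    int rejected = (insert_chunk(&root, NULL) == -1) && (compare_calls == 0);
    tdestroy(root, no_free);
    return rejected;
}

int main(void)
{
    printf("comparator calls after 1 insert: %d\n", compare_calls_after_inserting(1));
    printf("comparator calls after 2 inserts: %d\n", compare_calls_after_inserting(2));
    printf("NULL key rejected before comparator: %d\n", null_key_is_rejected());
    return 0;
}
```

The point for triage is that a NULL-in-comparator crash says nothing about which insertion produced the NULL, only that the tree was already non-empty when it arrived; that is why a reproducer input, as asked for above, is needed to find the code path that builds the bad key.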