https://sourceware.org/bugzilla/show_bug.cgi?id=28685
Bug ID: 28685
Summary: UBSan: member access within misaligned address 0x7ff316818032 for type 'struct Elf32_Phdr'
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: evvers at ya dot ru
CC: elfutils-devel at sourceware dot org
Target Milestone: ---

Created attachment 13845
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13845&action=edit
File triggering an "alignment" check

Trying to integrate the fuzz target into the test suite in https://github.com/evverx/elfutils/pull/49, I noticed that it triggered the "alignment" check in both gcc and clang (which I think is a bug because `--enable-sanitize-undefined` explicitly turns off misaligned access). It can be reproduced by building elfutils with UBSan and passing the attachment to `./src/stack`:

```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-undefined CFLAGS='-g -O1 -fno-omit-frame-pointer' CXXFLAGS='-g -O1 -fno-omit-frame-pointer'
make -j$(nproc) V=1
UBSAN_OPTIONS=print_stacktrace=1:print_summary=1 LD_LIBRARY_PATH="./libelf:./libdw" ./src/stack --core ../oss-fuzz-41575

$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1 LD_LIBRARY_PATH="./libelf:./libdw" ./src/stack --core ../oss-fuzz-41575
gelf_xlate.h:42:1: runtime error: member access within misaligned address 0x7f019ba78032 for type 'struct Elf32_Phdr', which requires 4 byte alignment
0x7f019ba78032: note: pointer points here
 2b 00 48 00  00 00 00 10  00 ff ff 7f  45 4c 46 01  01 01 0c 00  ff 00 00 00  00 00 00 04  00 3e ff 00
 ^
    #0 0x7f019d8fa5ea in Elf32_cvt_Phdr /home/vagrant/elfutils/libelf/gelf_xlate.h:42
    #1 0x7f019d8f85f3 in elf32_xlatetom /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
    #2 0x7f019d827a76 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:472
    #3 0x7f019d82c6db in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:559
    #4 0x402b0f in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #5 0x7f019ca7d471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #6 0x403d98 in main /home/vagrant/elfutils/src/stack.c:695
    #7 0x7f019c98c55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #8 0x7f019c98c60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #9 0x4024c4 in _start (/home/vagrant/elfutils/src/stack+0x4024c4)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:42:1 in
```

Interestingly, judging by https://copr-be.cloud.fedoraproject.org/results/packit/evverx-elfutils-49/fedora-rawhide-i386/03030724-elfutils/builder-live.log.gz (where I ran the unit tests on i386), the file simply crashed the fuzz target there:

```
FAIL: run-fuzz-dwfl-core.sh
===========================
...
StandaloneFuzzTargetMain: running 1 inputs
Running: /builddir/build/BUILD/elfutils-0.186/tests/fuzz-dwfl-core-corpus/oss-fuzz-41575
timeout: the monitored command dumped core
./test-subr.sh: line 84: 20674 Segmentation fault      LD_LIBRARY_PATH="${built_library_path}${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" $VALGRIND_CMD "$@"
*** failure in /builddir/build/BUILD/elfutils-0.186/tests/fuzz-dwfl-core-corpus/oss-fuzz-41575
FAIL run-fuzz-dwfl-core.sh (exit status: 1)
+ false
error: Bad exit status from /var/tmp/rpm-tmp.P3WRAR (%check)
```

On OSS-Fuzz (on x86_64) that file triggered an "oom", reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41575:

```
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/oom-fa37b37eafe95a0ed4ef155ccb7f8178f177061d
==9982== ERROR: libFuzzer: out-of-memory (malloc(4294971391))
   To change the out-of-memory limit use -rss_limit_mb=<N>

    #0 0x52f411 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x470a38 in fuzzer::PrintStackTrace() cxa_noexception.cpp:0
    #2 0x454bb5 in fuzzer::Fuzzer::HandleMalloc(unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:131:3
    #3 0x454aca in fuzzer::MallocHook(void const volatile*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:100:6
    #4 0x536a37 in __sanitizer::RunMallocHooks(void const*, unsigned long) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common.cpp:308:5
    #5 0x4a6388 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /src/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:611:5
    #6 0x4a6549 in Calloc /src/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:748:17
    #7 0x4a6549 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) /src/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:969:34
    #8 0x525683 in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:139:10
    #9 0x5f8495 in dwfl_segment_report_module /src/elfutils/libdwfl/dwfl_segment_report_module.c:907:24
    #10 0x566955 in dwfl_core_file_report /src/elfutils/libdwfl/core-file.c:559:17
    #11 0x55eaa0 in LLVMFuzzerTestOneInput /src/fuzz-dwfl-core.c:52:6
    #12 0x456df3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp:0
    #13 0x442642 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #14 0x4481bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp:0
    #15 0x4711f2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0x7f4645ff30b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
    #17 0x41f83d in _start

SUMMARY: libFuzzer: out-of-memory
```
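The sanitizer report above comes from converting an Elf32_Phdr in place out of a core-file buffer whose offset is not a multiple of 4 (the flagged address ends in ...032). The following C example is added here and is not elfutils code: it shows a conversion that is defined for any offset because it reads the header byte by byte into an aligned, host-order struct, plus the alignment check a caller can make before handing a raw pointer to code that dereferences it. `get32`, `cvt_phdr_from_bytes`, `phdr_ptr_is_aligned` and the sample bytes are constructed for this example and assume glibc's `<elf.h>`.

```c
#include <elf.h>
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>

/* Nonzero if p is aligned enough to be dereferenced as an Elf32_Phdr (4 bytes). */
int phdr_ptr_is_aligned (const void *p)
{
  return ((uintptr_t) p % alignof (Elf32_Phdr)) == 0;
}

/* 32-bit field in the file's byte order, read byte by byte: no alignment assumed. */
static uint32_t get32 (const unsigned char *p, int le)
{
  return le ? (uint32_t) p[0] | (uint32_t) p[1] << 8 | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24
            : (uint32_t) p[3] | (uint32_t) p[2] << 8 | (uint32_t) p[1] << 16 | (uint32_t) p[0] << 24;
}

/* Convert the program header at buf[off] into an aligned, host-order Elf32_Phdr.
   Unlike `*(const Elf32_Phdr *) (buf + off)`, the kind of access the report flags,
   this is defined for any off.  Returns 0 on success, -1 if the header does not fit. */
int cvt_phdr_from_bytes (const unsigned char *buf, size_t buflen,
                         size_t off, int le, Elf32_Phdr *out)
{
  if (off > buflen || buflen - off < sizeof (Elf32_Phdr))
    return -1;
  const unsigned char *p = buf + off;
  out->p_type   = get32 (p + 0,  le);
  out->p_offset = get32 (p + 4,  le);
  out->p_vaddr  = get32 (p + 8,  le);
  out->p_paddr  = get32 (p + 12, le);
  out->p_filesz = get32 (p + 16, le);
  out->p_memsz  = get32 (p + 20, le);
  out->p_flags  = get32 (p + 24, le);
  out->p_align  = get32 (p + 28, le);
  return 0;
}

/* Constructed sample (not the attachment): two padding bytes, then a little-endian
   PT_LOAD header, so the header starts at offset 2 and is misaligned like the report's. */
alignas (4) const unsigned char sample[2 + sizeof (Elf32_Phdr)] = {
  0x2b, 0x00,                                      /* padding */
  0x01, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,  /* p_type = PT_LOAD, p_offset = 0x1000 */
  0x00, 0x00, 0x40, 0x08, 0x00, 0x00, 0x40, 0x08,  /* p_vaddr = p_paddr = 0x08400000 */
  0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,  /* p_filesz = p_memsz = 0x2000 */
  0x05, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,  /* p_flags = PF_R|PF_X, p_align = 0x1000 */
};
```

Passing `le = 0` decodes the same bytes as big-endian, which is how an xlate routine like elf32_xlatetom would treat a core file whose EI_DATA byte says ELFDATA2MSB.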