[Bug libelf/29000] New: Conditional jump or move depends on uninitialised value in elf_compress_gnu

Thu, 24 Mar 2022 17:09:39 -0700 

https://sourceware.org/bugzilla/show_bug.cgi?id=29000

            Bug ID: 29000
           Summary: Conditional jump or move depends on uninitialised
                    value in elf_compress_gnu
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libelf
          Assignee: unassigned at sourceware dot org
          Reporter: evvers at ya dot ru
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Created attachment 14035
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14035&action=edit
file triggering valgrind warning

It was found with MSan on OSS-Fuzz but can be reproduced with Valgrind by
applying https://sourceware.org/pipermail/elfutils-devel/2022q1/004767.html and
running the following commands:
```
autoreconf -i -f
./configure --enable-maintainer-mode
make V=1 -j$(nproc)
make -C tests fuzz-libelf V=1
LD_LIBRARY_PATH="$(pwd)/libelf;$(pwd)/libdw" DEBUGINFOD_URLS= valgrind
--track-origins=yes ./tests/fuzz-libelf
clusterfuzz-testcase-minimized-fuzz-libelf-6467719510228992
```
```
unning: ../clusterfuzz-testcase-minimized-fuzz-libelf-6467719510228992
==65519== Conditional jump or move depends on uninitialised value(s)
==65519==    at 0x4868734: elf_compress_gnu (elf_compress_gnu.c:155)
==65519==    by 0x401553: fuzz_logic_one (fuzz-libelf.c:41)
==65519==    by 0x4016D9: LLVMFuzzerTestOneInput (fuzz-libelf.c:82)
==65519==    by 0x4012B8: main (fuzz-main.c:33)
==65519==  Uninitialised value was created by a heap allocation
==65519==    at 0x484486F: malloc (vg_replace_malloc.c:381)
==65519==    by 0x48606C6: convert_data (elf_getdata.c:168)
==65519==    by 0x48606C6: __libelf_set_data_list_rdlock (elf_getdata.c:457)
==65519==    by 0x48608C7: __elf_getdata_rdlock (elf_getdata.c:564)
==65519==    by 0x486870A: elf_compress_gnu (elf_compress_gnu.c:150)
==65519==    by 0x401553: fuzz_logic_one (fuzz-libelf.c:41)
==65519==    by 0x4016D9: LLVMFuzzerTestOneInput (fuzz-libelf.c:82)
==65519==    by 0x4012B8: main (fuzz-main.c:33)
==65519==
Done:    ../clusterfuzz-testcase-minimized-fuzz-libelf-6467719510228992: (608
bytes)
==65519==
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Reply via email to