Hi Evgeny,

On Sun, 2023-02-19 at 21:34 +0300, Evgeny Vereshchagin via Elfutils-devel wrote:
> OSS-Fuzz found https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56134
> introduced in fda09f5f188fb173b2123815be71ca4647a8adfb but for some
> reason it wasn't delivered to the mailing list. I opened
> https://github.com/google/oss-fuzz/issues/9755 to figure out what went
> wrong there
The email was slightly delayed because of spam/virus scan issues:
https://inbox.sourceware.org/overseers/abee4643c0e17900e094bf87460b99e628016fc5.ca...@klomp.org/T/#u

But it reached the list eventually. Although it isn't in the inbox because it contains HTML, it is in the mailman archive now (stripped of the HTML):
https://sourceware.org/pipermail/elfutils-devel/2023q1/005946.html

The backtraces and valgrind reports are very helpful.

It isn't really introduced by commit fda09f5f188fb173b2123815be71ca4647a8adfb "libdw: check that DWARF strings are null-terminated", but that commit exposes an issue in elf_getdata.c convert_data that probably existed for some time, because it starts checking data from the end of the section (where there is garbage). It is probably in the "conversion function" not converting extra garbage data at the end.

The issue is trying to get a big endian ELF file containing a .debug_line_str of type GNU_HASH (which is nonsensical in the first place).

There are a couple of ways to "fix" this. I'll post some patch(es) soon.
Thanks,

Mark

> but until then below is the full backtrace:
> ```
> ==2272==WARNING: MemorySanitizer: use-of-uninitialized-value
> #0 0x5fb3c7 in check_section /src/elfutils/libdw/dwarf_begin_elf.c:265:7
> #1 0x5f8d3e in global_read /src/elfutils/libdw/dwarf_begin_elf.c:444:14
> #2 0x5f8d3e in dwarf_begin_elf /src/elfutils/libdw/dwarf_begin_elf.c:595:9
> #3 0x53f28c in load_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1341:13
> #4 0x53c5b9 in find_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1391:16
> #5 0x53c5b9 in dwfl_module_getdwarf /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1446:3
> #6 0x534b72 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:54:3
> #7 0x43dcf3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
> #8 0x429452 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
> #9 0x42ecfc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
> #10 0x458232 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
> #11 0x7fe0978dd0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
> #12 0x41f61d in _start
>
> Uninitialized value was created by a heap allocation
> #0 0x4e2310 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:895:3
> #1 0x6b9935 in convert_data /src/elfutils/libelf/elf_getdata.c:166:24
> #2 0x6b9935 in __libelf_set_data_list_rdlock /src/elfutils/libelf/elf_getdata.c:455:7
> #3 0x6ba571 in __elf_getdata_rdlock /src/elfutils/libelf/elf_getdata.c:562:5
> #4 0x6ba6cd in elf_getdata /src/elfutils/libelf/elf_getdata.c:580:12
> #5 0x5faec7 in check_section /src/elfutils/libdw/dwarf_begin_elf.c:246:20
> #6 0x5f8d3e in global_read /src/elfutils/libdw/dwarf_begin_elf.c:444:14
> #7 0x5f8d3e in dwarf_begin_elf /src/elfutils/libdw/dwarf_begin_elf.c:595:9
> #8 0x53f28c in load_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1341:13
> #9 0x53c5b9 in find_dw /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1391:16
> #10 0x53c5b9 in dwfl_module_getdwarf /src/elfutils/libdwfl/dwfl_module_getdwarf.c:1446:3
> #11 0x534b72 in LLVMFuzzerTestOneInput /src/fuzz-libdwfl.c:54:3
> #12 0x43dcf3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
> #13 0x429452 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
> #14 0x42ecfc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
> #15 0x458232 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
> #16 0x7fe0978dd0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
>
> SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_elfutils_3ee01cb67db1a71e7adeb7f3f14722ea62f13cd5/revisions/fuzz-libdwfl+0x5fb3c7)
> ```
>
> It can be reproduced with `readelf` and `valgrind`
> ```
> wget -O OSS-FUZZ-56134 'https://oss-fuzz.com/download?testcase_id=6724057145147392'
>
> LD_LIBRARY_PATH="$(pwd)/libdw:$(pwd)/libelf" DEBUGINFOD_URLS= valgrind --track-origins=yes ./src/readelf -w OSS-FUZZ-56134
> ==1373524== Memcheck, a memory error detector
> ==1373524== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
> ==1373524== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
> ==1373524== Command: ./src/readelf -w OSS-FUZZ-56134
> ==1373524==
> ==1373524== Conditional jump or move depends on uninitialised value(s)
> ==1373524==    at 0x4887EAB: check_section (dwarf_begin_elf.c:265)
> ==1373524==    by 0x48885EF: global_read (dwarf_begin_elf.c:444)
> ==1373524==    by 0x48885EF: dwarf_begin_elf (dwarf_begin_elf.c:595)
> ==1373524==    by 0x48A9F0C: load_dw (dwfl_module_getdwarf.c:1341)
> ==1373524==    by 0x48AA0D0: find_dw (dwfl_module_getdwarf.c:1391)
> ==1373524==    by 0x48AA0D0: dwfl_module_getdwarf (dwfl_module_getdwarf.c:1446)
> ==1373524==    by 0x411109: print_debug (readelf.c:11467)
> ==1373524==    by 0x413A31: process_elf_file (readelf.c:1062)
> ==1373524==    by 0x4148BC: process_dwflmod (readelf.c:818)
> ==1373524==    by 0x48A7F20: dwfl_getmodules (dwfl_getmodules.c:86)
> ==1373524==    by 0x40954A: process_file (readelf.c:926)
> ==1373524==    by 0x404D0E: main (readelf.c:395)
> ==1373524==  Uninitialised value was created by a heap allocation
> ==1373524==    at 0x484586F: malloc (vg_replace_malloc.c:381)
> ==1373524==    by 0x48FEA25: convert_data (elf_getdata.c:166)
> ==1373524==    by 0x48FEA25: __libelf_set_data_list_rdlock (elf_getdata.c:455)
> ==1373524==    by 0x48FEC17: __elf_getdata_rdlock (elf_getdata.c:562)
> ==1373524==    by 0x4887E6F: check_section (dwarf_begin_elf.c:246)
> ==1373524==    by 0x48885EF: global_read (dwarf_begin_elf.c:444)
> ==1373524==    by 0x48885EF: dwarf_begin_elf (dwarf_begin_elf.c:595)
> ==1373524==    by 0x48A9F0C: load_dw (dwfl_module_getdwarf.c:1341)
> ==1373524==    by 0x48AA0D0: find_dw (dwfl_module_getdwarf.c:1391)
> ==1373524==    by 0x48AA0D0: dwfl_module_getdwarf (dwfl_module_getdwarf.c:1446)
> ==1373524==    by 0x411109: print_debug (readelf.c:11467)
> ==1373524==    by 0x413A31: process_elf_file (readelf.c:1062)
> ==1373524==    by 0x4148BC: process_dwflmod (readelf.c:818)
> ==1373524==    by 0x48A7F20: dwfl_getmodules (dwfl_getmodules.c:86)
> ==1373524==    by 0x40954A: process_file (readelf.c:926)
> ==1373524==
> ./src/readelf: cannot get debug context descriptor: No DWARF information found
> ```
>
> Thanks,
> Evgeny Vereshchagin
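The bug class Mark describes above, an entry-wise endianness conversion that byte-swaps whole entries into a fresh malloc'ed buffer and leaves the bytes after the last whole entry exactly as malloc returned them, so that a later check reading the end of the section (such as the null-terminator check from the commit) branches on uninitialised memory, as an added C example. This is not elfutils' convert_data and not Mark's forthcoming patch: `convert_words`, `tail_bytes`, `section_size_valid`, `check_hardened_conversion`, the 4-byte `ENTSIZE` and the 6-byte input are all constructed here for illustration. It shows the two kinds of fix the thread alludes to, rejecting a section whose size is not a multiple of its entry size, or converting what can be converted and copying the remainder verbatim so nothing in the new buffer is undefined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an endianness "conversion function" over a section
   made of fixed-size entries. It is NOT elfutils' convert_data; it only
   reproduces the pattern discussed in the thread: whole entries are
   byte-swapped into a fresh malloc'ed buffer, and any bytes after the last
   whole entry are left as malloc returned them (uninitialized), so a later
   check that reads the last byte of the section branches on garbage. */

#define ENTSIZE 4u  /* assumed entry size of the section being converted */

static uint32_t bswap32(uint32_t v)
{
  return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Bytes after the last whole entry; 0 means the size is entry-aligned. */
size_t tail_bytes(size_t size, size_t entsize)
{
  return entsize == 0 ? size : size % entsize;
}

/* First way to fix it: refuse to treat a section as an array of entries
   when its size is not a multiple of the entry size. */
int section_size_valid(size_t size, size_t entsize)
{
  return entsize != 0 && tail_bytes(size, entsize) == 0;
}

/* Byte-swap `size` bytes of ENTSIZE-byte entries from src into a new buffer
   the caller must free(). With copy_tail == 0 this is the defect pattern;
   with copy_tail != 0 the tail is copied verbatim (second way to fix it:
   the tail cannot be swapped as an entry, but it must not be left
   undefined either). Returns NULL on allocation failure. */
unsigned char *convert_words(const unsigned char *src, size_t size, int copy_tail)
{
  unsigned char *dst = malloc(size ? size : 1);
  if (dst == NULL)
    return NULL;

  size_t whole = size - tail_bytes(size, ENTSIZE);
  for (size_t i = 0; i < whole; i += ENTSIZE)
    {
      uint32_t v;
      memcpy(&v, src + i, sizeof v);   /* alignment-safe load */
      v = bswap32(v);
      memcpy(dst + i, &v, sizeof v);
    }

  if (copy_tail)
    memcpy(dst + whole, src + whole, size - whole);  /* no-op when aligned */
  return dst;
}

/* Self-check on a constructed 6-byte input: one whole word plus a 2-byte
   tail. Returns 1 when the word is swapped and the tail survives intact. */
int check_hardened_conversion(void)
{
  const unsigned char src[6] = { 0x01, 0x02, 0x03, 0x04, 0xAA, 0xBB };
  unsigned char *dst = convert_words(src, sizeof src, 1);
  if (dst == NULL)
    return 0;
  int ok = dst[0] == 0x04 && dst[1] == 0x03 && dst[2] == 0x02 && dst[3] == 0x01
           && dst[4] == 0xAA && dst[5] == 0xBB;
  free(dst);
  return ok;
}

int main(void)
{
  /* Run under valgrind --track-origins=yes (as in the report above): the
     copy_tail == 0 call makes Memcheck report the branch on dst[5] with the
     origin pointing at the malloc in convert_words, the same shape as the
     elfutils report. */
  const unsigned char src[6] = { 0x01, 0x02, 0x03, 0x04, 0xAA, 0xBB };
  unsigned char *dst = convert_words(src, sizeof src, 0);
  if (dst != NULL)
    {
      printf("last byte %s\n", dst[sizeof src - 1] == 0 ? "is zero" : "is not zero");
      free(dst);
    }
  printf("size 6 valid for entsize %u: %d\n", ENTSIZE, section_size_valid(6, ENTSIZE));
  printf("hardened conversion ok: %d\n", check_hardened_conversion());
  return 0;
}
```

Rejecting the section outright (`section_size_valid`) is the stricter option and matches the observation that a `.debug_line_str` of type GNU_HASH is nonsensical to begin with; copying the tail keeps such inputs readable while guaranteeing the converted buffer is fully defined, which is what MemorySanitizer and Memcheck actually complain about.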