Status: New
Owner:
CC: elfut...@sourceware.org, da...@adalogics.com, evv...@gmail.com,
izz...@google.com
Labels: ClusterFuzz Reproducible Stability-Memory-MemorySanitizer
Engine-libfuzzer OS-Linux Security_Severity-Medium Proj-elfutils
Reported-2022-03-18
Type: Bug-Security
New issue 4570
Hi,
> I looked over the "ClusterFuzz-External via monorail" emails and found
> some "real" issues.
Given that the new fuzz targets seem to just fail to compile with
```
projects/elfutils/fuzz-libdwfl.c:48:10: error: unused variable 'res'
[-Werror,-Wunused-variable]
Dwarf *res = dwfl_module_get
```
Hi,
> The ar_size field is a 10 character string, not zero terminated, of
> decimal digits right padded with spaces. Make sure it actually starts
> with a digit before calling atol on it. We already make sure it is
> zero terminated. Otherwise atol might produce unexpected results.
As far as I
The Verdef, Verdaux, Verneed and Vernaux structures contain fields
which point to the next structures. Make sure these offsets are
correctly aligned for the structures they point to.
Signed-off-by: Mark Wielaard
---
libelf/ChangeLog | 6 ++
libelf/version_xlate.h | 17 +---
Hi Evgeny,
On Fri, Mar 18, 2022 at 12:11:50PM +0300, Evgeny Vereshchagin wrote:
> > The ar_size field is a 10 character string, not zero terminated, of
> > decimal digits right padded with spaces. Make sure it actually starts
> > with a digit before calling atol on it. We already make sure it is
Comment #3 on issue 45628 by evv...@gmail.com: elfutils:fuzz-libdwfl:
Heap-buffer-overflow in strtol
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45628#c3
> See https://google.github.io/oss-fuzz/advanced-topics/reproducing for
> instructions to reproduce this bug locally.
FWIW this b
Hi Mark,
> I guess the idea is that there could be an atoi implementation that
> starts from the end of the string? But I think that is super unlikely
> since atoi (and strtol) is defined on the initial portion of the
> character array. The algorithm is described as working from the start
> and on
When reporting ar members they should be closed when they cannot
be processed. A comment in offline.c said that process_file called
elf_end if it returned NULL. But this is incorrect. And other places
that call process_file do call elf_end explicitly when it returns
NULL.
Signed-off-by: Mark Wiela
The values in the kernel image header aren't properly aligned.
Use memcpy and the LE16, LE32 macros to assign and check the
values.
Signed-off-by: Mark Wielaard
---
libdwfl/ChangeLog | 5 +
libdwfl/image-header.c | 24 ++--
2 files changed, 23 insertions(+), 6 delet