While trying to reproduce the dumpelf crash reported in bug 890028, I discovered that there is libfuzzer support for it, and during the src_test I hit a heap overflow. I'm attaching the crash-* file and the stacktrace.

Tested on a1d0123581ede02b54cf2c071507612dde25236c

As a side note, -print_final_stats expects an argument like 1, while we do not pass arguments. (https://github.com/gentoo/pax-utils/blob/a1d0123581ede02b54cf2c071507612dde25236c/meson.build#L170)
Created attachment 883112: stacktrace
Created attachment 883113: testcase
I think I tracked down the issue with repro. With a clean run, the heap is in a fairly pristine state, so the allocation is pretty well aligned. However, when libfuzzer runs for a long time, it fragments the heap, and the incoming buffer can have smaller alignment. That seems to be enough to cause ASAN to detect slightly out-of-bound reads that otherwise it misses. So by hacking up _readelf_fd to force unaligned buffers, I can repro via `dumpelf`. Not sure if there's a good way to integrate this into the tool though so I don't have to keep hotpatching it. I'll have to noodle some more.

--- a/paxelf.c +++ b/paxelf.c @@ -688,13 +688,12 @@ return NULL; } - ret = readelf_buffer(filename, buffer, len); - if (ret == NULL) + int off = 7; + char *x = xmalloc(len + 8); + memcpy(x + off, buffer, len); + ret = readelf_buffer(filename, x + off, len); munmap(buffer, len); - else { ret->fd = fd; - ret->is_mmap = 1; - } return ret; }
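Review bot: with the `if (ret == NULL)` / `else { ... }` branches dropped, `ret->fd = fd;` now runs unconditionally, so a NULL return from readelf_buffer() is dereferenced on the next line; keep the NULL guard around the fd assignment even in a debugging hack. The `x` buffer from xmalloc(len + 8) also has no owner once `ret->is_mmap = 1;` is gone: nothing in the hunk frees it, and the elf struct no longer knows whether its data came from mmap or the heap, so a version that gets integrated into the tool would need to record the heap pointer (not `x + off`) for cleanup.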
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=599d8c41b144596764b33d87d09f80948652ed92

commit 599d8c41b144596764b33d87d09f80948652ed92
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2024-01-26 03:57:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-09 10:06:16 +0000

    dumpelf: improve note memory check

    Make sure the entire structure fits within the bounds of memory, not
    just the start of it.

    Bug: https://bugs.gentoo.org/922906
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    (cherry picked from commit a5298c41c27a35a5c2dcca0723c808029d241953)
    Signed-off-by: Sam James <sam@gentoo.org>

 dumpelf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
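The one-line change in 599d8c41 is not shown on this page. What follows is an added example, written for this page and not taken from pax-utils' dumpelf.c, of the check the commit message describes: a note header must lie entirely inside the remaining buffer, and so must the padded name and descriptor it announces, before any of its fields are read. The weak variant beside it checks only that the note starts inside the buffer, which is the shape of bug the commit message calls out. The struct name `note_hdr`, the helper names and the two byte arrays are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk ELF note header; Elf32_Nhdr and Elf64_Nhdr share this layout. */
struct note_hdr {
    uint32_t namesz;
    uint32_t descsz;
    uint32_t type;
};

/* Name and descriptor are each padded to a 4-byte boundary.  Done in 64-bit
 * arithmetic so a 32-bit field of 0xffffffff cannot wrap to zero. */
static uint64_t align4(uint64_t x) { return (x + 3) & ~(uint64_t)3; }

/* Weak check: only asks whether the note *starts* inside the buffer.  With
 * 1..11 bytes left this passes and the header read runs off the end. */
static bool note_fits_start_only(const uint8_t *buf, size_t len, size_t off)
{
    (void)buf;
    return off < len;
}

/* Strict check: the whole header, then the padded name and descriptor, must
 * lie within [off, len).  On success *next (if given) is the following note. */
static bool note_fits(const uint8_t *buf, size_t len, size_t off, size_t *next)
{
    struct note_hdr h;
    if (off > len || len - off < sizeof h)
        return false;                          /* header itself is cut off */
    memcpy(&h, buf + off, sizeof h);           /* no aligned access assumed */
    uint64_t need = sizeof h + align4(h.namesz) + align4(h.descsz);
    if (need > (uint64_t)(len - off))
        return false;                          /* name/desc run past the end */
    if (next)
        *next = off + (size_t)need;
    return true;
}

/* Walk a note section.  Returns true when every note fits and the buffer is
 * consumed exactly; *complete counts notes parsed before any failure. */
static bool walk_notes(const uint8_t *buf, size_t len, size_t *complete)
{
    size_t off = 0, n = 0;
    while (off < len) {
        size_t next;
        if (!note_fits(buf, len, off, &next))
            break;
        n++;
        off = next;
    }
    if (complete)
        *complete = n;
    return off == len;
}

static size_t complete_note_count(const uint8_t *buf, size_t len)
{
    size_t n;
    walk_notes(buf, len, &n);
    return n;
}

/* Constructed sample: one valid "GNU" note with a 16-byte descriptor, then
 * the first 4 bytes of a second header, i.e. a truncated section.
 * All fields little-endian. */
static const uint8_t sample_notes[] = {
    0x04,0,0,0,  0x10,0,0,0,  0x01,0,0,0,     /* namesz=4 descsz=16 type=1 */
    'G','N','U',0,
    0,0,0,0,  3,0,0,0,  2,0,0,0,  0,0,0,0,    /* 16-byte descriptor */
    0x05,0,0,0,                                /* second note: header cut off */
};

/* Constructed sample: header fits, but descsz claims a 4 GiB descriptor. */
static const uint8_t oversize_note[] = {
    0x04,0,0,0,  0xff,0xff,0xff,0xff,  0x01,0,0,0,
    'G','N','U',0,
};

int main(void)
{
    size_t n;
    bool ok = walk_notes(sample_notes, sizeof sample_notes, &n);
    printf("sample: %zu complete note(s), well-formed=%d\n", n, ok);
    printf("truncated header at offset 32: start-only=%d strict=%d\n",
           note_fits_start_only(sample_notes, sizeof sample_notes, 32),
           note_fits(sample_notes, sizeof sample_notes, 32, NULL));
    printf("oversize descsz accepted by strict check: %d\n",
           note_fits(oversize_note, sizeof oversize_note, 0, NULL));
    return 0;
}
```

The start-only variant only surfaces under a sanitizer when the end of the data coincides with the end of an instrumented allocation, which is what the unaligned-copy hack in the previous comment forces; the strict variant rejects both the truncated header and the oversized descriptor without touching any byte past `len`.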
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9d250d23d6c2ff3286a8cdbfbe89f2c040b4a20c

commit 9d250d23d6c2ff3286a8cdbfbe89f2c040b4a20c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-09-22 04:38:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-09-22 04:40:13 +0000

    app-misc/pax-utils: add 1.3.8

    Aliaksei Urbanski (1):
          Fix fuzz-dumpelf test

    Daniel Verkamp (1):
          lddtree: use readlink -f for absolute links

    David Riley (1):
          lddtree: Add --wrapper-preload

    Frederic Cambus (2):
          lddtree: allow lddtree.sh to find Xenocara libraries on OpenBSD.
          README: fix typo: s/peforming/performing.

    George Burgess IV (1):
          lddtree: add LD_ARGV0_REL

    Mathias Krause (4):
          seccomp: make socket() fail with -ENOSYS
          tests: add basic pspax test
          pspax: fix libcap memory leaks
          meson: avoid using replace() to not unnecessarily bump meson >= 0.58.0

    Mike Frysinger (45):
          Revert "paxinc: include <alloca.h> for alloca"
          lddtree: add docstring for all classes
          pylintrc: remove old entries
          github: update to checkout@v3
          lddtree: use f-string in warn message
          lddtree: fix argcomplete typing
          elf.h: pull from latest glibc
          update copyright headers
          dumpelf: use explicit 64-bit to display off_t
          github: disable fuzzing on macOS
          github: update to checkout@v4
          lddtree: use older Python typing style
          lddtree: disable pyelftools pylint import errors
          lddtree: disable mypy import errors
          lddtree: add some more typing info for mypy
          github: add python checkers
          lddtree: raise min version to Python 3.8
          pyproject.toml: add black & isort & mypy settings
          pylintrc: merge into pyproject.toml
          requirements: pin(ish) Python deps that we use to check things
          drop old __BOUNDS_CHECKING_ON support
          fix various typos found w/codespell
          github: add codespell checker
          build: use standard config.h naming
          build: use standard HAVE_xxx define style
          pspax: rework & document get_proc_name
          pspax: replace proc_fopen with fopenat_r
          pspax: fix buffer limiting in cmdline reading
          pspax: fix error handling when reading attr or ipaddr fail
          pspax: switch from fgets to getline
          unify usage() output across all the tools
          ar: handle invalid ascii numbers better
          ar: handle invalid extended filename offsets
          ar: switch from alloca to malloc
          scanelf: fix hashtable overflow checks
          README: update macOS name
          paxelf: reject ELFs with incomplete Ehdr structures
          dumpelf: free elf after fuzzing it to avoid leaking
          sanitizer: fix feature tests under clang
          dumpelf: check dyn pointer before DT_NULL check too
          dumpelf: improve note memory check
          dumpelf: limit note name display
          fuzz-ar: fuzzer for the archive parsing API
          fuzz-dumpelf: fix stats argument
          fuzzer: fix unused setting on argc & argv

    Mike Gilbert (1):
          make-seccomp-filters.sh: split cflags/ldflags for libseccomp

    Sam James (10):
          Make headers standalone (missing includes, prep for clang-tidy)
          *: IWYU fixes
          *: IWYU fixes deux
          .github: add Alpine CI
          Undo IWYU fixes
          paxinc: include <alloca.h> for alloca
          porting.h: include <stddef.h> for size_t, sort includes
          ci: make tests verbose
          meson.build: prepare for pax-utils-1.3.8
          CI: update muon URL

    Takuto Ikuta (1):
          lddtree: keep relativeness of invoked program in elf wrapper

    Zach van Rijn (1):
          paxelf: use correct format string

    Bug: https://bugs.gentoo.org/890028
    Bug: https://bugs.gentoo.org/890577
    Bug: https://bugs.gentoo.org/890579
    Bug: https://bugs.gentoo.org/922906
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/pax-utils/Manifest               |  1 +
 app-misc/pax-utils/pax-utils-1.3.8.ebuild | 77 +++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)