Created attachment 13822 [details] file triggering an infinite loop in dwfl_segment_report_module One of systemd fuzz targets discovered what seems to be an infinite loop in dwfl_segment_report_module. It can be reproduced by building the master branch of the elfutils repository and passing the attachment to `./src/stack`: ``` $ git describe elfutils-0.186-7-g99782bd2 ``` ``` autoreconf -i -f ./configure --enable-maintainer-mode make -j$(nproc) V=1 LD_PRELOAD="./libelf/libelf.so ./libdw/libdw.so" ./src/stack --core oss-fuzz-41572 ``` According to `eu-stack` it's in dwfl_segment_report_module ``` #0 0x00007fa48b3eecf3 dwfl_segment_report_module #1 0x00007fa48b3f2c88 dwfl_core_file_report@@ELFUTILS_0.158 #2 0x0000000000402ec7 parse_opt #3 0x00007fa48b0abf82 argp_parse #4 0x00000000004024eb main #5 0x00007fa48afc6b75 __libc_start_main #6 0x000000000040272e _start ``` It was also reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41572 ``` ALARM: working on the last Unit for 61 seconds and the timeout value is 60 (use -timeout=N to change) ==782== ERROR: libFuzzer: timeout after 61 seconds #0 0x52fdb1 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3 #1 0x4707e8 in fuzzer::PrintStackTrace() cxa_noexception.cpp:0 #2 0x455679 in fuzzer::Fuzzer::AlarmCallback() cxa_noexception.cpp:0 #3 0x7ff8fd7473bf in libpthread.so.0 #4 0x46e23c in HandleCmp<unsigned long> /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:390:31 #5 0x46e23c in __sanitizer_cov_trace_cmp8 /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:483:15 #6 0x5f6edb in dwfl_segment_report_module /src/elfutils/libdwfl/dwfl_segment_report_module.c:546:29 #7 0x567135 in dwfl_core_file_report /src/elfutils/libdwfl/core-file.c:559:17 #8 0x55f280 in LLVMFuzzerTestOneInput /src/fuzz-dwfl-core.c:52:6 #9 0x456ca3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp:0 #10 0x4425b2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6 #11 0x44807a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp:0 #12 0x470fa2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #13 0x7ff8fd53b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16 #14 0x41f83d in _start SUMMARY: libFuzzer: timeout ```
Proposed fix: https://sourceware.org/pipermail/elfutils-devel/2021q4/004463.html
I applied the patch on top of the master branch with the other two patches related to libwfl applied and ran `src/stack` under Valgrind. I also ran the unit tests on four different architectures just in case and they all passed there. Looks like the issue is gone. Thanks!
Thanks for testing. Pushed as: commit 9098a37fcfb67342ad955efc71d1398e2f8a69c1 Author: Mark Wielaard <mark@klomp.org> Date: Wed Dec 8 18:02:27 2021 +0100 libdwfl: Add overflow check while iterating in dwfl_segment_report_module While iterating the notes we could overflow the len variable if the note name or description was too big. Fix this by adding an (unsigned) overflow check. https://sourceware.org/bugzilla/show_bug.cgi?id=28654 Signed-off-by: Mark Wielaard <mark@klomp.org>