Bug 28720 - UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
Status: RESOLVED FIXED
Alias: None
Product: elfutils
Classification: Unclassified
Component: libdw
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Mark Wielaard
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-22 00:35 UTC by Evgeny Vereshchagin
Modified: 2022-01-07 16:39 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2021-12-24 00:00:00


Attachments
File triggering misaligned access (1.61 KB, application/x-core)
2021-12-22 00:35 UTC, Evgeny Vereshchagin
File triggering "variable length array bound evaluates to non-positive value 0" (411 bytes, application/octet-stream)
2021-12-24 08:06 UTC, Evgeny Vereshchagin
File triggering "member access within misaligned address" (511 bytes, application/x-core)
2021-12-24 08:07 UTC, Evgeny Vereshchagin

Description Evgeny Vereshchagin 2021-12-22 00:35:52 UTC
Created attachment 13872 [details]
File triggering misaligned access

While I was testing https://sourceware.org/pipermail/elfutils-devel/2021q4/004584.html I passed FUZZ_TIME=3600 to the test to run it for an hour and in the process it ran into another misaligned access. Just to make sure it isn't https://sourceware.org/bugzilla/show_bug.cgi?id=28685 I pulled the master branch with the "fuzz" branch included. It can be reproduced with `./src/stack`:
```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-undefined
make  -j$(nproc) V=1
UBSAN_OPTIONS=print_stacktrace=1:print_summary=1 LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ../SIGABRT.PC.7fffe516d84c.STACK.d7ffe76d7.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz
gelf_xlate.h:42:1: runtime error: member access within misaligned address 0x7f3827783142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
0x7f3827783142: note: pointer points here
 00 00  00 10 00 00 00 00 00 c5  00 10 00 00 00 00 00 00  00 10 00 00 00 00 00 00  01 00 00 00 06 15
              ^
    #0 0x7f38295f992c in Elf32_cvt_Phdr /home/vagrant/elfutils/libelf/gelf_xlate.h:42
    #1 0x7f38295f8363 in elf32_xlatetom /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
    #2 0x7f382952a821 in dwfl_link_map_report /home/vagrant/elfutils/libdwfl/link_map.c:925
    #3 0x7f382952de80 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:548
    #4 0x402fa0 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #5 0x7f382878b471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #6 0x4026aa in main /home/vagrant/elfutils/src/stack.c:695
    #7 0x7f382869a55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #8 0x7f382869a60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #9 0x402944 in _start (/home/vagrant/elfutils/src/stack+0x402944)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:42:1 in
```
Comment 1 Evgeny Vereshchagin 2021-12-22 01:00:49 UTC
FWIW there are at least 4 unique crashes honggfuzz has found related to either "member access within misaligned address" or "load of misaligned address":

gelf_xlate.h:42:1: runtime error: member access within misaligned address

link_map.c:292:15: runtime error: load of misaligned address 0x7fffe5c60bde for type 'Elf64_Addr'

link_map.c:283:15: runtime error: load of misaligned address

gelf_xlate.h:48:1: runtime error: member access within misaligned address
Comment 2 Mark Wielaard 2021-12-24 01:10:13 UTC
(In reply to Evgeny Vereshchagin from comment #1)
> FWIW There are at least 4 uniq crashes honggfuzz has found related to either
> "member access within misaligned address" or "load of misaligned address":
> 
> gelf_xlate.h:42:1: runtime error: member access within misaligned address
> 
> link_map.c:292:15: runtime error: load of misaligned address 0x7fffe5c60bde
> for type 'Elf64_Addr'
> 
> link_map.c:283:15: runtime error: load of misaligned address
> 
> gelf_xlate.h:48:1: runtime error: member access within misaligned address

Interesting. I did run afl for some time (more than a day) and it found some more issues, but none of these (yet?). I'll try honggfuzz in the future to see if it can find some more.

Without reproducers for all of the above I don't know if I caught them all, but I think the following two proposed patches (also on my fuzz branch) should fix them:

https://sourceware.org/pipermail/elfutils-devel/2021q4/004598.html
https://sourceware.org/pipermail/elfutils-devel/2021q4/004599.html
Comment 3 Evgeny Vereshchagin 2021-12-24 08:05:12 UTC
As far as I can see, with the fuzz branch rebased on top of my fuzzing branch almost all the issues, including https://sourceware.org/pipermail/elfutils-devel/2021q4/004596.html, are gone. Thanks! I'll attach files triggering the remaining issues shortly:
```
$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core SIGABRT.PC.7fffe4f4e84c.STACK.18f0f46b60.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz
link_map.c:1040:20: runtime error: variable length array bound evaluates to non-positive value 0
    #0 0x7fbc58f053e9 in dwfl_link_map_report /home/vagrant/elfutils/libdwfl/link_map.c:1040
    #1 0x7fbc59023fa7 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:552
    #2 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #3 0x7fbc581d9471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #4 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
    #5 0x7fbc580e855f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #6 0x7fbc580e860b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #7 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior link_map.c:1040:20 in
```
```
$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core SIGABRT.PC.7fffe4f4e84c.STACK.1976b2f3ff.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz
gelf_xlate.h:48:1: runtime error: member access within misaligned address 0x7f0817719077 for type 'struct Elf32_Dyn', which requires 4 byte alignment
0x7f0817719077: note: pointer points here
 00 10 00 00 00  00 00 00 00 00 02 01 00  00 00 00 00 00 7f 45 46  4c 46 00 00 01 01 00 01  00 08 00
             ^
    #0 0x7f0822689542 in Elf32_cvt_Dyn /home/vagrant/elfutils/libelf/gelf_xlate.h:48
    #1 0x7f082268835e in elf32_xlatetom /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
    #2 0x7f0819563307 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:848
    #3 0x7f081956c06c in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:563
    #4 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #5 0x7f0818721471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #6 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
    #7 0x7f081863055f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #8 0x7f081863060b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #9 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:48:1 in
```
Comment 4 Evgeny Vereshchagin 2021-12-24 08:06:33 UTC
Created attachment 13874 [details]
File triggering "variable length array bound evaluates to non-positive value 0"
Comment 5 Evgeny Vereshchagin 2021-12-24 08:07:34 UTC
Created attachment 13875 [details]
File triggering "member access within misaligned address"
Comment 6 Evgeny Vereshchagin 2021-12-24 08:17:40 UTC
(In reply to Mark Wielaard from comment #2)
> Interesting. I did run afl for some time (more than a day) and it found some
> more issues, but none of these (yet?). I'll try honggfuzz in the future to
> see if it can find some more.
> 

FWIW https://sourceware.org/pipermail/elfutils-devel/2021q4/004584.html should make it much easier to use honggfuzz. It's safe to say that it was battle-tested in the sense that it's compatible with gcc, clang, ASan, UBSan and so on. Something like `make check V=1 VERBOSE=1 TESTS=run-fuzz-dwfl-core.sh FUZZ_TIME=3600` allows running the fuzz target for an hour with honggfuzz (if elfutils is built with `--enable-honggfuzz`).
Comment 7 Mark Wielaard 2022-01-03 23:42:20 UTC
(In reply to Evgeny Vereshchagin from comment #5)
> Created attachment 13875 [details]
> File triggering "member access within misaligned address"

Thanks. afl++ also found this (but only after 8 days...)
I pushed:

commit 9f70a762ab88ceebb8a48a7c9c3ce39ff7f205af
Author: Mark Wielaard <mark@klomp.org>
Date:   Fri Dec 24 02:01:32 2021 +0100

    libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
    
    The gcc undefined sanitizer doesn't like the trick we use to calculate
    the (possibly) unaligned addresses to read. So calculate them by hand
    as unsigned char pointers.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=28720
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>

Which should fix this particular issue.
Comment 8 Evgeny Vereshchagin 2022-01-04 18:58:47 UTC
(In reply to Mark Wielaard from comment #7)
> commit 9f70a762ab88ceebb8a48a7c9c3ce39ff7f205af
> Author: Mark Wielaard <mark@klomp.org>
> Date:   Fri Dec 24 02:01:32 2021 +0100
> 
>     libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
>     
>     The gcc undefined sanitizer doesn't like the trick we use to calculate
>     the (possibly) unaligned addresses to read. So calculate them by hand
>     as unsigned char pointers.
>     
>     https://sourceware.org/bugzilla/show_bug.cgi?id=28720
>     
>     Signed-off-by: Mark Wielaard <mark@klomp.org>
> 
> Which should fix this particular issue.


I'm not sure but it seems it can still be triggered with that commit applied:
```
$ git log --oneline -5
9f70a762 (HEAD -> master, origin/master, origin/HEAD) libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
5b490793 libdwfl: Call xlatetom on aligned buffers in dwfl_link_map_report
1cf73965 libdwfl: Make sure dwfl_elf_phdr_memory_callback returns at least minread
4fdd8588 libdwfl: Always clean up build_id.memory
8f8c78cc libdwfl: Handle unaligned Nhdr in dwfl_segment_report_module

$ autoreconf -i -f
$ ./configure --enable-maintainer-mode --enable-sanitize-undefined
$ make -j$(nproc) V=1

$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./attachment.cgi\?id\=13875
gelf_xlate.h:48:1: runtime error: member access within misaligned address 0x7f5cd5612077 for type 'struct Elf32_Dyn', which requires 4 byte alignment
0x7f5cd5612077: note: pointer points here
 00 10 00 00 00  00 00 00 00 00 02 01 00  00 00 00 00 00 7f 45 46  4c 46 00 00 01 01 00 01  00 08 00
             ^
    #0 0x7f5cd74851fc in Elf32_cvt_Dyn /home/vagrant/elfutils/libelf/gelf_xlate.h:48
    #1 0x7f5cd7484363 in elf32_xlatetom /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
    #2 0x7f5cd73b4fbf in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:848
    #3 0x7f5cd73b9fc9 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:563
    #4 0x402fa0 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #5 0x7f5cd6617471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #6 0x4026aa in main /home/vagrant/elfutils/src/stack.c:695
    #7 0x7f5cd652655f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #8 0x7f5cd652660b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #9 0x402944 in _start (/home/vagrant/elfutils/src/stack+0x402944)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:48:1 in
```
Comment 9 Evgeny Vereshchagin 2022-01-04 19:21:59 UTC
According to OSS-Fuzz, it looks like that commit triggered https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43307 (which was also reported in https://sourceware.org/pipermail/elfutils-devel/2022q1/004623.html):
```
$ wget -O CRASH 'https://oss-fuzz.com/download?testcase_id=4696722113167360'
$ LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./CRASH
AddressSanitizer:DEADLYSIGNAL
=================================================================
==153072==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbe8640afe0 (pc 0x7fbe89eb2fc7 bp 0x7fffe2855510 sp 0x7fffe2855020 T0)
==153072==The signal is caused by a READ memory access.
    #0 0x7fbe89eb2fc7 in __bswap_64 /usr/include/bits/byteswap.h:73
    #1 0x7fbe89eb2fc7 in read_addrs /home/vagrant/elfutils/libdwfl/link_map.c:288
    #2 0x7fbe89eb2fc7 in report_r_debug /home/vagrant/elfutils/libdwfl/link_map.c:341
    #3 0x7fbe89eb2fc7 in dwfl_link_map_report /home/vagrant/elfutils/libdwfl/link_map.c:1117
    #4 0x7fbe89eb7103 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:552
    #5 0x403d06 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #6 0x7fbe89a90471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #7 0x40281d in main /home/vagrant/elfutils/src/stack.c:695
    #8 0x7fbe8999f55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #9 0x7fbe8999f60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #10 0x402c94 in _start (/home/vagrant/elfutils/src/stack+0x402c94)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/bits/byteswap.h:73 in __bswap_64
==153072==ABORTING
```
Comment 10 Mark Wielaard 2022-01-04 21:37:53 UTC
(In reply to Evgeny Vereshchagin from comment #8)
> (In reply to Mark Wielaard from comment #7)
> > commit 9f70a762ab88ceebb8a48a7c9c3ce39ff7f205af
> > Author: Mark Wielaard <mark@klomp.org>
> > Date:   Fri Dec 24 02:01:32 2021 +0100
> > 
> >     libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
> >     
> >     The gcc undefined sanitizer doesn't like the trick we use to calculate
> >     the (possibly) unaligned addresses to read. So calculate them by hand
> >     as unsigned char pointers.
> >     
> >     https://sourceware.org/bugzilla/show_bug.cgi?id=28720
> >     
> >     Signed-off-by: Mark Wielaard <mark@klomp.org>
> > 
> > Which should fix this particular issue.
> 
> 
> I'm not sure but it seems it can still be triggered with that commit applied:
> ```
> $ git log --oneline -5
> 9f70a762 (HEAD -> master, origin/master, origin/HEAD) libdwfl: Calculate
> addr to read by hand in link_map.c read_addrs.
> 5b490793 libdwfl: Call xlatetom on aligned buffers in dwfl_link_map_report
> 1cf73965 libdwfl: Make sure dwfl_elf_phdr_memory_callback returns at least
> minread
> 4fdd8588 libdwfl: Always clean up build_id.memory
> 8f8c78cc libdwfl: Handle unaligned Nhdr in dwfl_segment_report_module
> 
> $ autoreconf -i -f
> $ ./configure --enable-maintainer-mode --enable-sanitize-undefined
> $ make -j$(nproc) V=1
> 
> $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
> LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core
> ./attachment.cgi\?id\=13875
> gelf_xlate.h:48:1: runtime error: member access within misaligned address
> 0x7f5cd5612077 for type 'struct Elf32_Dyn', which requires 4 byte alignment

That is a different issue than the one reported in comment #5.
This bug might be split up for the different issues found.
Comment 11 Evgeny Vereshchagin 2022-01-04 22:02:41 UTC
(In reply to Mark Wielaard from comment #10)
> That is a different issue than the one reported in comment #5.
> This bug might be split up for the different issues found.

Sorry. I seem to have overlooked that. I think this issue can be closed then. In the meantime, I've just opened https://github.com/google/oss-fuzz/pull/7092 (which should help to start catching issues like that on OSS-Fuzz). It'll sort out duplicates automatically so I'd just wait for it to report what's left. Thanks!
Comment 12 Evgeny Vereshchagin 2022-01-06 00:51:04 UTC
Forgot to close the issue.

As far as I can see there are two issues left. They were reported in https://sourceware.org/pipermail/elfutils-devel/2022q1/004623.html and https://sourceware.org/pipermail/elfutils-devel/2022q1/004629.html

Thanks!
Comment 13 Mark Wielaard 2022-01-06 15:55:08 UTC
(In reply to Evgeny Vereshchagin from comment #9)
> According to OSS-Fuzz, it looks like that commit triggered
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43307 (which was also
> reported in
> https://sourceware.org/pipermail/elfutils-devel/2022q1/004623.html):
> ```
> $ wget -O CRASH 'https://oss-fuzz.com/download?testcase_id=4696722113167360'
> $ LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./CRASH
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==153072==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbe8640afe0
> (pc 0x7fbe89eb2fc7 bp 0x7fffe2855510 sp 0x7fffe2855020 T0)
> ==153072==The signal is caused by a READ memory access.
>     #0 0x7fbe89eb2fc7 in __bswap_64 /usr/include/bits/byteswap.h:73
>     #1 0x7fbe89eb2fc7 in read_addrs
> /home/vagrant/elfutils/libdwfl/link_map.c:288
>     #2 0x7fbe89eb2fc7 in report_r_debug
> /home/vagrant/elfutils/libdwfl/link_map.c:341
>     #3 0x7fbe89eb2fc7 in dwfl_link_map_report
> /home/vagrant/elfutils/libdwfl/link_map.c:1117
>     #4 0x7fbe89eb7103 in _new.dwfl_core_file_report
> /home/vagrant/elfutils/libdwfl/core-file.c:552
>     #5 0x403d06 in parse_opt /home/vagrant/elfutils/src/stack.c:595
>     #6 0x7fbe89a90471 in argp_parse (/lib64/libc.so.6+0x11e471)
>     #7 0x40281d in main /home/vagrant/elfutils/src/stack.c:695
>     #8 0x7fbe8999f55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
>     #9 0x7fbe8999f60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
>     #10 0x402c94 in _start (/home/vagrant/elfutils/src/stack+0x402c94)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /usr/include/bits/byteswap.h:73 in __bswap_64
> ==153072==ABORTING
> ```

Interesting, that looks like an incomplete overflow check in read_addrs.
Proposed fix:
https://sourceware.org/pipermail/elfutils-devel/2022q1/004633.html
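The two fixes discussed above, reading possibly unaligned addresses by hand through unsigned char pointers (comment 7) and a complete overflow check before reading a run of addresses out of an untrusted core buffer (comment 13), as an added illustration. These are hypothetical helpers written for this page, not elfutils' own read_addrs; the constructed sample buffer places the values at an odd offset on purpose.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers, not elfutils' own code: they model the two fixes
   discussed in this bug, reading at possibly unaligned offsets by walking
   unsigned char pointers (comment 7) and a complete overflow check before
   reading `count` addresses out of an untrusted core buffer (comment 13). */

/* Assemble an n-byte (n <= 8) integer from individual bytes.  No wider
   pointer is ever formed, so this is well defined at any offset, which is
   what UBSan's "load of misaligned address" reports in link_map.c flagged. */
static uint64_t
read_uN_unaligned (const unsigned char *p, size_t n, bool big_endian)
{
  uint64_t v = 0;
  for (size_t i = 0; i < n; i++)
    v |= (uint64_t) p[i] << (8 * (big_endian ? n - 1 - i : i));
  return v;
}

/* Read `count` addresses of `addr_size` bytes (4 for ELFCLASS32, 8 for
   ELFCLASS64) starting at byte offset `off` of a buffer of `buf_size` bytes.
   Returns false, leaving `out` untouched, when the request does not fit.
   `off` and `count` are treated as attacker-controlled: the fit check is a
   subtraction followed by a division, so it cannot wrap the way
   `off + count * addr_size <= buf_size` can. */
static bool
read_addrs_checked (const unsigned char *buf, size_t buf_size, size_t off,
                    size_t count, size_t addr_size, bool big_endian,
                    uint64_t *out)
{
  if (addr_size != 4 && addr_size != 8)
    return false;
  if (off > buf_size)
    return false;
  if (count > (buf_size - off) / addr_size)
    return false;
  for (size_t i = 0; i < count; i++)
    out[i] = read_uN_unaligned (buf + off + i * addr_size, addr_size,
                                big_endian);
  return true;
}

/* Constructed sample: one pad byte followed by two little-endian 32-bit
   values, so the addresses start at an odd (misaligned) offset. */
static const unsigned char sample[] = {
  0x00, 0x78, 0x56, 0x34, 0x12, 0xef, 0xbe, 0xad, 0xde
};

int
main (void)
{
  uint64_t addrs[2];
  if (read_addrs_checked (sample, sizeof sample, 1, 2, 4, false, addrs))
    printf ("0x%llx 0x%llx\n", (unsigned long long) addrs[0],
            (unsigned long long) addrs[1]);
  /* A request that would slip past a wrapping check is rejected. */
  printf ("rejected: %d\n",
          !read_addrs_checked (sample, sizeof sample, SIZE_MAX, 1, 8,
                               false, addrs));
  return 0;
}
```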
Comment 14 Mark Wielaard 2022-01-06 16:41:24 UTC
(In reply to Evgeny Vereshchagin from comment #3)
> $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
> LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core
> SIGABRT.PC.7fffe4f4e84c.STACK.1976b2f3ff.CODE.-6.ADDR.0.INSTR.mov____%eax,
> %ebp.fuzz
> gelf_xlate.h:48:1: runtime error: member access within misaligned address
> 0x7f0817719077 for type 'struct Elf32_Dyn', which requires 4 byte alignment
> 0x7f0817719077: note: pointer points here
>  00 10 00 00 00  00 00 00 00 00 02 01 00  00 00 00 00 00 7f 45 46  4c 46 00
> 00 01 01 00 01  00 08 00
>              ^
>     #0 0x7f0822689542 in Elf32_cvt_Dyn
> /home/vagrant/elfutils/libelf/gelf_xlate.h:48
>     #1 0x7f082268835e in elf32_xlatetom
> /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
>     #2 0x7f0819563307 in dwfl_segment_report_module
> /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:848
>     #3 0x7f081956c06c in _new.dwfl_core_file_report
> /home/vagrant/elfutils/libdwfl/core-file.c:563
>     #4 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
>     #5 0x7f0818721471 in argp_parse (/lib64/libc.so.6+0x11e471)
>     #6 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
>     #7 0x7f081863055f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
>     #8 0x7f081863060b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
>     #9 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)
> 
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:48:1 in
> ```

Proposed patch for this issue:
https://sourceware.org/pipermail/elfutils-devel/2022q1/004635.html
Comment 15 Mark Wielaard 2022-01-06 17:04:13 UTC
(In reply to Evgeny Vereshchagin from comment #3)
> $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
> LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core
> SIGABRT.PC.7fffe4f4e84c.STACK.18f0f46b60.CODE.-6.ADDR.0.INSTR.mov____%eax,
> %ebp.fuzz
> link_map.c:1040:20: runtime error: variable length array bound evaluates to
> non-positive value 0
>     #0 0x7fbc58f053e9 in dwfl_link_map_report
> /home/vagrant/elfutils/libdwfl/link_map.c:1040
>     #1 0x7fbc59023fa7 in _new.dwfl_core_file_report
> /home/vagrant/elfutils/libdwfl/core-file.c:552
>     #2 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
>     #3 0x7fbc581d9471 in argp_parse (/lib64/libc.so.6+0x11e471)
>     #4 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
>     #5 0x7fbc580e855f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
>     #6 0x7fbc580e860b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
>     #7 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)
> 
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior link_map.c:1040:20 in

Proposed fix:
https://sourceware.org/pipermail/elfutils-devel/2022q1/004637.html
Comment 16 Evgeny Vereshchagin 2022-01-06 17:36:58 UTC
I tested both patches with CFLite, AFL++ and honggfuzz for about ten minutes under ASan/UBSan with the reproducer testcases included in the "seed" corpus. I also unleashed the latest corpus provided by OSS-Fuzz on the fuzzer and it found nothing. Looks like both issues are gone for good. Thanks!

FWIW I recently posted patch v4 where AFL/AFL++ is supported as well. I think with both `--enable-honggfuzz` and `--enable-afl` it should be possible to integrate it into buildbot smoothly. The patch can be found at https://patchwork.sourceware.org/project/elfutils/patch/20211226160323.2450838-1-evvers@ya.ru/
Comment 17 Evgeny Vereshchagin 2022-01-06 20:52:30 UTC
FWIW I tested https://sourceware.org/pipermail/elfutils-devel/2022q1/004637.html as well with gcc (since it isn't reproducible with clang), honggfuzz and the latest OSS-Fuzz corpus. That issue is gone too. Thanks!
Comment 18 Mark Wielaard 2022-01-07 16:39:34 UTC
Thanks for testing, I also ran afl++ locally for a couple of hours and things look fine. So I pushed all 3 patches.

It would indeed be good to integrate fuzz testing, I'll take a closer look at your patch next week. Thanks.