Created attachment 13872 [details]
File triggering misaligned access

While I was testing https://sourceware.org/pipermail/elfutils-devel/2021q4/004584.html I passed FUZZ_TIME=3600 to the test to run it for an hour and in the process it ran into another misaligned access. Just to make sure it isn't https://sourceware.org/bugzilla/show_bug.cgi?id=28685 I pulled the master branch with the "fuzz" branch included. It can be reproduced with `./src/stack`:
```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-undefined
make -j$(nproc) V=1
UBSAN_OPTIONS=print_stacktrace=1:print_summary=1 LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ../SIGABRT.PC.7fffe516d84c.STACK.d7ffe76d7.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz
gelf_xlate.h:42:1: runtime error: member access within misaligned address 0x7f3827783142 for type 'struct Elf32_Phdr', which requires 4 byte alignment
0x7f3827783142: note: pointer points here
 00 00 00 10 00 00 00 00 00 c5 00 10 00 00 00 00  00 00 00 10 00 00 00 00 00 00 01 00 00 00 06 15
                                                  ^
    #0 0x7f38295f992c in Elf32_cvt_Phdr /home/vagrant/elfutils/libelf/gelf_xlate.h:42
    #1 0x7f38295f8363 in elf32_xlatetom /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
    #2 0x7f382952a821 in dwfl_link_map_report /home/vagrant/elfutils/libdwfl/link_map.c:925
    #3 0x7f382952de80 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:548
    #4 0x402fa0 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #5 0x7f382878b471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #6 0x4026aa in main /home/vagrant/elfutils/src/stack.c:695
    #7 0x7f382869a55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #8 0x7f382869a60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #9 0x402944 in _start (/home/vagrant/elfutils/src/stack+0x402944)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:42:1 in
```
FWIW There are at least 4 unique crashes honggfuzz has found related to either "member access within misaligned address" or "load of misaligned address":

gelf_xlate.h:42:1: runtime error: member access within misaligned address

link_map.c:292:15: runtime error: load of misaligned address 0x7fffe5c60bde for type 'Elf64_Addr'

link_map.c:283:15: runtime error: load of misaligned address

gelf_xlate.h:48:1: runtime error: member access within misaligned address
(In reply to Evgeny Vereshchagin from comment #1)
> FWIW There are at least 4 uniq crashes honggfuzz has found related to either
> "member access within misaligned address" or "load of misaligned address":
> 
> gelf_xlate.h:42:1: runtime error: member access within misaligned address
> 
> link_map.c:292:15: runtime error: load of misaligned address 0x7fffe5c60bde
> for type 'Elf64_Addr'
> 
> link_map.c:283:15: runtime error: load of misaligned address
> 
> gelf_xlate.h:48:1: runtime error: member access within misaligned address

Interesting. I did run afl for some time (more than a day) and it found some more issues, but none of these (yet?). I'll try honggfuzz in the future to see if it can find some more.

Without reproducers for all of the above I don't know if I caught them all, but I think the following two proposed patches (also on my fuzz branch) should fix them:

https://sourceware.org/pipermail/elfutils-devel/2021q4/004598.html
https://sourceware.org/pipermail/elfutils-devel/2021q4/004599.html
As far as I can see with the fuzz branch rebased on top of my fuzzing branch almost all the issues including https://sourceware.org/pipermail/elfutils-devel/2021q4/004596.html are gone. Thanks!

I'll attach files triggering the remaining issues shortly:
```
$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core SIGABRT.PC.7fffe4f4e84c.STACK.18f0f46b60.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz
link_map.c:1040:20: runtime error: variable length array bound evaluates to non-positive value 0
    #0 0x7fbc58f053e9 in dwfl_link_map_report /home/vagrant/elfutils/libdwfl/link_map.c:1040
    #1 0x7fbc59023fa7 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:552
    #2 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #3 0x7fbc581d9471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #4 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
    #5 0x7fbc580e855f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #6 0x7fbc580e860b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #7 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior link_map.c:1040:20 in
```
```
$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core SIGABRT.PC.7fffe4f4e84c.STACK.1976b2f3ff.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz
gelf_xlate.h:48:1: runtime error: member access within misaligned address 0x7f0817719077 for type 'struct Elf32_Dyn', which requires 4 byte alignment
0x7f0817719077: note: pointer points here
 00 10 00 00 00 00 00 00 00 00 02 01 00 00 00 00  00 00 7f 45 46 4c 46 00 00 01 01 00 01 00 08 00
                                                  ^
    #0 0x7f0822689542 in Elf32_cvt_Dyn /home/vagrant/elfutils/libelf/gelf_xlate.h:48
    #1 0x7f082268835e in elf32_xlatetom /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
    #2 0x7f0819563307 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:848
    #3 0x7f081956c06c in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:563
    #4 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #5 0x7f0818721471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #6 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
    #7 0x7f081863055f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #8 0x7f081863060b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #9 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:48:1 in
```
Created attachment 13874 [details]
File triggering "variable length array bound evaluates to non-positive value 0"
Created attachment 13875 [details]
File triggering "member access within misaligned address"
(In reply to Mark Wielaard from comment #2)
> Interesting. I did run afl for some time (more than a day) and it found some
> more issues, but none of these (yet?). I'll try honggfuzz in the future to
> see if it can find some more.
> 

FWIW https://sourceware.org/pipermail/elfutils-devel/2021q4/004584.html should make it much easier to use honggfuzz. It's safe to say that it was battle-tested in the sense that it's compatible with gcc, clang, ASan, UBSan and so on. Something like `make check V=1 VERBOSE=1 TESTS=run-fuzz-dwfl-core.sh FUZZ_TIME=3600` allows running the fuzz target for an hour with honggfuzz (if elfutils is built with `--enable-honggfuzz`).
(In reply to Evgeny Vereshchagin from comment #5)
> Created attachment 13875 [details]
> File triggering "member access within misaligned address"

Thanks. afl++ also found this (but only after 8 days...)

I pushed:

commit 9f70a762ab88ceebb8a48a7c9c3ce39ff7f205af
Author: Mark Wielaard <mark@klomp.org>
Date:   Fri Dec 24 02:01:32 2021 +0100

    libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
    
    The gcc undefined sanitizer doesn't like the trick we use to calculate
    the (possibly) unaligned addresses to read. So calculate them by hand
    as unsigned char pointers.
    
    https://sourceware.org/bugzilla/show_bug.cgi?id=28720
    
    Signed-off-by: Mark Wielaard <mark@klomp.org>

Which should fix this particular issue.
(In reply to Mark Wielaard from comment #7)
> commit 9f70a762ab88ceebb8a48a7c9c3ce39ff7f205af
> Author: Mark Wielaard <mark@klomp.org>
> Date: Fri Dec 24 02:01:32 2021 +0100
> 
> libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
> 
> The gcc undefined sanitizer doesn't like the trick we use to calculate
> the (possibly) unaligned addresses to read. So calculate them by hand
> as unsigned char pointers.
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=28720
> 
> Signed-off-by: Mark Wielaard <mark@klomp.org>
> 
> Which should this particular issue.

I'm not sure but it seems it can still be triggered with that commit applied:
```
$ git log --oneline -5
9f70a762 (HEAD -> master, origin/master, origin/HEAD) libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
5b490793 libdwfl: Call xlatetom on aligned buffers in dwfl_link_map_report
1cf73965 libdwfl: Make sure dwfl_elf_phdr_memory_callback returns at least minread
4fdd8588 libdwfl: Always clean up build_id.memory
8f8c78cc libdwfl: Handle unaligned Nhdr in dwfl_segment_report_module

$ autoreconf -i -f
$ ./configure --enable-maintainer-mode --enable-sanitize-undefined
$ make -j$(nproc) V=1

$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./attachment.cgi\?id\=13875
gelf_xlate.h:48:1: runtime error: member access within misaligned address 0x7f5cd5612077 for type 'struct Elf32_Dyn', which requires 4 byte alignment
0x7f5cd5612077: note: pointer points here
 00 10 00 00 00 00 00 00 00 00 02 01 00 00 00 00  00 00 7f 45 46 4c 46 00 00 01 01 00 01 00 08 00
                                                  ^
    #0 0x7f5cd74851fc in Elf32_cvt_Dyn /home/vagrant/elfutils/libelf/gelf_xlate.h:48
    #1 0x7f5cd7484363 in elf32_xlatetom /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
    #2 0x7f5cd73b4fbf in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:848
    #3 0x7f5cd73b9fc9 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:563
    #4 0x402fa0 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #5 0x7f5cd6617471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #6 0x4026aa in main /home/vagrant/elfutils/src/stack.c:695
    #7 0x7f5cd652655f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #8 0x7f5cd652660b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #9 0x402944 in _start (/home/vagrant/elfutils/src/stack+0x402944)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:48:1 in
```
According to OSS-Fuzz it looks like that commit triggered https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43307 (which was also reported in https://sourceware.org/pipermail/elfutils-devel/2022q1/004623.html):
```
$ wget -O CRASH 'https://oss-fuzz.com/download?testcase_id=4696722113167360'
$ LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./CRASH
AddressSanitizer:DEADLYSIGNAL
=================================================================
==153072==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbe8640afe0 (pc 0x7fbe89eb2fc7 bp 0x7fffe2855510 sp 0x7fffe2855020 T0)
==153072==The signal is caused by a READ memory access.
    #0 0x7fbe89eb2fc7 in __bswap_64 /usr/include/bits/byteswap.h:73
    #1 0x7fbe89eb2fc7 in read_addrs /home/vagrant/elfutils/libdwfl/link_map.c:288
    #2 0x7fbe89eb2fc7 in report_r_debug /home/vagrant/elfutils/libdwfl/link_map.c:341
    #3 0x7fbe89eb2fc7 in dwfl_link_map_report /home/vagrant/elfutils/libdwfl/link_map.c:1117
    #4 0x7fbe89eb7103 in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:552
    #5 0x403d06 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #6 0x7fbe89a90471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #7 0x40281d in main /home/vagrant/elfutils/src/stack.c:695
    #8 0x7fbe8999f55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #9 0x7fbe8999f60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #10 0x402c94 in _start (/home/vagrant/elfutils/src/stack+0x402c94)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/bits/byteswap.h:73 in __bswap_64
==153072==ABORTING
```
(In reply to Evgeny Vereshchagin from comment #8)
> (In reply to Mark Wielaard from comment #7)
> > commit 9f70a762ab88ceebb8a48a7c9c3ce39ff7f205af
> > Author: Mark Wielaard <mark@klomp.org>
> > Date: Fri Dec 24 02:01:32 2021 +0100
> > 
> > libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
> > 
> > The gcc undefined sanitizer doesn't like the trick we use to calculate
> > the (possibly) unaligned addresses to read. So calculate them by hand
> > as unsigned char pointers.
> > 
> > https://sourceware.org/bugzilla/show_bug.cgi?id=28720
> > 
> > Signed-off-by: Mark Wielaard <mark@klomp.org>
> > 
> > Which should this particular issue.
> 
> I'm not sure but it seems it can still be triggered with that commit applied:
> ```
> $ git log --oneline -5
> 9f70a762 (HEAD -> master, origin/master, origin/HEAD) libdwfl: Calculate
> addr to read by hand in link_map.c read_addrs.
> 5b490793 libdwfl: Call xlatetom on aligned buffers in dwfl_link_map_report
> 1cf73965 libdwfl: Make sure dwfl_elf_phdr_memory_callback returns at least
> minread
> 4fdd8588 libdwfl: Always clean up build_id.memory
> 8f8c78cc libdwfl: Handle unaligned Nhdr in dwfl_segment_report_module
> 
> $ autoreconf -i -f
> $ ./configure --enable-maintainer-mode --enable-sanitize-undefined
> $ make -j$(nproc) V=1
> 
> $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
> LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core
> ./attachment.cgi\?id\=13875
> gelf_xlate.h:48:1: runtime error: member access within misaligned address
> 0x7f5cd5612077 for type 'struct Elf32_Dyn', which requires 4 byte alignment

That is a different issue than the one reported in comment #5.
This bug might be split up for the different issues found.
(In reply to Mark Wielaard from comment #10)
> That is a different issue than the one reported in comment #5.
> This bug might be split up for the different issues found.

Sorry. I seem to have overlooked that. I think this issue can be closed then. In the meantime, I've just opened https://github.com/google/oss-fuzz/pull/7092 (which should help to start catching issues like that on OSS-Fuzz). It'll sort out duplicates automatically so I'd just wait for it to report what's left. Thanks!
Forgot to close the issue. As far as I can see there are two issues left. They were reported in
https://sourceware.org/pipermail/elfutils-devel/2022q1/004623.html
and
https://sourceware.org/pipermail/elfutils-devel/2022q1/004629.html

Thanks!
(In reply to Evgeny Vereshchagin from comment #9)
> According to OSS-Fuzz looks like that commit triggered
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43307 (which was also
> reported in
> https://sourceware.org/pipermail/elfutils-devel/2022q1/004623.html):
> ```
> $ wget -O CRASH 'https://oss-fuzz.com/download?testcase_id=4696722113167360'
> $ LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./CRASH
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==153072==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbe8640afe0
> (pc 0x7fbe89eb2fc7 bp 0x7fffe2855510 sp 0x7fffe2855020 T0)
> ==153072==The signal is caused by a READ memory access.
>     #0 0x7fbe89eb2fc7 in __bswap_64 /usr/include/bits/byteswap.h:73
>     #1 0x7fbe89eb2fc7 in read_addrs
> /home/vagrant/elfutils/libdwfl/link_map.c:288
>     #2 0x7fbe89eb2fc7 in report_r_debug
> /home/vagrant/elfutils/libdwfl/link_map.c:341
>     #3 0x7fbe89eb2fc7 in dwfl_link_map_report
> /home/vagrant/elfutils/libdwfl/link_map.c:1117
>     #4 0x7fbe89eb7103 in _new.dwfl_core_file_report
> /home/vagrant/elfutils/libdwfl/core-file.c:552
>     #5 0x403d06 in parse_opt /home/vagrant/elfutils/src/stack.c:595
>     #6 0x7fbe89a90471 in argp_parse (/lib64/libc.so.6+0x11e471)
>     #7 0x40281d in main /home/vagrant/elfutils/src/stack.c:695
>     #8 0x7fbe8999f55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
>     #9 0x7fbe8999f60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
>     #10 0x402c94 in _start (/home/vagrant/elfutils/src/stack+0x402c94)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /usr/include/bits/byteswap.h:73 in __bswap_64
> ==153072==ABORTING
> ```

Interesting, that looks like an incomplete overflow check in read_addrs. Proposed fix: https://sourceware.org/pipermail/elfutils-devel/2022q1/004633.html
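To illustrate the two defensive patterns this thread converges on (reading ELF structures from an arbitrarily aligned core buffer without the misaligned member access UBSan reports, and a bounds check on the read offset that cannot wrap the way the incomplete check in read_addrs did), here is an added example that is not elfutils code; the names read_dyn32, count_dyn_entries, sample_count and the Dyn32 struct are hypothetical stand-ins for the real libelf/libdwfl routines, and the sample bytes are constructed:

```c
/* Added example, not elfutils code: read Elf32_Dyn entries from a byte buffer
   at any alignment without UB, with a bounds check that cannot wrap. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { int32_t d_tag; uint32_t d_val; } Dyn32;  /* Elf32_Dyn layout */

/* Casting buf + off to Dyn32 * is the misaligned member access UBSan flags at
   gelf_xlate.h:48 whenever off % 4 != 0.  Instead: compare buflen - off (so
   off + 8 cannot overflow), memcpy into an aligned local, then byte-swap. */
static bool read_dyn32 (const unsigned char *buf, size_t buflen, size_t off,
                        bool swap, Dyn32 *out)
{
  if (off > buflen || buflen - off < sizeof (Dyn32))
    return false;
  memcpy (out, buf + off, sizeof (Dyn32));
  if (swap)
    {
      out->d_tag = (int32_t) __builtin_bswap32 ((uint32_t) out->d_tag);
      out->d_val = __builtin_bswap32 (out->d_val);
    }
  return true;
}

/* Walk from OFF until DT_NULL (d_tag == 0).  Returns the number of entries
   before DT_NULL, or -1 if the buffer ends first (no read past the end). */
static long count_dyn_entries (const unsigned char *buf, size_t buflen,
                               size_t off, bool swap)
{
  for (long n = 0; ; n++, off += sizeof (Dyn32))
    {
      Dyn32 d;
      if (!read_dyn32 (buf, buflen, off, swap, &d))
        return -1;
      if (d.d_tag == 0)
        return n;
    }
}

/* Constructed sample: one pad byte, then three little-endian entries and
   DT_NULL, so every entry starts at an odd (misaligned) offset. */
static const unsigned char sample_dyn[] = {
  0x00,
  0x01, 0, 0, 0, 0x10, 0, 0, 0,     /* DT_NEEDED (1), d_val 0x10 */
  0x05, 0, 0, 0, 0x00, 0x20, 0, 0,  /* DT_STRTAB (5), d_val 0x2000 */
  0x06, 0, 0, 0, 0x00, 0x30, 0, 0,  /* DT_SYMTAB (6), d_val 0x3000 */
  0x00, 0, 0, 0, 0, 0, 0, 0,        /* DT_NULL */
};

/* Count the sample's entries with its last DROP bytes cut off.  The sample is
   little-endian, so swap only when the host is big-endian. */
long sample_count (size_t drop)
{
  const uint16_t one = 1;
  bool swap = *(const unsigned char *) &one != 1;
  return count_dyn_entries (sample_dyn, sizeof sample_dyn - drop, 1, swap);
}
```

Compiled with `-fsanitize=undefined`, the memcpy path stays silent on the odd offsets, and a naive `off + sizeof (Dyn32) > buflen` check would accept an offset near SIZE_MAX that the subtraction form rejects.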
(In reply to Evgeny Vereshchagin from comment #3)
> $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
> LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core
> SIGABRT.PC.7fffe4f4e84c.STACK.1976b2f3ff.CODE.-6.ADDR.0.INSTR.mov____%eax,
> %ebp.fuzz
> gelf_xlate.h:48:1: runtime error: member access within misaligned address
> 0x7f0817719077 for type 'struct Elf32_Dyn', which requires 4 byte alignment
> 0x7f0817719077: note: pointer points here
>  00 10 00 00 00 00 00 00 00 00 02 01 00 00 00 00  00 00 7f 45 46 4c 46 00
> 00 01 01 00 01 00 08 00
>                                                   ^
>     #0 0x7f0822689542 in Elf32_cvt_Dyn
> /home/vagrant/elfutils/libelf/gelf_xlate.h:48
>     #1 0x7f082268835e in elf32_xlatetom
> /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
>     #2 0x7f0819563307 in dwfl_segment_report_module
> /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:848
>     #3 0x7f081956c06c in _new.dwfl_core_file_report
> /home/vagrant/elfutils/libdwfl/core-file.c:563
>     #4 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
>     #5 0x7f0818721471 in argp_parse (/lib64/libc.so.6+0x11e471)
>     #6 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
>     #7 0x7f081863055f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
>     #8 0x7f081863060b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
>     #9 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)
> 
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:48:1 in
> ```

Proposed patch for this issue: https://sourceware.org/pipermail/elfutils-devel/2022q1/004635.html
(In reply to Evgeny Vereshchagin from comment #3)
> $ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
> LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core
> SIGABRT.PC.7fffe4f4e84c.STACK.18f0f46b60.CODE.-6.ADDR.0.INSTR.mov____%eax,
> %ebp.fuzz
> link_map.c:1040:20: runtime error: variable length array bound evaluates to
> non-positive value 0
>     #0 0x7fbc58f053e9 in dwfl_link_map_report
> /home/vagrant/elfutils/libdwfl/link_map.c:1040
>     #1 0x7fbc59023fa7 in _new.dwfl_core_file_report
> /home/vagrant/elfutils/libdwfl/core-file.c:552
>     #2 0x4053f7 in parse_opt /home/vagrant/elfutils/src/stack.c:595
>     #3 0x7fbc581d9471 in argp_parse (/lib64/libc.so.6+0x11e471)
>     #4 0x404b39 in main /home/vagrant/elfutils/src/stack.c:695
>     #5 0x7fbc580e855f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
>     #6 0x7fbc580e860b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
>     #7 0x404fa4 in _start (/home/vagrant/elfutils/src/stack+0x404fa4)
> 
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior link_map.c:1040:20 in

Proposed fix: https://sourceware.org/pipermail/elfutils-devel/2022q1/004637.html
I tested both patches with CFLite, AFL++ and honggfuzz for about ten minutes under ASan/UBSan with the reproducer testcases included in the "seed" corpus. I also unleashed the latest corpus provided by OSS-Fuzz on the fuzzer and it found nothing. Looks like both issues are gone for good. Thanks!

FWIW I recently posted patch v4 where AFL/AFL++ is supported as well. I think with both `--enable-honggfuzz` and `--enable-afl` it should be possible to integrate it into buildbot smoothly. The patch can be found at https://patchwork.sourceware.org/project/elfutils/patch/20211226160323.2450838-1-evvers@ya.ru/
FWIW I tested https://sourceware.org/pipermail/elfutils-devel/2022q1/004637.html as well with gcc (since it isn't reproducible with clang), honggfuzz and the latest OSS-Fuzz corpus. That issue is gone too. Thanks!
Thanks for testing, I also ran afl++ locally for a couple of hours and things look fine. So I pushed all 3 patches. It would indeed be good to integrate fuzz testing, I'll take a closer look at your patch next week. Thanks.