[Bug libelf/28666] memmove() reads out-of-range in elf32_xlatetom

Tue Dec 7 14:14:11 GMT 2021

https://sourceware.org/bugzilla/show_bug.cgi?id=28666

Evgeny Vereshchagin <evvers at ya dot ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |evvers at ya dot ru

--- Comment #1 from Evgeny Vereshchagin <evvers at ya dot ru> ---
FWIW There are a lot of moving parts there so in
https://github.com/google/oss-fuzz/pull/6944 I tried to make it easier to
reproduce bugs found by the fuzz target without Docker used by the oss-fuzz
toolchain. To that end I added a comment where I tried to explain how to build
it manually with clang and the build dependencies of elfutils:
https://github.com/google/oss-fuzz/blob/5f83a8b6811eaa6b1a0aa574e095ed0def8a0ce3/projects/elfutils/build.sh#L18-L36.

Apart from that I'm pretty sure all the bugs that can be found by the fuzz
target (in its current form at least) can be triggered with `./src/stack --core
...` built with ASan/UBsan or under Valgrind so this particular issue can be
triggered by running something like
```
autoreconf -i -f
./configure --enable-maintainer-mode CFLAGS='-g -O1 -fno-omit-frame-pointer
-fsanitize=address' CXXFLAGS='-g -O1 -fno-omit-frame-pointer
-fsanitize=address'
ASAN_OPTIONS=detect_leaks=0 make -j$(nproc) V=1
$ LD_PRELOAD="/lib64/libasan.so.6 ./libelf/libelf.so ./libdw/libdw.so" 
./src/stack --core ../poc1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==52660==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd5b4e5d000 (pc
0x7fd5b8a86368 bp 0x7fff4773cb50 sp 0x7fff4773cb18 T0)
==52660==The signal is caused by a READ memory access.
    #0 0x7fd5b8a86368 in __sanitizer::internal_memmove(void*, void const*,
unsigned long) (/lib64/libasan.so.6+0xc5368)
    #1 0x7fd5b898aa42 in memmove /usr/include/bits/string_fortified.h:36
    #2 0x7fd5b898aa42 in elf32_xlatetom
/home/vagrant/elfutils/libelf/elf32_xlatetom.c:96
    #3 0x7fd5b88c285b in dwfl_link_map_report
/home/vagrant/elfutils/libdwfl/link_map.c:895
    #4 0x7fd5b88c7877 in _new.dwfl_core_file_report
/home/vagrant/elfutils/libdwfl/core-file.c:548
    #5 0x4037b8 in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #6 0x7fd5b84bef81 in __argp_parse (/lib64/libc.so.6+0x10cf81)
    #7 0x404b7d in main /home/vagrant/elfutils/src/stack.c:695
    #8 0x7fd5b83d9b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
    #9 0x40256d in _start (/home/vagrant/elfutils/src/stack+0x40256d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.6+0xc5368) in
__sanitizer::internal_memmove(void*, void const*, unsigned long)
==52660==ABORTING
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.