[Bug libdw/28720] UBSan: member access within misaligned address 0x7f6e8d80f142 for type 'struct Elf32_Phdr', which requires 4 byte alignment

mark at klomp dot org sourceware-bugzilla@sourceware.org
Thu Jan 6 15:55:08 GMT 2022 

https://sourceware.org/bugzilla/show_bug.cgi?id=28720

--- Comment #13 from Mark Wielaard <mark at klomp dot org> ---
(In reply to Evgeny Vereshchagin from comment #9)
> According to OSS-Fuzz looks like that commit triggered
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43307 (which was also
> reported in
> https://sourceware.org/pipermail/elfutils-devel/2022q1/004623.html):
> ```
> $ wget -O CRASH 'https://oss-fuzz.com/download?testcase_id=4696722113167360'
> $ LD_LIBRARY_PATH="./libdw;./libelf" ./src/stack --core ./CRASH
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==153072==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbe8640afe0
> (pc 0x7fbe89eb2fc7 bp 0x7fffe2855510 sp 0x7fffe2855020 T0)
> ==153072==The signal is caused by a READ memory access.
>     #0 0x7fbe89eb2fc7 in __bswap_64 /usr/include/bits/byteswap.h:73
>     #1 0x7fbe89eb2fc7 in read_addrs
> /home/vagrant/elfutils/libdwfl/link_map.c:288
>     #2 0x7fbe89eb2fc7 in report_r_debug
> /home/vagrant/elfutils/libdwfl/link_map.c:341
>     #3 0x7fbe89eb2fc7 in dwfl_link_map_report
> /home/vagrant/elfutils/libdwfl/link_map.c:1117
>     #4 0x7fbe89eb7103 in _new.dwfl_core_file_report
> /home/vagrant/elfutils/libdwfl/core-file.c:552
>     #5 0x403d06 in parse_opt /home/vagrant/elfutils/src/stack.c:595
>     #6 0x7fbe89a90471 in argp_parse (/lib64/libc.so.6+0x11e471)
>     #7 0x40281d in main /home/vagrant/elfutils/src/stack.c:695
>     #8 0x7fbe8999f55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
>     #9 0x7fbe8999f60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
>     #10 0x402c94 in _start (/home/vagrant/elfutils/src/stack+0x402c94)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /usr/include/bits/byteswap.h:73 in __bswap_64
> ==153072==ABORTING
> ```

Interesting, that looks like an incomplete overflow check in read_addrs.
Proposed fix:
https://sourceware.org/pipermail/elfutils-devel/2022q1/004633.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.

More information about the Elfutils-devel mailing list