Issue 441055980: elfutils:fuzz-libdwfl: Heap-buffer-overflow in gelf_getshdr
buganizer-system@google.com
Fri Sep 5 16:16:01 GMT 2025
https://issues.oss-fuzz.com/issues/441055980
ev...@gmail.com added comment #2:
It can be reproduced by building elfutils with ASan, downloading the
testcase from https://oss-fuzz.com/download?testcase_id=5433808192339968 and
running `readelf -a`:
```
git clone https://sourceware.org/git/elfutils.git
cd elfutils
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-address
make V=1
wget -O TESTCASE-441055980 https://oss-fuzz.com/download?testcase_id=5433808192339968
LD_LIBRARY_PATH=$(pwd)/libdw:$(pwd)/libelf ./src/readelf -a TESTCASE-441055980
```
```
=================================================================
==138206==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7d28fe1e02ac at pc 0x7fc8ffae4937 bp 0x7ffea5b28990 sp 0x7ffea5b28150
READ of size 64 at 0x7d28fe1e02ac thread T0
    #0 0x7fc8ffae4936 in memcpy (/lib64/libasan.so.8+0xe4936) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
    #1 0x7fc8ff6a98ac in __libdwfl_elf_address_range /home/vagrant/elfutils/libdwfl/dwfl_report_elf.c:76
    #2 0x7fc8ff6aa37a in __libdwfl_report_elf /home/vagrant/elfutils/libdwfl/dwfl_report_elf.c:247
    #3 0x7fc8ff6b121f in process_elf /home/vagrant/elfutils/libdwfl/offline.c:137
    #4 0x7fc8ff6b121f in process_file /home/vagrant/elfutils/libdwfl/offline.c:125
    #5 0x7fc8ff6b15bd in process_archive_member /home/vagrant/elfutils/libdwfl/offline.c:235
    #6 0x7fc8ff6b15bd in process_archive /home/vagrant/elfutils/libdwfl/offline.c:265
    #7 0x7fc8ff6b15bd in process_file /home/vagrant/elfutils/libdwfl/offline.c:128
    #8 0x7fc8ff6b15bd in process_archive_member /home/vagrant/elfutils/libdwfl/offline.c:235
    #9 0x7fc8ff6b15bd in process_archive /home/vagrant/elfutils/libdwfl/offline.c:265
    #10 0x7fc8ff6b15bd in process_file /home/vagrant/elfutils/libdwfl/offline.c:128
    #11 0x7fc8ff6b1eda in __libdwfl_report_offline /home/vagrant/elfutils/libdwfl/offline.c:295
    #12 0x00000040fb04 in create_dwfl /home/vagrant/elfutils/src/readelf.c:970
    #13 0x00000040fe62 in process_file /home/vagrant/elfutils/src/readelf.c:1014
    #14 0x00000040295c in main /home/vagrant/elfutils/src/readelf.c:482
    #15 0x7fc8ff811574 in __libc_start_call_main (/lib64/libc.so.6+0x3574) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
    #16 0x7fc8ff811627 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3627) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
    #17 0x0000004047d4 in _start (/home/vagrant/elfutils/src/readelf+0x4047d4) (BuildId: f53bce073c5090b8a49889e1f590b6b4a4023a28)

0x7d28fe1e02ac is located 0 bytes after 556-byte region [0x7d28fe1e0080,0x7d28fe1e02ac)
allocated by thread T0 here:
    #0 0x7fc8ffae5e4b in realloc.part.0 (/lib64/libasan.so.8+0xe5e4b) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
    #1 0x7fc8ff6eb9b3 in smaller_buffer /home/vagrant/elfutils/libdwfl/gzip.c:108
    #2 0x7fc8ff6eb9b3 in __libdw_gunzip /home/vagrant/elfutils/libdwfl/gzip.c:394

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vagrant/elfutils/libdwfl/dwfl_report_elf.c:76 in __libdwfl_elf_address_range
Shadow bytes around the buggy address:
  0x7d28fe1e0000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7d28fe1e0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d28fe1e0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d28fe1e0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7d28fe1e0200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7d28fe1e0280: 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa fa
  0x7d28fe1e0300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7d28fe1e0380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7d28fe1e0400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7d28fe1e0480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7d28fe1e0500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==138206==ABORTING
```
_______________________________
Reference Info: 441055980 elfutils:fuzz-libdwfl: Heap-buffer-overflow in gelf_getshdr
component: Public Trackers > 1362134 > OSS Fuzz
status: New
reporter: 87...@developer.gserviceaccount.com
cc: da...@adalogics.com, elfutils-devel@sourceware.org, ev...@gmail.com, and 1 more
collaborators: co...@oss-fuzz.com
type: Vulnerability
access level: Default access
priority: P2
severity: S2
hotlist: Reproducible, Stability-Memory-AddressSanitizer
retention: Component default
Project: elfutils
Reported: Aug 25, 2025
Generated by Google IssueTracker notification system.
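The report above shows a 64-byte read (the size of an Elf64_Shdr) starting 0 bytes past the end of a 556-byte buffer that __libdw_gunzip produced, which is consistent with a section header being read from an in-memory ELF image that is too short to hold it. The C below is an added example, not elfutils code: it performs the bounds check an ELF64 parser needs before reading any section header from such an image. The function names and the probe image are my own; little-endian (ELFDATA2LSB) images are assumed, and the field offsets are those of the ELF64 file header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian load/store helpers for the fixed-width ELF header fields. */
static uint64_t rd_le(const unsigned char *p, size_t n)
{
  uint64_t v = 0;
  while (n-- > 0) v = (v << 8) | p[n];
  return v;
}
static void wr_le(unsigned char *p, uint64_t v, size_t n) { while (n-- > 0) { *p++ = (unsigned char)v; v >>= 8; } }

enum { EHDR64_SIZE = 64, SHDR64_SIZE = 64, IMG_MAX = 256 };

/* Offset of section header 'idx' inside an ELF64 image of 'len' bytes, or
 * (size_t)-1 when the ELF header, the whole table, or that entry would lie
 * outside the image.  Only after this passes may an Elf64_Shdr be copied out. */
size_t shdr64_offset(const unsigned char *img, size_t len, size_t idx)
{
  if (len < EHDR64_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0
      || img[4] != 2 /* ELFCLASS64 */ || img[5] != 1 /* ELFDATA2LSB */)
    return (size_t)-1;
  uint64_t shoff = rd_le(img + 0x28, 8);       /* e_shoff */
  uint64_t shentsize = rd_le(img + 0x3a, 2);   /* e_shentsize */
  uint64_t shnum = rd_le(img + 0x3c, 2);       /* e_shnum */
  /* An entry shorter than Elf64_Shdr would let a 64-byte copy overrun it. */
  if (shentsize < SHDR64_SIZE || idx >= shnum)
    return (size_t)-1;
  /* Overflow-safe: compare against len - shoff instead of adding to shoff. */
  if (shoff > len || shnum * shentsize > len - shoff)
    return (size_t)-1;
  return (size_t)(shoff + idx * shentsize);
}

/* Constructed probe image (hypothetical, for exercising the check): a bare
 * ELF64 header with the three section-table fields set as requested, then
 * zero padding.  Returns what shdr64_offset says about header 'idx'. */
size_t probe(size_t len, uint64_t shoff, uint16_t shentsize, uint16_t shnum, size_t idx)
{
  unsigned char img[IMG_MAX] = {0};
  if (len > IMG_MAX) return (size_t)-1;
  memcpy(img, "\x7f" "ELF", 4);
  img[4] = 2; img[5] = 1; img[6] = 1;          /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
  wr_le(img + 0x28, shoff, 8);
  wr_le(img + 0x3a, shentsize, 2);
  wr_le(img + 0x3c, shnum, 2);
  return shdr64_offset(img, len, idx);
}
```

The second probe below is the shape of the failure in the report: a table whose last entry ends one byte past the image must be rejected rather than copied.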