[PATCH] libdw_open_elf: Avoid invalid free
Mark Wielaard
mark@klomp.org
Fri Sep 5 22:24:02 GMT 2025
Hi Aaron,
On Fri, Sep 05, 2025 at 03:41:53PM -0400, Aaron Merey wrote:
> If libdw_open_elf detects an invalid ELF file, it may attempt to
> temporarily treat it as an ELF archive in order to check if there's
> a valid ELF file following a header.
>
> When doing this, the elf descriptor for the invalid file is given
> the dummy state.ar.elf_ar_hdr.ar_name "libdwfl is faking you out".
>
> Afterwards libdw_open_elf will call elf_end on the elf descriptor
> for the invalid ELF file. elf_end will attempt to free the address
> of the "libdwfl is faking you out" literal, causing an invalid free.
This code is really evil (as the comment already says).
> Fix this by setting the ar_name to NULL before libdw_open_elf calls
> elf_end on the descriptor of the invalid ELF file.
I like how this is the minimal change that makes this work again.
> Signed-off-by: Aaron Merey <amerey@redhat.com>
> ---
> libdwfl/open.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/libdwfl/open.c b/libdwfl/open.c
> index 43b29fa9..03e66dfa 100644
> --- a/libdwfl/open.c
> +++ b/libdwfl/open.c
> @@ -153,6 +153,7 @@ libdw_open_elf (int *fdp, Elf **elfp, bool close_on_fail, bool archive_ok,
> elf->state.ar.offset = offset - sizeof (struct ar_hdr);
> Elf *subelf = elf_begin (-1, elf->cmd, elf);
> elf->kind = ELF_K_NONE;
> + elf->state.ar.elf_ar_hdr.ar_name = NULL;
> if (unlikely (subelf == NULL))
> error = DWFL_E_LIBELF;
> else
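Review bot: the added `elf->state.ar.elf_ar_hdr.ar_name = NULL;` line carries no comment, and nothing next to it says why a field set a few lines earlier is being cleared; a reader who later touches this block will not know that elf_end frees ar_name and would otherwise hand the "libdwfl is faking you out" literal to free. Suggest a one-line comment above the new line, e.g. `/* elf_end frees ar_name; drop the fake literal before it runs.  */`, so the reset stays tied to the fake-out setup rather than looking like an unrelated cleanup. The placement itself is fine: it sits before the `subelf == NULL` check, so the literal is cleared on both the success and the failure path before elf_end is reached.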
As far as I can see/test this fixes the 440144412 and 440209728
ossfuzz cases.
Thanks,
Mark