Hi Mark,

I'm not subscribed to the mailing list so I can't seem to reply to
https://sourceware.org/pipermail/elfutils-devel/2021q4/004595.html directly.
All those issues can be reproduced by downloading public testcases and
passing them to ./fuzz/dwfl-core. That particular issue can be reproduced with
```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-address --enable-sanitize-undefined
make -j$(nproc) V=1
make -C tests fuzz-dwfl-core

wget -O CRASH https://oss-fuzz.com/download?testcase_id=4756614962348032

LD_LIBRARY_PATH="./libdw;./libelf" ./tests/fuzz-dwfl-core ./CRASH
Running: ./CRASH
=================================================================
==266852==ERROR: AddressSanitizer: unknown-crash on address 0x7f492ff9c000 at pc 0x7f4934340b00 bp 0x7ffc09558f30 sp 0x7ffc095586e0
READ of size 64 at 0x7f492ff9c000 thread T0
    #0 0x7f4934340aff in __interceptor_memcpy (/lib64/libasan.so.6+0x39aff)
    #1 0x7f4933f2aa90 in memcpy /usr/include/bits/string_fortified.h:29
    #2 0x7f4933f2aa90 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:385
    #3 0x7f4933f3a09d in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:559
    #4 0x40194b in LLVMFuzzerTestOneInput /home/vagrant/elfutils/tests/fuzz-dwfl-core.c:47
    #5 0x401411 in main /home/vagrant/elfutils/tests/fuzz-main.c:33
    #6 0x7f493310c55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #7 0x7f493310c60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #8 0x401654 in _start (/home/vagrant/elfutils/tests/fuzz-dwfl-core+0x401654)

Address 0x7f492ff9c000 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash (/lib64/libasan.so.6+0x39aff) in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0fe9a5feb7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9a5feb7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9a5feb7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9a5feb7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9a5feb7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe9a5feb800:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb810: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe9a5feb850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==266852==ABORTING
```
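
Added example (not part of the mail above and not elfutils code): a small Python triage helper that parses an AddressSanitizer report like the one reproduced above, pulls out the error class and the faulting access, and picks the first stack frame that lies in the project's own sources (skipping the libasan interceptor in #0 and the fortified memcpy wrapper from /usr/include in #1) to build a stable key for de-duplicating fuzzer crashes. The embedded sample report is constructed from the report in the mail with the wrapped lines rejoined and the shadow-byte dump dropped; the SYSTEM_PREFIXES and RUNTIME_FUNC_PREFIXES lists are heuristics assumed here, not something ASan defines.

```python
"""Triage an AddressSanitizer report: error class, faulting access and the
first frame in project code, so that fuzzer crashes can be de-duplicated."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the report from the mail with wrapped lines rejoined
# and the shadow-byte dump omitted.  Not captured by this script.
SAMPLE_REPORT = """\
==266852==ERROR: AddressSanitizer: unknown-crash on address 0x7f492ff9c000 at pc 0x7f4934340b00 bp 0x7ffc09558f30 sp 0x7ffc095586e0
READ of size 64 at 0x7f492ff9c000 thread T0
    #0 0x7f4934340aff in __interceptor_memcpy (/lib64/libasan.so.6+0x39aff)
    #1 0x7f4933f2aa90 in memcpy /usr/include/bits/string_fortified.h:29
    #2 0x7f4933f2aa90 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:385
    #3 0x7f4933f3a09d in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:559
    #4 0x40194b in LLVMFuzzerTestOneInput /home/vagrant/elfutils/tests/fuzz-dwfl-core.c:47
    #5 0x401411 in main /home/vagrant/elfutils/tests/fuzz-main.c:33
    #6 0x7f493310c55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)

Address 0x7f492ff9c000 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash (/lib64/libasan.so.6+0x39aff) in __interceptor_memcpy
==266852==ABORTING
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>\S+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-fA-F]+", re.M)
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S.*?)\s*$", re.M)
SRC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")  # path:line[:col]

# Heuristics (assumptions): where toolchain/system code lives, and which
# function prefixes belong to the sanitizer runtime rather than the target.
SYSTEM_PREFIXES = ("/usr/include/", "/usr/lib/", "/lib/", "/lib64/")
RUNTIME_FUNC_PREFIXES = ("__interceptor_", "__asan", "__sanitizer")


@dataclass
class Frame:
    idx: int
    func: str
    loc: str  # "path:line[:col]" when symbolised, else "(module+offset)"

    def source(self) -> Optional[Tuple[str, int]]:
        m = SRC_RE.match(self.loc)
        return (m["file"], int(m["line"])) if m else None


@dataclass
class Triage:
    kind: str        # e.g. "unknown-crash", "heap-buffer-overflow"
    address: str
    access: str      # e.g. "READ 64"
    frames: List[Frame]
    blame: Optional[Frame]

    def key(self) -> str:
        """Dedup key: error class plus blamed function and basename:line."""
        if self.blame is None:
            return f"{self.kind}|<no project frame>"
        path, line = self.blame.source()
        return f"{self.kind}|{self.blame.func}|{os.path.basename(path)}:{line}"


def parse_frames(report: str) -> List[Frame]:
    """Frames of the first stack only; a later stack restarts at #0."""
    frames: List[Frame] = []
    for m in FRAME_RE.finditer(report):
        idx = int(m["idx"])
        if frames and idx <= frames[-1].idx:
            break
        frames.append(Frame(idx, m["func"], m["loc"]))
    return frames


def pick_blame(frames: List[Frame], project_root: Optional[str] = None) -> Optional[Frame]:
    """First symbolised frame outside the sanitizer runtime and system headers."""
    for f in frames:
        if f.func.startswith(RUNTIME_FUNC_PREFIXES):
            continue
        src = f.source()
        if src is None or src[0].startswith(SYSTEM_PREFIXES):
            continue
        if project_root and not src[0].startswith(project_root):
            continue
        return f
    return None


def triage(report: str, project_root: Optional[str] = None) -> Triage:
    err = ERROR_RE.search(report)
    if err is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    acc = ACCESS_RE.search(report)
    access = f"{acc['op']} {acc['size']}" if acc else "unknown"
    frames = parse_frames(report)
    return Triage(err["kind"], err["addr"], access, frames, pick_blame(frames, project_root))


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT, project_root="/home/vagrant/elfutils/")
    # "unknown-crash" with "is a wild pointer" (shadow byte fe) means the
    # address lies outside any allocation ASan tracks: the pointer or length
    # fed to memcpy was derived from untrusted input, not an off-by-one.
    print(t.kind, t.address, t.access)
    print("blame:", t.blame)
    print("key:", t.key())
```

Running it against the sample yields the key `unknown-crash|dwfl_segment_report_module|dwfl_segment_report_module.c:385`, which is what you would group OSS-Fuzz testcases by before filing or fixing; passing `project_root` restricts blame to the checkout so that frames from a vendored or system library are never chosen.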
