Hi,

On Sat, Jul 29, 2023 at 03:00:49PM -0700, evv… via monorail via Elfutils-devel wrote:
>
> Comment #1 on issue 60887 by evv...@gmail.com: elfutils:fuzz-libelf:
> Direct-leak in __libelf_decompress_zlib
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60887#c1
>
> The full backtrace is
> ```
> ==178009==ERROR: LeakSanitizer: detected memory leaks
> Direct leak of 1 byte(s) in 1 object(s) allocated from:
>     #0 0x52efd6 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
>     #1 0x57a228 in __libelf_decompress_zlib /src/elfutils/libelf/elf_compress.c:370:19
>     #2 0x57a987 in __libelf_decompress /src/elfutils/libelf/elf_compress.c:440:12
>     #3 0x57a987 in __libelf_decompress_elf /src/elfutils/libelf/elf_compress.c:500:7
>     #4 0x57629f in get_zdata /src/elfutils/libelf/elf_strptr.c:45:17
>     #5 0x575c5e in elf_strptr /src/elfutils/libelf/elf_strptr.c:135:38
>     #6 0x56c5b3 in fuzz_logic_one /src/fuzz-libelf.c:40:26
>     #7 0x56cc7f in LLVMFuzzerTestOneInput /src/fuzz-libelf.c:88:3
> ```
>
> I haven't figured out how to trigger that memory leak without the fuzz target
> but as far as I can tell `fuzz_logic_one` was inspired by the elfgetzdata test in
> the sense that it calls elf_nextscn/elf_strptr/elf_compress.
>
> The code triggering the memory leak is
> https://github.com/google/oss-fuzz/blob/24328c88fd610decaf311020ffc7073aec1db252/projects/elfutils/fuzz-libelf.c#L27C6-L27C20
Thanks, I can replicate it with that and valgrind.

The issue is when elf_strptr has (partially) uncompressed the section data
(to read the uncompressed string), the program never requests the
(uncompressed) section data, but does (re)compress it.

Working on a fix.

Cheers,

Mark