Hi Aaron,

On Fri, Sep 05, 2025 at 03:41:53PM -0400, Aaron Merey wrote:
> If libdw_open_elf detects an invalid ELF file, it may attempt to
> temporarily treat it as an ELF archive in order to check if there's
> a valid ELF file following a header.
>
> When doing this, the elf descriptor for the invalid file is given
> the dummy state.ar.elf_ar_hdr.ar_name "libdwfl is faking you out".
>
> Afterwards libdw_open_elf will call elf_end on the elf descriptor
> for the invalid ELF file. elf_end will attempt to free the address
> of the "libdwfl is faking you out" literal, causing an invalid free.
This code is really evil (as the comment already says). > Fix this by setting the ar_name to NULL before libdw_open_elf calls > elf_end on the descriptor of the invalid ELF file. I like how this is the minimal that makes this work again. > Signed-off-by: Aaron Merey <[email protected]> > --- > libdwfl/open.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/libdwfl/open.c b/libdwfl/open.c > index 43b29fa9..03e66dfa 100644 > --- a/libdwfl/open.c > +++ b/libdwfl/open.c > @@ -153,6 +153,7 @@ libdw_open_elf (int *fdp, Elf **elfp, bool close_on_fail, > bool archive_ok, > elf->state.ar.offset = offset - sizeof (struct ar_hdr); > Elf *subelf = elf_begin (-1, elf->cmd, elf); > elf->kind = ELF_K_NONE; > + elf->state.ar.elf_ar_hdr.ar_name = NULL; > if (unlikely (subelf == NULL)) > error = DWFL_E_LIBELF; > else As far as I can see/test this fixes the 440144412 and 440209728 ossfuzz cases. Thanks, Mark
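Review bot: the added `elf->state.ar.elf_ar_hdr.ar_name = NULL;` line needs a short comment, because nothing in the hunk says why a field that was deliberately set to a dummy value a few lines earlier is now being cleared; a reader without this thread will not know that elf_end treats ar_name as heap memory it owns and would otherwise free the address of a string literal. A line such as `/* Undo the faked ar_name: elf_end would free() the literal. */` above the assignment ties it back to the fake-archive trick. The placement itself looks right: it sits after the `elf_begin (-1, elf->cmd, elf)` call that consumes the faked archive state, next to the `elf->kind = ELF_K_NONE;` reset that undoes the rest of the temporary state, so the dummy name has already served its purpose. Note that the fix relies on elf_end skipping a NULL ar_name rather than on any explicit ownership marker, so the fake-archive path is worth keeping covered by the two ossfuzz reproducers (440144412 and 440209728) named in this reply.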

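The ownership confusion described in the commit message, modelled in added example code (this is not elfutils code, and `struct desc`, `desc_end`, `probe_as_archive` and the ledger are hypothetical stand-ins): a cleanup routine that assumes it owns the name pointer, a probe that temporarily lends it a string literal, and a small ownership ledger that refuses to free memory the module never allocated, which is the check AddressSanitizer performs at runtime and the reason the fuzzer caught this. The `fix` flag applies the patch's one-line reset before cleanup.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the archive-header state touched by the patch;
   the names are chosen for illustration, not copied from libelf. */
struct ar_header { char *ar_name; };
struct desc { int kind; struct ar_header hdr; };

/* Ownership ledger: every name this module allocates for a descriptor is
   recorded, so the cleanup path can prove it owns a pointer before freeing
   it. A real build gets the same check from AddressSanitizer. */
#define LEDGER_MAX 16
static void *ledger[LEDGER_MAX];
static size_t ledger_len;

static char *owned_strdup(const char *s)
{
  size_t n = strlen(s) + 1;
  char *p = malloc(n);
  if (p == NULL || ledger_len == LEDGER_MAX) { free(p); return NULL; }
  memcpy(p, s, n);
  ledger[ledger_len++] = p;
  return p;
}

/* Remove p from the ledger; false means this module never allocated it. */
static bool ledger_release(const void *p)
{
  for (size_t i = 0; i < ledger_len; i++)
    if (ledger[i] == p) { ledger[i] = ledger[--ledger_len]; return true; }
  return false;
}

/* Cleanup modelled on elf_end: the descriptor owns ar_name and frees it.
   Returns 0 on success and -1 if asked to free memory it does not own,
   i.e. the invalid free the patch fixes; it refuses instead of crashing. */
static int desc_end(struct desc *d)
{
  if (d->hdr.ar_name == NULL)
    return 0;                          /* nothing to free: the fixed path */
  if (!ledger_release(d->hdr.ar_name))
    return -1;                         /* borrowed pointer: would be an invalid free */
  free(d->hdr.ar_name);
  d->hdr.ar_name = NULL;
  return 0;
}

/* The fake-archive probe: lend a string literal as ar_name while the file is
   inspected as if it were an archive. With fix == false the literal is still
   in place when desc_end runs, reproducing the bug; with fix == true the
   patch's one-line reset clears it first. */
static int probe_as_archive(bool fix)
{
  struct desc d = { .kind = 0, .hdr = { NULL } };
  d.hdr.ar_name = (char *) "libdwfl is faking you out";  /* never malloc'd */
  /* ... the probe (elf_begin in the real code) would read the fake header here ... */
  if (fix)
    d.hdr.ar_name = NULL;              /* the patch's reset, before cleanup */
  return desc_end(&d);
}

/* The ordinary path for comparison: a heap-owned name is freed correctly. */
static int normal_open_close(void)
{
  struct desc d = { .kind = 1, .hdr = { owned_strdup("member.o") } };  /* constructed name */
  if (d.hdr.ar_name == NULL)
    return -2;
  return desc_end(&d);
}
```

Calling `probe_as_archive(false)` returns -1 (the ledger rejects the literal), `probe_as_archive(true)` returns 0, and `normal_open_close()` returns 0; the point is that the one-line reset works only because the cleanup path treats NULL as "nothing owned", which is exactly the assumption the review comment above asks to be documented.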