This is the mail archive of the
elfutils-devel@sourceware.org
mailing list for the elfutils project.
Re: Fuzzing elfutils
- From: Mark Wielaard <mjw at redhat dot com>
- To: elfutils-devel at lists dot fedorahosted dot org
- Date: Fri, 19 Dec 2014 01:13:15 +0100
- Subject: Re: Fuzzing elfutils
On Thu, 2014-12-18 at 21:15 +0300, Alexander Cherepanov wrote:
> > Thanks. I'll try to reproduce them soon. But without a general leb128
> > length check fix using eu-readelf -w might be somewhat unreliable (and
> > this also might impact -e/--exceptions).
>
> There are many patches flowing and it's not clear which are relevant for
> my crashes and when it's the right time to start fuzzing again.
Now would be a good time :) I am not aware of any pending crashers.
Although I am aware of 3 areas that still need some work because they
could potentially cause crashes on bad input (I'll update the bug soon).
Sorry there were so many changes. But sadly there were a lot of
crashers. I hope we got them all. And some of yours needed some more
general fixes that needed some discussion. But those patches are now
finally all in.
> Well, I current master against samples which I submitted earlier and it
> seems everything is fixed except for a couple of invalid reads when
> processing 6f100f93:
>
> ==5634== Invalid read of size 1
> ==5634== at 0x4E43A08: __libdw_get_uleb128 (memory-access.h:65)
> ==5634== by 0x4E43A08: dwarf_getabbrevattr (dwarf_getabbrevattr.c:63)
> ==5634== by 0x4097CE: print_debug_abbrev_section (readelf.c:4573)
Yes, that is one area that still needs some improvement. When processing
a "raw" abbrev with dwarf_getabbrevattr we don't know where it
originally came from and so cannot do bounds checks yet. Luckily in this
case it doesn't crash, but I think it potentially could. So we'll need
to add some tracking there.
> Further fuzzing found 3 crashes in readelf. Not sure if you want to look
> into them now.
Yes, please do add them to the "fuzzer crash bug":
https://bugzilla.redhat.com/show_bug.cgi?id=1170810
Sorry if they don't get immediately fixed for 0.161. But the release
should already have happened and I like to include just some testsuite
cleanups and get it shipped, before continuing with more work.
Thanks,
Mark