This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.



Re: Fuzzing elfutils


On Thu, 2014-12-18 at 21:15 +0300, Alexander Cherepanov wrote:
> > Thanks. I'll try to reproduce them soon. But without a general leb128
> > length check fix using eu-readelf -w might be somewhat unreliable (and
> > this also might impact -e/--exceptions).
> 
> There are many patches flowing and it's not clear which are relevant for 
> my crashes and when it's the right time to start fuzzing again.

Now would be a good time :) I am not aware of any pending crashers.
Although I am aware of 3 areas that still need some work because they
could potentially cause crashes on bad input (I'll update the bug soon).
Sorry there were so many changes. But sadly there were a lot of
crashers. I hope we got them all. And some of yours needed some more
general fixes that needed some discussion. But those patches are now
finally all in.

> Well, I current master against samples which I submitted earlier and it 
> seems everything is fixed except for a couple of invalid reads when 
> processing 6f100f93:
> 
> ==5634== Invalid read of size 1
> ==5634==    at 0x4E43A08: __libdw_get_uleb128 (memory-access.h:65)
> ==5634==    by 0x4E43A08: dwarf_getabbrevattr (dwarf_getabbrevattr.c:63)
> ==5634==    by 0x4097CE: print_debug_abbrev_section (readelf.c:4573)

Yes, that is one area that still needs some improvement. When processing
a "raw" abbrev with dwarf_getabbrevattr we don't know where it
originally came from and so cannot do bounds checks yet. Luckily in this
case it doesn't crash, but I think it potentially could. So we'll need
to add some tracking there.

> Further fuzzing found 3 crashes in readelf. Not sure if you want to look 
> into them now.

Yes, please do add them to the "fuzzer crash bug":
https://bugzilla.redhat.com/show_bug.cgi?id=1170810

Sorry if they don't get immediately fixed for 0.161. But the release
should already have happened and I'd like to include just some testsuite
cleanups and get it shipped, before continuing with more work.

Thanks,

Mark
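The bounds problem discussed in this thread (a ULEB128 reader that walks off the end of its buffer, and an abbrev attribute walker that has no end pointer to check against) can be shown with a small added example. The code below is written for this archive page; it is not elfutils' `__libdw_get_uleb128` or `dwarf_getabbrevattr`. It decodes ULEB128 values only while the cursor is below an explicit `end` pointer, rejects encodings that overflow 64 bits, and then walks a DWARF-style attribute-spec list (ULEB128 name/form pairs terminated by a 0,0 pair) over constructed byte strings, one well-formed and several truncated. The function names, the sample bytes and the `-1` error convention are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds-checked ULEB128 decoder (example code, not elfutils').
   Reads from *p but never at or past END.  On success stores the value,
   advances *p past the encoding and returns true.  Returns false, leaving
   *p untouched, when the input ends while the continuation bit is still
   set, or when the payload would not fit in 64 bits.  */
static bool
get_uleb128_checked (const unsigned char **p, const unsigned char *end,
                     uint64_t *result)
{
  const unsigned char *cur = *p;
  uint64_t value = 0;
  unsigned shift = 0;

  while (cur < end)
    {
      unsigned char byte = *cur++;
      /* Bits 0..63 only: the 10th byte may carry one payload bit, an
         11th byte can never be valid.  */
      if (shift >= 64 || (shift == 63 && (byte & 0x7f) > 1))
        return false;
      value |= (uint64_t) (byte & 0x7f) << shift;
      if ((byte & 0x80) == 0)
        {
          *p = cur;
          *result = value;
          return true;
        }
      shift += 7;
    }
  /* Ran out of bytes with the continuation bit set: truncated input.  */
  return false;
}

/* Convenience wrapper: decode a single value from a buffer of LEN bytes.  */
bool
decode_one (const unsigned char *buf, size_t len, uint64_t *out)
{
  const unsigned char *p = buf;
  return get_uleb128_checked (&p, buf + len, out);
}

/* Walk an abbrev attribute-spec list: (name, form) ULEB128 pairs ending
   with the pair (0, 0).  Returns the number of real attribute specs, or
   -1 if the list is truncated or malformed before the terminator.  */
int
count_abbrev_attrs (const unsigned char *buf, size_t len)
{
  const unsigned char *p = buf;
  const unsigned char *end = buf + len;
  int count = 0;

  for (;;)
    {
      uint64_t name, form;
      if (!get_uleb128_checked (&p, end, &name))
        return -1;
      if (!get_uleb128_checked (&p, end, &form))
        return -1;
      if (name == 0 && form == 0)
        return count;
      count++;
    }
}

/* Constructed samples (assumptions for this example, not from any file).  */
static const unsigned char sample_ok[] =
  { 0x03, 0x08,      /* DW_AT_name,      DW_FORM_string */
    0x3a, 0x0b,      /* DW_AT_decl_file, DW_FORM_data1  */
    0x00, 0x00 };    /* terminator */
static const unsigned char sample_multibyte[] =
  { 0x81, 0x01, 0x08, 0x00, 0x00 };   /* name 129, form 8, terminator */
static const unsigned char sample_no_terminator[] =
  { 0x03, 0x08, 0x3a };               /* ends inside the second pair */
static const unsigned char sample_cut_uleb[] =
  { 0x81 };                           /* continuation bit set, no next byte */
static const unsigned char sample_overflow[] =
  { 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x01 };

int
main (void)
{
  uint64_t v = 0;
  printf ("0xE5 0x8E 0x26 -> %s %llu\n",
          decode_one ((const unsigned char[]) { 0xE5, 0x8E, 0x26 }, 3, &v)
          ? "ok" : "error", (unsigned long long) v);
  printf ("well-formed list: %d attrs\n",
          count_abbrev_attrs (sample_ok, sizeof sample_ok));
  printf ("truncated list: %d\n",
          count_abbrev_attrs (sample_no_terminator,
                              sizeof sample_no_terminator));
  printf ("cut ULEB128: %d\n",
          count_abbrev_attrs (sample_cut_uleb, sizeof sample_cut_uleb));
  return 0;
}
```

The point of the `end` parameter is the one Mark makes above: a reader that is handed a bare pointer cannot refuse to read past the section, so every caller has to carry the section end along with the data. Running the walker over the truncated samples returns `-1` instead of reading beyond the array.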

