On Fri, Sep 5, 2025 at 6:24 PM Mark Wielaard <[email protected]> wrote: > > Hi Aaron, > > On Fri, Sep 05, 2025 at 03:41:53PM -0400, Aaron Merey wrote: > > If libdw_open_elf detects an invalid ELF file, it may attempt to > > temporarily treat it as an ELF archive in order to check if there's > > a valid ELF file following a header. > > > > When doing this, the elf descriptor for the invalid file is given > > the dummy state.ar.elf_ar_hdr.ar_name "libdwfl is faking you out". > > > > Afterwards libdw_open_elf will call elf_end on the elf descriptor > > for the invalid ELF file. elf_end will attempt to free the address > > of the "libdwfl is faking you out" literal, causing an invalid free. > > This code is really evil (as the comment already says). > > > Fix this by setting the ar_name to NULL before libdw_open_elf calls > > elf_end on the descriptor of the invalid ELF file. > > I like how this is the minimal that makes this work again. > > > Signed-off-by: Aaron Merey <[email protected]> > > --- > > libdwfl/open.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/libdwfl/open.c b/libdwfl/open.c > > index 43b29fa9..03e66dfa 100644 > > --- a/libdwfl/open.c > > +++ b/libdwfl/open.c > > @@ -153,6 +153,7 @@ libdw_open_elf (int *fdp, Elf **elfp, bool > > close_on_fail, bool archive_ok, > > elf->state.ar.offset = offset - sizeof (struct ar_hdr); > > Elf *subelf = elf_begin (-1, elf->cmd, elf); > > elf->kind = ELF_K_NONE; > > + elf->state.ar.elf_ar_hdr.ar_name = NULL; > > if (unlikely (subelf == NULL)) > > error = DWFL_E_LIBELF; > > else > > As far as I can see/test this fixes the 440144412 and 440209728 > ossfuzz cases.
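Review bot: the added line `elf->state.ar.elf_ar_hdr.ar_name = NULL;` needs a comment beside it saying why the field is reset: the "libdwfl is faking you out" name exists only for the `elf_begin (-1, elf->cmd, elf)` probe, and clearing it before any later `elf_end` keeps elf_end from trying to free the address of that string literal. Without the comment, the next reader of this block sees a field being nulled right after `elf->kind = ELF_K_NONE;` with no indication that it is what prevents the invalid free. The placement itself looks right: the reset comes after the elf_begin call that consumes the fake name and before both the `subelf == NULL` error path and the success path, so every route that eventually reaches elf_end sees NULL. Since the ossfuzz cases 440144412 and 440209728 are cited as reproducers, consider adding one of those inputs as a regression test so the testsuite, not only the fuzzer, catches a reintroduction of this free.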
Thanks Mark, pushed as commit df9bd6bdc33. Aaron
