
OSS-Fuzz issue 48804 #526

Open
oss-fuzz-robot opened this issue Jul 6, 2022 · 3 comments

Comments

@oss-fuzz-robot

OSS-Fuzz has found a bug in this project. Please see https://oss-fuzz.com/testcase?key=5040003935240192 for details and reproducers.

This issue is mirrored from https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48804 and will auto-close if the status changes there.

If you have trouble accessing this report, please file an issue at https://github.com/google/oss-fuzz/issues/new.

@anakryiko
Member

+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-db50767c77a272a7498d065478cd569b3696cb8b
Time ran: 0.27378416061401367

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3469529618
INFO: Loaded 1 modules   (10358 inline 8-bit counters): 10358 [0x83ae7f0, 0x83b1066),
INFO: Loaded 1 PC tables (10358 PCs): 10358 [0x832335c,0x833770c),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-db50767c77a272a7498d065478cd569b3696cb8b
=================================================================
==781702==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x6aaff800,0xf2aff800) and [0x6df03980, 0xf5f03980) overlap
SCARINESS: 10 (memcpy-param-overlap)
	#0 0x818569c in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
	#1 0x8217b85 in bpf_object__init_prog libbpf/src/libbpf.c:777:2
	#2 0x8217b85 in bpf_object__add_programs libbpf/src/libbpf.c:850:9
	#3 0x81dbbcb in bpf_object__elf_collect libbpf/src/libbpf.c:3465:11
	#4 0x81dbbcb in bpf_object_open libbpf/src/libbpf.c:7276:16
	#5 0x81e0deb in bpf_object__open_mem libbpf/src/libbpf.c:7316:20
	#6 0x81c9b29 in LLVMFuzzerTestOneInput libbpf/fuzz/bpf-object-fuzzer.c:16:8
	#7 0x808a9ee in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
	#8 0x807594e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
	#9 0x807b550 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
	#10 0x80a5137 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
	#11 0xf7bb3ee4 in __libc_start_main
	#12 0x806ca95 in _start

0x6aaff800 is located 0 bytes inside of 2281701376-byte region [0x6aaff800,0xf2aff800)
allocated by thread T0 here:
	#0 0x818647f in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
	#1 0x8217b41 in bpf_object__init_prog libbpf/src/libbpf.c:774:16
	#2 0x8217b41 in bpf_object__add_programs libbpf/src/libbpf.c:850:9
	#3 0x81dbbcb in bpf_object__elf_collect libbpf/src/libbpf.c:3465:11
	#4 0x81dbbcb in bpf_object_open libbpf/src/libbpf.c:7276:16
	#5 0x81e0deb in bpf_object__open_mem libbpf/src/libbpf.c:7316:20
	#6 0x81c9b29 in LLVMFuzzerTestOneInput libbpf/fuzz/bpf-object-fuzzer.c:16:8
	#7 0x808a9ee in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
	#8 0x807594e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
	#9 0x807b550 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
	#10 0x80a5137 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
	#11 0xf7bb3ee4 in __libc_start_main

0x6df03980 is located 2067808640 bytes to the right of 2281701376-byte region [0x6aaff800,0xf2aff800)
allocated by thread T0 here:
	#0 0x818647f in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
	#1 0x8217b41 in bpf_object__init_prog libbpf/src/libbpf.c:774:16
	#2 0x8217b41 in bpf_object__add_programs libbpf/src/libbpf.c:850:9
	#3 0x81dbbcb in bpf_object__elf_collect libbpf/src/libbpf.c:3465:11
	#4 0x81dbbcb in bpf_object_open libbpf/src/libbpf.c:7276:16
	#5 0x81e0deb in bpf_object__open_mem libbpf/src/libbpf.c:7316:20
	#6 0x81c9b29 in LLVMFuzzerTestOneInput libbpf/fuzz/bpf-object-fuzzer.c:16:8
	#7 0x808a9ee in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
	#8 0x807594e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
	#9 0x807b550 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
	#10 0x80a5137 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
	#11 0xf7bb3ee4 in __libc_start_main

SUMMARY: AddressSanitizer: memcpy-param-overlap (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer+0x818569c)
==781702==ABORTING

@anakryiko added the fuzz-issue label and removed the bug label on Nov 15, 2022

@anakryiko
Member

@evverx I can't seem to reproduce this one on the latest libbpf, even though it's still marked as non-fixed. Would you be able to validate on your side?

@evverx
Contributor

evverx commented Aug 24, 2023

I can't seem to reproduce it on x86_64 either.

Looks like it can be reproduced in the "32-bit" OSS-Fuzz containers (where libbpf is compiled with -m32) so it seems it affects 32-bit builds only.
