Bug 13842 - Multiple bugs found in reg_parse by fuzzing
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.10.0rc4
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Jeremy Allison
QA Contact: Samba QA Contact
Duplicates: 13934

Reported: 2019-03-18 21:06 UTC by Andrew Bartlett
Modified: 2019-05-16 00:17 UTC

Attachments
git-am fix for master. (11.09 KB, patch) - 2019-05-07 19:33 UTC, Jeremy Allison - no flags
git-am fix for master. (16.62 KB, patch) - 2019-05-10 22:17 UTC, Jeremy Allison - no flags
Updated git-am fix. (20.24 KB, patch) - 2019-05-13 22:57 UTC, Jeremy Allison - no flags
v3 for master - now with iconv handle leak fix. (20.62 KB, patch) - 2019-05-15 00:18 UTC, Jeremy Allison - jra: review? (abartlet)

Description Andrew Bartlett 2019-03-18 21:06:38 UTC
Michael Hanselmann wrote:

In source3/registry/reg_parse* I've come across test cases which trigger
undesirable behaviour and where I'm not confident enough with the code base to
address them myself. I believe the responsible code can only be invoked via the
"net" command, but because I'm not sure I didn't want to file a public report.

Case 1: memmove with negative length

$ base64 -d >case186d811b29.dat <<'EOF'
UlJS8Q==
EOF

Yeah, that's four bytes. I believe this one to be caused by ilen being
decremented in handle_iconv_errno's inner loop. ASAN report:

Illegal multibyte sequence at line 1: RRR<f1>
=================================================================
==16924==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x557eac3af65f in __interceptor_memmove (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x4765f)
    #1 0x557eac473fbb in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:878:4
    #2 0x557eac46f8b8 in LLVMFuzzerTestOneInput /src/samba/bin/default/../../source3/utils/fuzz_reg_parse.c:52:8
    #3 0x557eac48cbbb in HonggfuzzMain (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x124bbb)
    #4 0x7fed1c6d009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #5 0x557eac395cb9 in _start (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x2dcb9)

Address 0x7ffc9d77b825 is located in stack of thread T0 at offset 69 in frame
    #0 0x557eac4739ff in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:819

  This frame has 9 object(s):
    [32, 40) 'cd' (line 822)
    [64, 1088) 'buf_raw' (line 824) <== Memory access at offset 69 is inside this variable
    [1216, 2241) 'buf_unix' (line 825)
    [2384, 2392) 'pos' (line 829)
    [2416, 2424) 'iptr' (line 830)
    [2448, 2456) 'optr' (line 831)
    [2480, 2488) 'ilen' (line 832)
    [2512, 2520) 'olen' (line 833)
    [2544, 2568) 'opt' (line 838)
[…]
SUMMARY: AddressSanitizer: negative-size-param (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x4765f) in __interceptor_memmove
==16924==ABORTING

Case 2: Endless loop

This one appears to be caused by attempts to fill up the buffer in reg_parse_fd
when the end of file has already been reached (read(2) returns 0). Samples:

Case 3: Buffer overflow when writing NUL byte

Write NUL byte past "buf_unix" in "reg_parse_fd" (just after "process_lines:"
comment):

ASAN report:

==18283==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffceabff7c1 at pc 0x55d169cec996 bp 0x7ffceabfeef0 sp 0x7ffceabfeee8
WRITE of size 1 at 0x7ffceabff7c1 thread T0
    #0 0x55d169cec995 in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:906:9
    #1 0x55d169ce78b8 in LLVMFuzzerTestOneInput /src/samba/bin/default/../../source3/utils/fuzz_reg_parse.c:52:8
    #2 0x55d169d04bbb in HonggfuzzMain (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x124bbb)
    #3 0x7f3a929da09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #4 0x55d169c0dcb9 in _start (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x2dcb9)

Address 0x7ffceabff7c1 is located in stack of thread T0 at offset 2241 in frame
    #0 0x55d169ceb9ff in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:819

  This frame has 9 object(s):
    [32, 40) 'cd' (line 822)
    [64, 1088) 'buf_raw' (line 824)
    [1216, 2241) 'buf_unix' (line 825) <== Memory access at offset 2241 overflows this variable
    [2384, 2392) 'pos' (line 829)
    [2416, 2424) 'iptr' (line 830)
    [2448, 2456) 'optr' (line 831)
    [2480, 2488) 'ilen' (line 832)
    [2512, 2520) 'olen' (line 833)
    [2544, 2568) 'opt' (line 838)
[…]
SUMMARY: AddressSanitizer: stack-buffer-overflow /src/samba/bin/default/../../source3/registry/reg_parse.c:906:9 in reg_parse_fd


Here's another buffer overflow:

ASAN report:

==19348==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd2d5b381 at pc 0x55872cb09816 bp 0x7ffdd2d5a950 sp 0x7ffdd2d5a0d8
READ of size 2 at 0x7ffdd2d5b381 thread T0
    #0 0x55872cb09815 in memcmp (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x48815)
    #1 0x7eff6e301fda in srprs_str /src/samba/bin/default/../../source3/lib/srprs.c:52:6
    #2 0x7eff6e302b6c in srprs_nl /src/samba/bin/default/../../source3/lib/srprs.c:158:6
    #3 0x55872cbcf4f5 in srprs_nl_no_eos /src/samba/bin/default/../../source3/registry/reg_parse.c:376:6
    #4 0x55872cbcd26f in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:909:37
    #5 0x55872cbc88b8 in LLVMFuzzerTestOneInput /src/samba/bin/default/../../source3/utils/fuzz_reg_parse.c:52:8
    #6 0x55872cbe5bbb in HonggfuzzMain (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x124bbb)
    #7 0x7eff6b30b09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #8 0x55872caeecb9 in _start (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x2dcb9)

Address 0x7ffdd2d5b381 is located in stack of thread T0 at offset 2241 in frame
    #0 0x55872cbcc9ff in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:819

  This frame has 9 object(s):
    [32, 40) 'cd' (line 822)
    [64, 1088) 'buf_raw' (line 824)
    [1216, 2241) 'buf_unix' (line 825) <== Memory access at offset 2241 overflows this variable
    [2384, 2392) 'pos' (line 829)
    [2416, 2424) 'iptr' (line 830)
    [2448, 2456) 'optr' (line 831)
    [2480, 2488) 'ilen' (line 832)
    [2512, 2520) 'olen' (line 833)
    [2544, 2568) 'opt' (line 838)
[…]
SUMMARY: AddressSanitizer: stack-buffer-overflow (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x48815) in memcmp
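A refill loop of the kind Case 1 and Case 2 describe, written as an added example rather than Samba's reg_parse_fd() code: read(2) returning 0 ends the loop instead of being retried, and the tail length handed to memmove is computed as size_t after an explicit check so a negative length can never reach it. struct rawbuf, refill(), refills_until_eof() and the sample bytes are assumptions made for this demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <string.h>
#include <unistd.h>
#define RAW_CAP 1024
struct rawbuf {
    char data[RAW_CAP];
    size_t used;       /* valid bytes in data[] */
    size_t consumed;   /* bytes the parser has already taken */
};

/* Shift the unconsumed tail to the front and read after it: bytes read, 0 = EOF, -1 = error. */
ssize_t refill(int fd, struct rawbuf *b)
{
    size_t tail;
    ssize_t n;
    if (b->consumed > b->used) {       /* would be a negative tail: refuse, never memmove */
        errno = EINVAL;
        return -1;
    }
    tail = b->used - b->consumed;      /* size_t, safe after the check above */
    if (tail > 0 && b->consumed > 0)
        memmove(b->data, b->data + b->consumed, tail);
    b->used = tail;
    b->consumed = 0;
    if (b->used == RAW_CAP) {          /* full and nothing consumed: a 0-byte read would look like EOF */
        errno = ENOBUFS;
        return -1;
    }
    do {
        n = read(fd, b->data + b->used, RAW_CAP - b->used);
    } while (n < 0 && errno == EINTR);
    if (n > 0)
        b->used += (size_t)n;
    return n;                          /* 0 means EOF: the caller must stop refilling */
}

/* Push constructed bytes through a pipe and count refill() calls until EOF is reported. */
int refills_until_eof(const char *sample, size_t len)
{
    int fds[2], calls = 0;
    ssize_t n;
    struct rawbuf b = { .used = 0, .consumed = 0 };
    if (pipe(fds) < 0 || write(fds[1], sample, len) != (ssize_t)len)
        return -1;
    close(fds[1]);
    do {
        n = refill(fds[0], &b);
        calls++;
        b.consumed = b.used;           /* pretend the parser took everything */
    } while (n > 0);
    close(fds[0]);
    return n < 0 ? -1 : calls;
}
```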
Comment 1 Andrew Bartlett 2019-03-21 23:29:11 UTC
Jeremy has promised to work out what do to here.
Comment 2 Jeremy Allison 2019-03-25 17:32:07 UTC
All this code is accessed via reg_parse_file(), which only accesses a local file inside:

net rpc registry import <file>

So I can't see a way to get at this remotely, only when reading local files. I don't think this is a CVE, but will prepare a patchset that (hopefully) fixes all the fuzzing errors.

Then we can make a final decision if this is CVE-worthy or not.

Jeremy.
Comment 3 Jeremy Allison 2019-03-27 19:37:04 UTC
FYI, still working on patches for this, got sidetracked with Google stuff. Still don't think this is a CVE (yet).
Comment 4 Jeremy Allison 2019-05-07 17:11:09 UTC
I finally have a rewrite of reg_parse_fd() that (hopefully) should fix these issues. Currently testing...
Comment 5 Andrew Bartlett 2019-05-07 19:05:08 UTC
Once this lands please look at MR 424 (function casts).
https://gitlab.com/samba-team/samba/merge_requests/424

CCing Noel so he doesn't land this in front and cause you a rebase nightmare
Comment 6 Jeremy Allison 2019-05-07 19:33:24 UTC
Created attachment 15128 [details]
git-am fix for master.

Fixes the fuzzer problems listed in the bug report.

Can someone else confirm this is good ? I'll look into testing now.
Comment 7 Andrew Bartlett 2019-05-10 00:54:40 UTC
(In reply to Andrew Bartlett from comment #5)
Thankfully I've confirmed this doesn't conflict.

I'm also removing the security embargo on this one, I can't see any way this can be plausibly exploited. It would need a user to attempt to import a malicious registry file, and that would be a bad idea anyway.
Comment 8 Jeremy Allison 2019-05-10 22:17:52 UTC
Created attachment 15142 [details]
git-am fix for master.

Full patch with test. Gone into CI now. I'll request a merge once it passes.
Comment 9 Jeremy Allison 2019-05-10 23:16:35 UTC
Comment on attachment 15128 [details]
git-am fix for master.

Passes CI. Made merge request on gitlab.
Comment 10 Jeremy Allison 2019-05-10 23:17:40 UTC
Comment on attachment 15142 [details]
git-am fix for master.

Bad, bloody web UI. Added review request on obsolete patch. This is the correct one :-).
Comment 11 hansmi 2019-05-11 17:34:08 UTC
Andrew, the following input also causes undesired behaviour after applying your patches:

ASAN report:
---
==30031==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe725177a1 at pc 0x557b6bfad816 bp 0x7ffe72516d60 sp 0x7ffe725164e8
READ of size 2 at 0x7ffe725177a1 thread T0
    #0 0x557b6bfad815 in memcmp (/src/samba/bin/default/source3/fuzz_reg_parse+0x61815)
    #1 0x7f496cb1d8ae in srprs_str /src/samba/bin/default/../../source3/lib/srprs.c:52:6
    #2 0x7f496cb1edfc in srprs_nl /src/samba/bin/default/../../source3/lib/srprs.c:158:6
    #3 0x557b6c0a3fa1 in srprs_nl_no_eos /src/samba/bin/default/../../source3/registry/reg_parse.c:395:6
    #4 0x557b6c0a131e in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:923:36
    #5 0x557b6c099696 in LLVMFuzzerTestOneInput /src/samba/bin/default/../../source3/registry/fuzz_reg_parse.c:52:8
    #6 0x557b6c0ad89b in HonggfuzzMain (/src/samba/bin/default/source3/fuzz_reg_parse+0x16189b)
    #7 0x7f496632509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #8 0x557b6bf92cb9 in _start (/src/samba/bin/default/source3/fuzz_reg_parse+0x46cb9)

Address 0x7ffe725177a1 is located in stack of thread T0 at offset 2241 in frame
    #0 0x557b6c0a0a9f in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:800

  This frame has 9 object(s):
    [32, 40) 'cd' (line 803)
    [64, 1088) 'buf_in' (line 805)
    [1216, 2241) 'buf_out' (line 806) <== Memory access at offset 2241 overflows this variable
    [2384, 2392) 'iptr' (line 808)
    [2416, 2424) 'optr' (line 809)
    [2448, 2456) 'ilen' (line 810)
    [2480, 2488) 'olen' (line 811)
    [2512, 2536) 'opt' (line 818)
    [2576, 2584) 'pos' (line 885)
---
Comment 12 Jeremy Allison 2019-05-11 17:47:20 UTC
Great thanks, obviously it's not right yet. I'll work on this some more. Keep pounding on the fixes until I get it done right :-).
Comment 13 hansmi 2019-05-12 10:37:18 UTC
Andrew, another issue:

ASAN report:
---
==4116==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000620 at pc 0x5639ec61e816 bp 0x7ffe6d103ec0 sp 0x7ffe6d103648
READ of size 6 at 0x611000000620 thread T0
    #0 0x5639ec61e815 in memcmp (/src/samba/bin/default/source3/fuzz_reg_parse+0x61815)
    #1 0x7f1715e6b8ae in srprs_str /src/samba/bin/default/../../source3/lib/srprs.c:52:6
    #2 0x5639ec710f0f in srprs_val_dword /src/samba/bin/default/../../source3/registry/reg_parse.c:366:7
    #3 0x5639ec70c261 in reg_parse_line /src/samba/bin/default/../../source3/registry/reg_parse.c:594:12
    #4 0x5639ec71233f in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:928:13
    #5 0x5639ec70a696 in LLVMFuzzerTestOneInput /src/samba/bin/default/../../source3/registry/fuzz_reg_parse.c:52:8
    #6 0x5639ec71e89b in HonggfuzzMain (/src/samba/bin/default/source3/fuzz_reg_parse+0x16189b)
    #7 0x7f170f67309a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #8 0x5639ec603cb9 in _start (/src/samba/bin/default/source3/fuzz_reg_parse+0x46cb9)

0x611000000620 is located 0 bytes to the right of 224-byte region [0x611000000540,0x611000000620)
allocated by thread T0 here:
    #0 0x5639ec6abf22 in realloc (/src/samba/bin/default/source3/fuzz_reg_parse+0xeef22)
    #1 0x7f1715d38611 in _talloc_realloc /src/samba/bin/default/../../lib/talloc/talloc.c:2036:13
    #2 0x7f1715b96164 in cbuf_resize /src/samba/bin/default/../../source3/lib/cbuf.c:137:11
    #3 0x7f1715b96b18 in cbuf_reserve /src/samba/bin/default/../../source3/lib/cbuf.c:151:3
    #4 0x7f1715b97382 in cbuf_putc /src/samba/bin/default/../../source3/lib/cbuf.c:185:8
    #5 0x7f1715e6bf6f in srprs_charsetinv /src/samba/bin/default/../../source3/lib/srprs.c:73:3
    #6 0x7f1715e6d005 in srprs_line /src/samba/bin/default/../../source3/lib/srprs.c:177:9
    #7 0x5639ec71238a in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:923:10
    #8 0x5639ec70a696 in LLVMFuzzerTestOneInput /src/samba/bin/default/../../source3/registry/fuzz_reg_parse.c:52:8
    #9 0x5639ec71e89b in HonggfuzzMain (/src/samba/bin/default/source3/fuzz_reg_parse+0x16189b)
---
Comment 14 Jeremy Allison 2019-05-13 17:50:29 UTC
(In reply to hansmi from comment #11)

Michael, how do you reproduce these ASAN errors ?

I'm using valgrind, and don't see any overflow, plus I've also tested replacing the stack based buffers with malloced ones, and still don't see any overflow errors once I've applied the patch I attached here:

https://bugzilla.samba.org/attachment.cgi?id=15142

You said: "Andrew, the following input also causes undesired behaviour after applying your patches"

*Which* patches are you referring to here ? I need to confirm you've applied my patch:

https://bugzilla.samba.org/attachment.cgi?id=15142

*not* the patch Andrew referred to in:

https://gitlab.com/samba-team/samba/merge_requests/424

That one is merely a cleanup patch.

Can you let me know so I can finish up this bug please ?

Thanks,

Jeremy.
Comment 15 Jeremy Allison 2019-05-13 20:32:54 UTC
Never mind - figured out how to reproduce. New patch incoming...
Comment 16 Jeremy Allison 2019-05-13 22:52:29 UTC
*** Bug 13934 has been marked as a duplicate of this bug. ***
Comment 17 Jeremy Allison 2019-05-13 22:57:40 UTC
Created attachment 15146 [details]
Updated git-am fix.

Here's the updated fix to address the additional ASAN issues Michael found.

The extra problem was srprs_str() wasn't checking that the memcmp it was doing was limited by the length of the test string *and also* the length of the input string. This should also fix the same bug reported as #13934.

With this I can't get any ASAN errors with any of Michael's test data.

Michael if you could confirm this I'd appreciate it.

Added additional test to check successful parse but failed upload.
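The length check comment 17 describes, as an added example and not Samba's srprs_str()/srprs_val_dword() code: a token matcher bounded only by the token length beside one also bounded by the bytes remaining in the input, and a REGEDIT4 dword parser built on the bounded one. struct cursor, match_token_unchecked(), match_token(), parse_dword() and the test bytes are assumptions made for this demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

struct cursor { const char *ptr; const char *end; };   /* input with an explicit end */

/* The shape described in comment 17: memcmp bounded only by the token length, so a
 * token longer than the remaining input is compared against whatever follows it. */
bool match_token_unchecked(const char **ptr, const char *tok)
{
    size_t len = strlen(tok);
    if (memcmp(*ptr, tok, len) != 0)
        return false;
    *ptr += len;
    return true;
}

/* Hardened form: bounded by the token length and by the bytes remaining in the input. */
bool match_token(struct cursor *c, const char *tok)
{
    size_t len = strlen(tok);
    if ((size_t)(c->end - c->ptr) < len || memcmp(c->ptr, tok, len) != 0)
        return false;
    c->ptr += len;
    return true;
}

/* REGEDIT4 dword value: "dword:" then exactly 8 hex digits, never reading past c->end. */
bool parse_dword(struct cursor *c, uint32_t *out)
{
    struct cursor save = *c;
    uint32_t v = 0;
    if (!match_token(c, "dword:") || (size_t)(c->end - c->ptr) < 8)
        goto fail;
    for (int i = 0; i < 8; i++) {
        char ch = c->ptr[i];
        int d = (ch >= '0' && ch <= '9') ? ch - '0'
              : (ch >= 'a' && ch <= 'f') ? ch - 'a' + 10
              : (ch >= 'A' && ch <= 'F') ? ch - 'A' + 10 : -1;
        if (d < 0)
            goto fail;
        v = (v << 4) | (uint32_t)d;
    }
    c->ptr += 8;
    *out = v;
    return true;
fail:
    *c = save;          /* on any failure leave the cursor where it started */
    return false;
}
```

The unchecked matcher is run on a literal that has bytes after the logical end, so its over-read stays inside the array and only the wrong verdict is observed.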
Comment 18 Jeremy Allison 2019-05-14 00:03:24 UTC
FYI. Gitlab CI passes with this patchset.
Comment 19 Jeremy Allison 2019-05-15 00:18:02 UTC
Created attachment 15148 [details]
v3 for master - now with iconv handle leak fix.

Updated with fix for leaking iconv handles based on comments from Michael.
Comment 20 Jeremy Allison 2019-05-15 23:44:15 UTC
Merged in master for 4.11. Is it worth back-porting ? It's not a security issue.
Comment 21 Andrew Bartlett 2019-05-16 00:17:36 UTC
I don't think it needs backports.