Michael Hanselmann wrote:

In source3/registry/reg_parse* I've come across test cases which trigger undesirable behaviour and where I'm not confident enough with the code base to address them myself. I believe the responsible code can only be invoked via the "net" command, but because I'm not sure I didn't want to file a public report.

Case 1: memmove with negative length

$ base64 -d >case186d811b29.dat <<'EOF'
UlJS8Q==
EOF

Yeah, that's four bytes. I believe this one to be caused by ilen being decremented in handle_iconv_errno's inner loop.

ASAN report:

Illegal multibyte sequence at line 1: RRR<f1>
=================================================================
==16924==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x557eac3af65f in __interceptor_memmove (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x4765f)
    #1 0x557eac473fbb in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:878:4
    #2 0x557eac46f8b8 in LLVMFuzzerTestOneInput /src/samba/bin/default/../../source3/utils/fuzz_reg_parse.c:52:8
    #3 0x557eac48cbbb in HonggfuzzMain (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x124bbb)
    #4 0x7fed1c6d009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #5 0x557eac395cb9 in _start (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x2dcb9)

Address 0x7ffc9d77b825 is located in stack of thread T0 at offset 69 in frame
    #0 0x557eac4739ff in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:819

  This frame has 9 object(s):
    [32, 40) 'cd' (line 822)
    [64, 1088) 'buf_raw' (line 824) <== Memory access at offset 69 is inside this variable
    [1216, 2241) 'buf_unix' (line 825)
    [2384, 2392) 'pos' (line 829)
    [2416, 2424) 'iptr' (line 830)
    [2448, 2456) 'optr' (line 831)
    [2480, 2488) 'ilen' (line 832)
    [2512, 2520) 'olen' (line 833)
    [2544, 2568) 'opt' (line 838)
[…]
SUMMARY: AddressSanitizer: negative-size-param (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x4765f) in __interceptor_memmove
==16924==ABORTING

Case 2: Endless loop

This one appears to be caused by attempts to fill up the buffer in reg_parse_fd when the end of file has already been reached (read(2) returns 0).

Samples:

$ base64 -d <<'EOF' | gunzip -c > case3b45ccc3b.dat
H4sIAODLjlwCA/v/L5whkyGPIYUhn6GcoZhBgSGIIZUhHShWzFDCUMRQCRRxBcpmAnn5QL4CQxhQ
vggomwnk5wH5pgx6DAZAyMvABcbRDB4M3kA9kQzxDD4M/gzODI5AOp7BF0g7A+U8GfyAsjEMwUAV
wQwhQLYvkOfMUPqRUvDw4yAHnz6OgsELgGlYh8EYCHXA6RnENmLIgbJNGZLh4jEMvEWRee8eXl8u
//f8N9vK5cVVXP9v2rB+/qYw+3xko5Su8jSiLZ0zwJ4GAO4s/cYABAAA
EOF

$ base64 -d <<'EOF' | gunzip -c > case177d635903.dat
H4sIAJ/NjlwCA/v/L5whkyGPIYUhn6GcoZhBgSGIIZUhHShWzFDCUMRQCRRxBcpmAnn5QL4CQxhQ
vggomwnk5wH5pgx6DAZAyMvABcbRDB4M3kA9kQzxDD4M/gzODI5AOp7BF0g7A+U8GfyAsjEMwUAV
wQwhQLYvQ8xCnCB2cePh5mSXlEsmrAs83+Qcf3x33aazEfXb71cn7sjk501dq71CYGOk4s7/O7wN
ZQ/2z2iu/zfxb6heUat0zcXfsyc9fH9S2PNgKL/MYQtTkeMv+L71P9AL/RarGDPB+eD2jj09flv5
Eq++C9YJ+tURoKV0Y0n09tNrNq1aECTZ1nSFec2s0KVai6x7V9ZM+Lzl4MU9sjP2lds7dhny3L2f
/f0MW3XynxdbNhc9VfnnGDBfRHaBbuyPqvl+757yTN9pG8hXVnpOVcg9pe7lg68Wa0LfBa09J7L3
7iW1ly9buXLEX/x8oFKVuHSjwH3bc9d4t33bw7i+3niahFjG5ozV17VV+jjnlT8qen19p/8JseXL
5ogwL+vbkFVbfy3htuutYxNyxLhiHaorLc+8uLft13Lt+LY8labvkqLbNAJtT2wNDjDwiYxa4/Jl
3fRrTE6r3USvNrcGWuqpKT3++IDRknOtE/vBg08k/m0vzvi9UjjactKkhaNg5AIGAHKlXeAABAAA
EOF

Case 3: Buffer overflow when writing NUL byte

Write NUL byte past "buf_unix" in "reg_parse_fd" (just after "process_lines:" comment):

$ base64 -d <<'EOF' | gunzip -c > casecbe8c2427.dat
H4sIALjPjlwCA2NwZfBliGFwZihlKALCVIY8hhIgLx9MFwHpHIZgoGgJUA2ILmIoY8hkSAayioEi
OQyJQHW5YLIcqLaIIRsoXgLklwBVgcyIYSgA8oqAOBdsCsiEYoZYBl4GLgYlsG2JDElAc1KB6kCm
ZYLtTWWoAJIgncVACDE5BajeFkjCeFYMBijQEIuZxUCcDPZZJkNJ3f7yK45/V3S8epR2I14uf+4W
ee+dz0RXshv4SHxzff2XJYbx0pWaEs+ul5XKF9hlFIu4RG73Lf3rOXHW3NxpuvVnE9Xk7zxv2p3I
tlLtWjY/i1HIGhdpLy/Gub9nH5jLd/rqdYfv2uumzgq7PIldPY3Labru/65Q/nLJh1oBk/0tT2v2
eUdbzFg0NfPmamFH421aJxMPhnr7X+y0iRdSX+ex+IJ0Yaf0ahV5440Wj7cbK/jkbSjcNdvpR+WN
/5Knnn8PjvvD9O/Ws4pXUqG3lbdFrf1846zzcTOFW8yhB3QNZRP6TjOsu1rDvIaHZVfMyYd1Mhev
ik/a5m36Y85+y63pPmtXb8nOU5Zd0qK0yVJK8a27WqKHSOKaS7wpwULu1TsM94bVGD3xviR0u1Il
rFHoxeUrm2+6Ke4x2SGitD912ZGfLcmG0xiyIn+bmx0+s+dbXuT8xfl+CgL168yNzYxCgsviz/46
b7746Wnh8zXZHDof6/yDyxdf31JkzN5YVP4kf/vkvrS1ioauYemc3RIt7znZQvpOy7XO8VU5+KeP
VXKPXrzr+nMv/v5wkpA7v2TukgqHZ4e6i+Zsjfny6vHdg7+mLFjg/th4m55ppH75HYcLjEa/U4/w
SeXMTuVXablo/fmJnlPA6T12usz8nBGVKbVzTNqrTJ6d/+Y0y2bGc5MlzgnymUVq/9/PyZ2QxZvR
4WyR850zd32X5ncJRd/y7VNCd746G/jTTFLTJfHx86dVtlkL02zeCJeYsmkdrXVhtpl7Y5OOyJcD
DJXA9JPJkA5MT8YMOuA0psNgBExRMLYZgwkSOxnM1kdiG6CQkNTpD0zXGeBc4AJMx7nQFF8MTttA
8f8VDBoM5gya4NRNtgN0zczNjM1MDCwMLcwMTCwtLYxNjLE4wK5pwpebAAJ05DUABAAA
EOF

ASAN report:

==18283==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffceabff7c1 at pc 0x55d169cec996 bp 0x7ffceabfeef0 sp 0x7ffceabfeee8
WRITE of size 1 at 0x7ffceabff7c1 thread T0
    #0 0x55d169cec995 in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:906:9
    #1 0x55d169ce78b8 in LLVMFuzzerTestOneInput /src/samba/bin/default/../../source3/utils/fuzz_reg_parse.c:52:8
    #2 0x55d169d04bbb in HonggfuzzMain (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x124bbb)
    #3 0x7f3a929da09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #4 0x55d169c0dcb9 in _start (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x2dcb9)

Address 0x7ffceabff7c1 is located in stack of thread T0 at offset 2241 in frame
    #0 0x55d169ceb9ff in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:819

  This frame has 9 object(s):
    [32, 40) 'cd' (line 822)
    [64, 1088) 'buf_raw' (line 824)
    [1216, 2241) 'buf_unix' (line 825) <== Memory access at offset 2241 overflows this variable
    [2384, 2392) 'pos' (line 829)
    [2416, 2424) 'iptr' (line 830)
    [2448, 2456) 'optr' (line 831)
    [2480, 2488) 'ilen' (line 832)
    [2512, 2520) 'olen' (line 833)
    [2544, 2568) 'opt' (line 838)
[…]
SUMMARY: AddressSanitizer: stack-buffer-overflow /src/samba/bin/default/../../source3/registry/reg_parse.c:906:9 in reg_parse_fd

Here's another buffer overflow:

$ base64 -d <<'EOF' | gunzip -c > case1970cabefb.dat
H4sIALzRjlwCA8VSTUsDMRC9768o+QGiID0IHpYYbel+sRssxSwl7E5rYDcpk6zFf28W1oNQbY0H
c0rezHuTNzMle2IPS34bRS+LFdtsk5zGyTaN6WKZsfokKqr8ka/j8lxYpKpBY83OXZwo1kq35mhn
GQ/hCDoggnbPgFYZXUfkK0DuyfzqhnyjvKk4S+ufgp/61GiHpqvA/TJdTNdAmijQtEPj8oPzbqz3
NwH8/QDeXCJ1L3XGSbC80qGWBAfslZbdrAJ8A6z/scvjD1QDNpQnMnCd2Y8b9EcBUUiUPTi/f35a
JewGC4W09miwpa9S7/3Y2vFxdz2d0IpxB+jOtP0E/wPkGVYBAAQAAA==
EOF

ASAN report:

==19348==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd2d5b381 at pc 0x55872cb09816 bp 0x7ffdd2d5a950 sp 0x7ffdd2d5a0d8
READ of size 2 at 0x7ffdd2d5b381 thread T0
    #0 0x55872cb09815 in memcmp (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x48815)
    #1 0x7eff6e301fda in srprs_str /src/samba/bin/default/../../source3/lib/srprs.c:52:6
    #2 0x7eff6e302b6c in srprs_nl /src/samba/bin/default/../../source3/lib/srprs.c:158:6
    #3 0x55872cbcf4f5 in srprs_nl_no_eos /src/samba/bin/default/../../source3/registry/reg_parse.c:376:6
    #4 0x55872cbcd26f in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:909:37
    #5 0x55872cbc88b8 in LLVMFuzzerTestOneInput /src/samba/bin/default/../../source3/utils/fuzz_reg_parse.c:52:8
    #6 0x55872cbe5bbb in HonggfuzzMain (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x124bbb)
    #7 0x7eff6b30b09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #8 0x55872caeecb9 in _start (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x2dcb9)

Address 0x7ffdd2d5b381 is located in stack of thread T0 at offset 2241 in frame
    #0 0x55872cbcc9ff in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:819

  This frame has 9 object(s):
    [32, 40) 'cd' (line 822)
    [64, 1088) 'buf_raw' (line 824)
    [1216, 2241) 'buf_unix' (line 825) <== Memory access at offset 2241 overflows this variable
    [2384, 2392) 'pos' (line 829)
    [2416, 2424) 'iptr' (line 830)
    [2448, 2456) 'optr' (line 831)
    [2480, 2488) 'ilen' (line 832)
    [2512, 2520) 'olen' (line 833)
    [2544, 2568) 'opt' (line 838)
[…]
SUMMARY: AddressSanitizer: stack-buffer-overflow (/src/samba/bin/default/source3/utils/fuzz_reg_parse+0x48815) in memcmp
Jeremy has promised to work out what to do here.
All this code is accessed via reg_parse_file(), which only accesses a local file inside:

    net rpc registry import <file>

So I can't see a way to get at this remotely, only when reading local files. I don't think this is a CVE, but will prepare a patchset that (hopefully) fixes all the fuzzing errors. Then we can make a final decision if this is CVE-worthy or not.

Jeremy.
FYI, still working on patches for this, got sidetracked with Google stuff. Still don't think this is a CVE (yet).
I finally have a rewrite of reg_parse_fd() the (hopefully) should fix these issues. Currently testing...
Once this lands please look at MR 424 (function casts). https://gitlab.com/samba-team/samba/merge_requests/424 CCing Noel so he doesn't land this in front and cause you a rebase nightmare
Created attachment 15128 [details] git-am fix for master. Fixes the fuzzer problems listed in the bug report. Can someone else confirm this is good ? I'll look into testing now.
(In reply to Andrew Bartlett from comment #5)

Thankfully I've confirmed this doesn't conflict. I'm also removing the security embargo on this one, I can't see any way this can be plausibly exploited. It would need a user to attempt to import a malicious registry file, and that would be a bad idea anyway.
Created attachment 15142 [details] git-am fix for master. Full patch with test. Gone into CI now. I'll request a merge once it passes.
Comment on attachment 15128 [details] git-am fix for master. Passes CI. Made merge request on gitlab.
Comment on attachment 15142 [details] git-am fix for master. Bad, bloody web UI. Added review request on obsolete patch. This is the correct one :-).
Andrew, the following input also causes undesired behaviour after applying your patches:

---
UkVHRURJVDQKCltIS0VZX0xPQ0FMX01BQ0hJTkVdCgpbSEtFWV9MT0NBTF9NQUNISU5FXFNPRlRX
QVJFXQoKW0hLRVlfTE9DQUxfTUFDSElORVxTT0ZUV0FSRVxNaWNyb3NvZnRdCgpbSEtFWV9MT0NB
TF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXQoKW0hLRVlfTE9DQUxfTUFD
SElORVxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93cyBOVFxDdXJyZW50VmVyc2lvbl0KIkN1cnJl
bnRWZXJzaW9uIj0iNi4xIgoKW0hLRVlfTE9DQUxfTUFDSElORVxTWVNURU1dCgpbSEtFWV9MT0NB
TF9NQUNISU5FXFNZU1RFTVxDdXJyZW50Q29udHJvbFNldF0KCltIS0VZX0xPQ0FMX01BQ0hJTkVc
U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XENvbnRyb2xdCgpbSEtFWV9MT0NBTF9NQUNISU5FXFNZ
U1RFTVxDdXJyZW50Q29udHJvbFNldFxDb250cm9sXFByb2R1Y3RPcHRpb25zXQoiUHJvZHVjdFR5
cGUiPSJMYW5tYW5OVCIKCltIS0VZX0xPQ0FMX01BQ0hJTkVcU1lTVEVNXEN1cnJlbnRDb250cm9s
U2V0XENvbnRyb2xcUHJpbnRdCgpbSEtFWV9MT0NBTF9NQUNISU5FXFNZU1RFTVxDdXJyZW50Q29u
dHJvbFNldFxDb250cm9sXFRlcm1pbmFsIFNlcnZlcl0KCltIS0VZX0xPQ0FMX01BQ0hJTkVcU1lT
VEVNXQoKW0hLRVlfTE9DQUxfTUFDSElORVxTWVNURU1cQ3VycmVudENvbnRyb2xTZXRdCgpbSEtF
WV9MT0NBTF9NQUNISU5FXFNZU1RFTVxDdXJyZW50Q29udHJvbFNldFxTZXJ2aWNlc10KCltIS0VZ
X0xPQ0FMX01BQ0hJTkVcU1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXE5ldGxvZ29u
XQoKW0hLRVlfTE9DQUxfTUFDSElORVxTWVNURU1cQ3VycmVudENvbnRyb2xTZXRcU2VydmljZXNc
TmV0bG9nb25cUGFyYW1ldGVyc10KIlJlZnVzZVBhc3N3b3JkQ2hhbmdlIj1kd29yZDowMDAwMDAw
MAoKW0hLRVlfTE9DQUxfTUFDSElORVxTWVNURU1cQ3VycmVudENvbnRyb2xTZXRcU2VydmljZXNc
QWxlcnRlcl0KCltIS0VZX0xPQ0FMX01BQ0hJTkVcU1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XA==
---

ASAN report:

---
==30031==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe725177a1 at pc 0x557b6bfad816 bp 0x7ffe72516d60 sp 0x7ffe725164e8
READ of size 2 at 0x7ffe725177a1 thread T0
    #0 0x557b6bfad815 in memcmp (/src/samba/bin/default/source3/fuzz_reg_parse+0x61815)
    #1 0x7f496cb1d8ae in srprs_str /src/samba/bin/default/../../source3/lib/srprs.c:52:6
    #2 0x7f496cb1edfc in srprs_nl /src/samba/bin/default/../../source3/lib/srprs.c:158:6
    #3 0x557b6c0a3fa1 in srprs_nl_no_eos /src/samba/bin/default/../../source3/registry/reg_parse.c:395:6
    #4 0x557b6c0a131e in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:923:36
    #5 0x557b6c099696 in LLVMFuzzerTestOneInput /src/samba/bin/default/../../source3/registry/fuzz_reg_parse.c:52:8
    #6 0x557b6c0ad89b in HonggfuzzMain (/src/samba/bin/default/source3/fuzz_reg_parse+0x16189b)
    #7 0x7f496632509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #8 0x557b6bf92cb9 in _start (/src/samba/bin/default/source3/fuzz_reg_parse+0x46cb9)

Address 0x7ffe725177a1 is located in stack of thread T0 at offset 2241 in frame
    #0 0x557b6c0a0a9f in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:800

  This frame has 9 object(s):
    [32, 40) 'cd' (line 803)
    [64, 1088) 'buf_in' (line 805)
    [1216, 2241) 'buf_out' (line 806) <== Memory access at offset 2241 overflows this variable
    [2384, 2392) 'iptr' (line 808)
    [2416, 2424) 'optr' (line 809)
    [2448, 2456) 'ilen' (line 810)
    [2480, 2488) 'olen' (line 811)
    [2512, 2536) 'opt' (line 818)
    [2576, 2584) 'pos' (line 885)
---
Great thanks, obviously it's not right yet. I'll work on this some more. Keep pounding on the fixes until I get it done right :-).
Andrew, another issue:

---
Uk1HRURJVDQKCltIS0VZX0xPQ0FDSFlORVxTT0ZUV0FSRV0KCltIS0VZX0xPQ0FMX01BQ0hJTkVc
U09GVFdBUkVcTWljcm9zb2Z0XQoKW0hLRVlfTE9DQUxfTUFDSElORVxTT0ZUV0FSRVxNaWNyb3Nv
ZnRcV2luZG93cyBOVF0KCltIS0VZX0xPQ0FMX01BQ0hJTkVcU09GVFdBUkVcTWljcm9zb2Z0XFdp
bmRvd3MgTlRcQ3VycmVudFZlMnNpb25dCiJDdXJyZW50VmVyc2lvbiI9CwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsL
CwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwoKCgoKCgoKCgoKCgoKCgoKCgoK
CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK
CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK
CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK
CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK
CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKGgoKCgoK
CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK
CgoKCgoKCgoKCgoKCgoKKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgo
KCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKAoKCgoK
CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK
CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK
CgoKDgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK
CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCiEK
CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK
CgoKMSMKZVtIS0VZX0whISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEh
ISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISFlISEhISEhISEhISEhISEhISEh
ISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhIXRWZXJzaW9uIj0iNi4xIwplW0hLRVlfTCEh
ISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEh
ISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhIWUhISEhISEhISEhISEhISEh
ISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEh
ISEhISEhISEhIXRPISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEh
ISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhZSEh
ISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISF0VmVyc2lvbiI9
IjYuMSMKZVtIS0VZX0whISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEh
ISEhISEhCiEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISFl
ISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEh
ISEhnMG1Gtdh7+URwOPzqTKc5achT8SeM+A6t3knWnWxS9ugoOP0kxKUcBTkO3m3R6SXBGfMufq5
zmv9PkTAt0vpkfT+ZjLN7CE4ISEhISEhIQ==
---

ASAN report:

---
==4116==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000620 at pc 0x5639ec61e816 bp 0x7ffe6d103ec0 sp 0x7ffe6d103648
READ of size 6 at 0x611000000620 thread T0
    #0 0x5639ec61e815 in memcmp (/src/samba/bin/default/source3/fuzz_reg_parse+0x61815)
    #1 0x7f1715e6b8ae in srprs_str /src/samba/bin/default/../../source3/lib/srprs.c:52:6
    #2 0x5639ec710f0f in srprs_val_dword /src/samba/bin/default/../../source3/registry/reg_parse.c:366:7
    #3 0x5639ec70c261 in reg_parse_line /src/samba/bin/default/../../source3/registry/reg_parse.c:594:12
    #4 0x5639ec71233f in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:928:13
    #5 0x5639ec70a696 in LLVMFuzzerTestOneInput /src/samba/bin/default/../../source3/registry/fuzz_reg_parse.c:52:8
    #6 0x5639ec71e89b in HonggfuzzMain (/src/samba/bin/default/source3/fuzz_reg_parse+0x16189b)
    #7 0x7f170f67309a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #8 0x5639ec603cb9 in _start (/src/samba/bin/default/source3/fuzz_reg_parse+0x46cb9)

0x611000000620 is located 0 bytes to the right of 224-byte region [0x611000000540,0x611000000620)
allocated by thread T0 here:
    #0 0x5639ec6abf22 in realloc (/src/samba/bin/default/source3/fuzz_reg_parse+0xeef22)
    #1 0x7f1715d38611 in _talloc_realloc /src/samba/bin/default/../../lib/talloc/talloc.c:2036:13
    #2 0x7f1715b96164 in cbuf_resize /src/samba/bin/default/../../source3/lib/cbuf.c:137:11
    #3 0x7f1715b96b18 in cbuf_reserve /src/samba/bin/default/../../source3/lib/cbuf.c:151:3
    #4 0x7f1715b97382 in cbuf_putc /src/samba/bin/default/../../source3/lib/cbuf.c:185:8
    #5 0x7f1715e6bf6f in srprs_charsetinv /src/samba/bin/default/../../source3/lib/srprs.c:73:3
    #6 0x7f1715e6d005 in srprs_line /src/samba/bin/default/../../source3/lib/srprs.c:177:9
    #7 0x5639ec71238a in reg_parse_fd /src/samba/bin/default/../../source3/registry/reg_parse.c:923:10
    #8 0x5639ec70a696 in LLVMFuzzerTestOneInput /src/samba/bin/default/../../source3/registry/fuzz_reg_parse.c:52:8
    #9 0x5639ec71e89b in HonggfuzzMain (/src/samba/bin/default/source3/fuzz_reg_parse+0x16189b)
---
(In reply to hansmi from comment #11)

Michael, how do you reproduce these ASAN errors ? I'm using valgrind, and don't see any overflow, plus I've also tested replacing the stack based buffers with malloced ones, and still don't see any overflow errors once I've applied the patch I attached here:

https://bugzilla.samba.org/attachment.cgi?id=15142

You said:

"Andrew, the following input also causes undesired behaviour after applying your patches"

*Which* patches are you referring to here ? I need to confirm you've applied my patch:

https://bugzilla.samba.org/attachment.cgi?id=15142

*not* the patch Andrew referred to in:

https://gitlab.com/samba-team/samba/merge_requests/424

That one is merely a cleanup patch. Can you let me know so I can finish up this bug please ?

Thanks,
Jeremy.
Never mind - figured out how to reproduce. New patch incoming...
*** Bug 13934 has been marked as a duplicate of this bug. ***
Created attachment 15146 [details] Updated git-am fix. Here's the updated fix to address the additional ASAN issues Michael found. The extra problem was srprs_str() wasn't checking that the memcmp it was doing was limited by the length of the test string *and also* the length of the input string. This should also fix the same bug reported as #13934. With this I can't get any ASAN errors with any of Michael's test data. Michael if you could confirm this I'd appreciate it. Added additional test to check successful parse but failed upload.
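Editor's added example (not Samba code, and not from any attachment in this bug): the two checks the thread converges on, written from scratch in C with invented names and signatures. prefix_match() is a memcmp-based matcher in the spirit of srprs_str(), but bounded by both the pattern length and the bytes remaining in the input, which is the defect described in the comment above (the "dword:" over-read in the case-2 heap report). refill() is a read(2) loop that treats a 0 return as EOF rather than retrying to fill the buffer, the cause Michael proposed for the endless loop in his first report. The "CurrentVersion" line in main() is a constructed input, not a reproducer from the bug.

```c
/* Added example, not Samba code. Names and signatures are my own. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Try to match the NUL-terminated pattern at *pos without ever reading
 * past end. Returns true and advances *pos on a match.
 *
 * The length check must come BEFORE memcmp(): the unbounded form
 * memcmp(*pos, pat, strlen(pat)) reads strlen(pat) bytes even when fewer
 * remain in the input, which is exactly the over-read ASAN flags.
 */
bool prefix_match(const char **pos, const char *end, const char *pat)
{
	size_t plen = strlen(pat);

	if (*pos > end || (size_t)(end - *pos) < plen) {
		return false;	/* input too short: fail, do not over-read */
	}
	if (memcmp(*pos, pat, plen) != 0) {
		return false;
	}
	*pos += plen;
	return true;
}

/*
 * Append data from fd into buf[*len..cap). Returns 1 when the buffer is
 * full, 0 on EOF (read(2) returned 0) and -1 on error.
 *
 * A loop that keeps calling read() "until the buffer is full" never
 * terminates once the file ends, because read() keeps returning 0 with no
 * progress; the n == 0 branch is what breaks that loop.
 */
int refill(int fd, char *buf, size_t *len, size_t cap)
{
	while (*len < cap) {
		ssize_t n = read(fd, buf + *len, cap - *len);

		if (n < 0) {
			if (errno == EINTR) {
				continue;
			}
			return -1;
		}
		if (n == 0) {
			return 0;	/* EOF: stop here, never retry */
		}
		*len += (size_t)n;
	}
	return 1;
}

/* Constructed input: a value line cut off right after the '=' (assumption). */
static const char sample[] = "\"CurrentVersion\"=dw";

int main(void)
{
	const char *p = sample + strlen("\"CurrentVersion\"=");
	const char *end = sample + sizeof(sample) - 1;
	int fds[2];
	char buf[64];
	size_t len = 0;

	/* Only 2 bytes remain, so "dword:" must not match and must not be read. */
	printf("dword: matched=%d (%zu bytes left)\n",
	       prefix_match(&p, end, "dword:"), (size_t)(end - p));

	/* Feed 3 bytes through a pipe, then hit EOF: refill() returns 0, not 1. */
	if (pipe(fds) != 0 || write(fds[1], "abc", 3) != 3) {
		return 1;
	}
	close(fds[1]);
	printf("refill rc=%d len=%zu\n", refill(fds[0], buf, &len, sizeof(buf)), len);
	close(fds[0]);
	return 0;
}
```

The point of the ordering in prefix_match() is that the bound is taken from the input, not from the pattern; a caller holding a short heap buffer (as cbuf does in the report above) is protected regardless of what pattern is passed in.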
FYI. Gitlab CI passes with this patchset.
Created attachment 15148 [details] v3 for master - now with iconv handle leak fix. Updated with fix for leaking iconv handles based on comments from Michael.
Merged in master for 4.11. Is it worth back-porting ? It's not a security issue.
I don't think it needs backports.