Created attachment 16163: The fuzz_ndr_drsuapi input file

oss-fuzz finds a reproducible stack overflow in fuzz_ndr_drsuapi_TYPE_OUT, which I cannot reproduce locally.
Possibly the empty stacktrace meant it was overflowing the stack deep inside libc's free(), where ASAN dares not look. With:

    $ ulimit -s 68
    $ ASAN_OPTIONS="alloc_dealloc_mismatch=0:allocator_may_return_null=1:allocator_release_to_os_interval_ms=500:allow_user_segv_handler=0:check_malloc_usable_size=0:detect_odr_violation=0:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_segv=1:handle_sigbus=1:handle_sigfpe=1:print_summary=1:print_suppressions=0:strict_memcmp=1:use_sigaltstack=1:verbosity=2:detect_leaks=0" bin/fuzz_ndr_drsuapi_TYPE_OUT ~/Downloads/clusterfuzz-testcase-minimized-fuzz_ndr_drsuapi_TYPE_OUT-5752070688997376

I get a traceback that looks like:

    ==1713941==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe7bafef40 (pc 0x560571dbc8fa bp 0x7ffe7baff770 sp 0x7ffe7bafef40 T0)
        #0 0x560571dbc8fa in free (/home/douglasb/src/samba-fuzz/bin/default/librpc/idl/fuzz_ndr_drsuapi_TYPE_OUT+0x978fa)
        #1 0x7fbac44e2c38 in _tc_free_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1221:2
        #2 0x7fbac44dbff1 in _tc_free_children_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1668:7
        #3 0x7fbac44e299e in _tc_free_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1183:2
        #4 0x7fbac44dbff1 in _tc_free_children_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1668:7
        #5 0x7fbac44e299e in _tc_free_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1183:2
    [...]
        #245 0x7fbac44e299e in _tc_free_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1183:2
        #246 0x7fbac44dbff1 in _tc_free_children_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1668:7
        #247 0x7fbac44e299e in _tc_free_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1183:2
        #248 0x7fbac44dbff1 in _tc_free_children_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1668:7

    SUMMARY: AddressSanitizer: stack-overflow (/home/douglasb/src/samba-fuzz/bin/default/librpc/idl/fuzz_ndr_drsuapi_TYPE_OUT+0x978fa) in free
    ==1713941==ABORTING

That is, there is a talloc tree that is MORE than 248 levels deep (we don't see the end of it). Probably not too much more, because `ulimit -s 75` caused no trouble. Repeated runs around 68-70 alternate between the stack shown here, the <empty stack>, and no failure.
This is https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20419
Created attachment 16194: talloc report as ASCII art

Attaching the talloc report, which settles into this pattern:

    librpc/gen_ndr/ndr_drsuapi.c:9973 contains     16 bytes in   1 blocks (ref 0) 0x60b000000780
    librpc/gen_ndr/ndr_drsuapi.c:9967 contains   4112 bytes in 257 blocks (ref 0) 0x60b0000006d0
        librpc/gen_ndr/ndr_drsuapi.c:9973 contains     16 bytes in   1 blocks (ref 0) 0x60b0000008e0
        librpc/gen_ndr/ndr_drsuapi.c:9967 contains   4080 bytes in 255 blocks (ref 0) 0x60b000000830

which are both in ndr_pull_drsuapi_DsaAddressListItem_V1(). The 9967 is pulling the ->next.

    struct drsuapi_DsaAddressListItem_V1 {
        struct drsuapi_DsaAddressListItem_V1 *next;/* [max_recursion(1024),unique] */
        struct lsa_String *address;/* [unique] */
    };
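A constructed model of the nesting the talloc report shows, added here and not Samba's talloc or gen_ndr code: when each list item's ->next is allocated as a child of the item that points to it, a recursive free needs one stack frame per item, while allocating every item under the list head keeps the tree one level deep, and an iterative free needs no recursion at all. All struct and function names below are my own.

```c
/* Constructed model of a talloc-like allocator: freeing a block frees its subtree. */
#include <stdlib.h>
struct blk { struct blk *parent, *child, *sibling; };
/* Allocate a block under parent (NULL = top-level block). */
static struct blk *blk_new(struct blk *parent) {
    struct blk *b = calloc(1, sizeof *b);
    if (b && parent) { b->parent = parent; b->sibling = parent->child; parent->child = b; }
    return b;
}
/* Recursive free shaped like _tc_free_internal/_tc_free_children_internal:
 * one stack frame per nesting level. Returns the deepest level reached. */
static size_t blk_free_recursive(struct blk *b, size_t depth) {
    size_t max = depth;
    while (b->child) {
        struct blk *c = b->child;
        b->child = c->sibling;
        size_t d = blk_free_recursive(c, depth + 1);
        if (d > max) max = d;
    }
    free(b);
    return max;
}
/* Iterative free: descend to a leaf, free it, climb back to its parent.
 * Stack use is constant however deep the tree. Returns blocks freed. */
static size_t blk_free_iterative(struct blk *root) {
    size_t freed = 0;
    for (struct blk *b = root; b != NULL;) {
        if (b->child) { b = b->child; continue; }
        struct blk *p = b->parent;
        int was_root = (b == root);
        if (p) p->child = b->sibling;
        free(b); freed++;
        b = was_root ? NULL : p;
    }
    return freed;
}
/* n items pulled as the report shows: each ->next is a child of the item
 * pointing to it, so the talloc tree is as deep as the list is long. */
static struct blk *build_nested(size_t n) {
    struct blk *root = blk_new(NULL), *cur = root;
    for (size_t i = 0; i < n; i++) cur = blk_new(cur);
    return root;
}
/* Same list with every item allocated under the list head: depth stays 1. */
static struct blk *build_flat(size_t n) {
    struct blk *root = blk_new(NULL);
    for (size_t i = 0; i < n; i++) blk_new(root);
    return root;
}
```

With a 300-item list the recursive free of the nested tree reaches depth 300, which is the shape that exhausted the stack in the report; the flat tree and the iterative free both stay at constant stack depth.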