Bug 14455 - fuzz_ndr_drsuapi_TYPE_OUT: Stack-overflow with empty stacktrace
Summary: fuzz_ndr_drsuapi_TYPE_OUT: Stack-overflow with empty stacktrace
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL: https://bugs.chromium.org/p/oss-fuzz/...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-04 22:27 UTC by Douglas Bagnall
Modified: 2020-09-02 12:01 UTC (History)

See Also:


Attachments
The fuzz_ndr_drsuapi input file (384.19 KB, application/octet-stream)
2020-08-04 22:27 UTC, Douglas Bagnall
talloc report as ASCII art. (94.62 KB, text/plain)
2020-09-02 12:01 UTC, Douglas Bagnall

Description Douglas Bagnall 2020-08-04 22:27:48 UTC
Created attachment 16163 [details]
The fuzz_ndr_drsuapi input file

oss-fuzz finds a reproducible stack overflow in fuzz_ndr_drsuapi_TYPE_OUT, which I cannot reproduce locally.
Comment 1 Douglas Bagnall 2020-09-02 11:08:31 UTC
Possibly the empty stacktrace meant it was overflowing the stack deep inside libc's free(), where ASAN dares not look. 

With:

$ ulimit -s 68
$ ASAN_OPTIONS="alloc_dealloc_mismatch=0:allocator_may_return_null=1:allocator_release_to_os_interval_ms=500:allow_user_segv_handler=0:check_malloc_usable_size=0:detect_odr_violation=0:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_segv=1:handle_sigbus=1:handle_sigfpe=1:print_summary=1:print_suppressions=0:strict_memcmp=1:use_sigaltstack=1:verbosity=2:detect_leaks=0"  bin/fuzz_ndr_drsuapi_TYPE_OUT ~/Downloads/clusterfuzz-testcase-minimized-fuzz_ndr_drsuapi_TYPE_OUT-5752070688997376 

I get a traceback that looks like:

==1713941==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe7bafef40 (pc 0x560571dbc8fa bp 0x7ffe7baff770 sp 0x7ffe7bafef40 T0)
    #0 0x560571dbc8fa in free (/home/douglasb/src/samba-fuzz/bin/default/librpc/idl/fuzz_ndr_drsuapi_TYPE_OUT+0x978fa)
    #1 0x7fbac44e2c38 in _tc_free_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1221:2
    #2 0x7fbac44dbff1 in _tc_free_children_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1668:7
    #3 0x7fbac44e299e in _tc_free_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1183:2
    #4 0x7fbac44dbff1 in _tc_free_children_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1668:7
    #5 0x7fbac44e299e in _tc_free_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1183:2


[...]

    #245 0x7fbac44e299e in _tc_free_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1183:2
    #246 0x7fbac44dbff1 in _tc_free_children_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1668:7
    #247 0x7fbac44e299e in _tc_free_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1183:2
    #248 0x7fbac44dbff1 in _tc_free_children_internal /home/douglasb/src/samba-fuzz/bin/default/../../lib/talloc/talloc.c:1668:7

SUMMARY: AddressSanitizer: stack-overflow (/home/douglasb/src/samba-fuzz/bin/default/librpc/idl/fuzz_ndr_drsuapi_TYPE_OUT+0x978fa) in free
==1713941==ABORTING



That is, there is a talloc tree that is MORE than 248 levels deep (we don't see the end of it). Probably not too much more, because `ulimit -s 75` caused no trouble. Repeated runs around 68-70 alternate between the stack shown here, the <empty stack>, and no failure.
Comment 2 Douglas Bagnall 2020-09-02 11:09:05 UTC
This is https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20419
Comment 3 Douglas Bagnall 2020-09-02 12:01:17 UTC
Created attachment 16194 [details]
talloc report as ASCII art.

Attaching the talloc report, which settles into this pattern:

                    librpc/gen_ndr/ndr_drsuapi.c:9973 contains     16 bytes in   1 blocks (ref 0) 0x60b000000780
                    librpc/gen_ndr/ndr_drsuapi.c:9967 contains   4112 bytes in 257 blocks (ref 0) 0x60b0000006d0
                        librpc/gen_ndr/ndr_drsuapi.c:9973 contains     16 bytes in   1 blocks (ref 0) 0x60b0000008e0
                        librpc/gen_ndr/ndr_drsuapi.c:9967 contains   4080 bytes in 255 blocks (ref 0) 0x60b000000830

which are both in ndr_pull_drsuapi_DsaAddressListItem_V1(). The 9967 is pulling the ->next.

struct drsuapi_DsaAddressListItem_V1 {
	struct drsuapi_DsaAddressListItem_V1 *next;/* [max_recursion(1024),unique] */
	struct lsa_String *address;/* [unique] */
};
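The two comments above describe a talloc tree that nests one level deeper for every list item pulled (the report lines for ndr_drsuapi.c:9967 sit inside each other), and a teardown that recurses once per level until the stack runs out. The following is an added illustration, not Samba, talloc or the reporter's code: a toy hierarchical allocator with the parent/child/sibling shape of a talloc tree. It shows that a list whose every item is allocated under the previous item has a nesting depth equal to its length, so a recursive free needs one stack frame per item, while a post-order free driven by parent pointers releases the same tree with constant stack use. All names (tnode, build_list, the free routines) are hypothetical, and the chained shape is an assumption drawn from the nested report lines, not a claim about how ndr_pull allocates.

```c
/* Added illustration, not Samba, talloc or the reporter's code: a toy
 * hierarchical allocator with the parent/child/sibling shape of a talloc
 * tree.  Compares a recursive teardown (one frame per nesting level, as
 * in the stack trace above) with an iterative post-order teardown.
 * All names are hypothetical. */
#include <stddef.h>
#include <stdlib.h>

struct tnode {
    struct tnode *parent;
    struct tnode *child;   /* head of this node's child list */
    struct tnode *next;    /* next sibling under the same parent */
};

/* Allocate a node and link it as the newest child of parent (NULL = root). */
static struct tnode *tnode_alloc(struct tnode *parent)
{
    struct tnode *n = calloc(1, sizeof(*n));
    if (n == NULL)
        return NULL;
    n->parent = parent;
    if (parent != NULL) {
        n->next = parent->child;
        parent->child = n;
    }
    return n;
}

/* Nodes on the longest root-to-leaf path, root included.  Walks via
 * child/next/parent pointers, so measuring a deep tree does not recurse. */
static size_t tnode_depth(const struct tnode *root)
{
    size_t depth = 1, best = 1;
    const struct tnode *n = root;
    for (;;) {
        if (n->child != NULL) {
            n = n->child;
            if (++depth > best)
                best = depth;
            continue;
        }
        /* at a leaf: climb until a sibling exists or we are back at root */
        while (n != root && n->next == NULL) {
            n = n->parent;
            depth--;
        }
        if (n == root)
            return best;
        n = n->next;
    }
}

/* Recursive teardown in the shape the stack trace shows: free every child
 * subtree, then the node.  *max_frames records the deepest recursion
 * reached; call with frames = 1 for the root.  Returns nodes freed. */
static size_t tnode_free_recursive(struct tnode *n, size_t frames,
                                   size_t *max_frames)
{
    size_t freed = 0;
    struct tnode *c = n->child;
    if (frames > *max_frames)
        *max_frames = frames;
    while (c != NULL) {
        struct tnode *sibling = c->next;      /* c is freed below */
        freed += tnode_free_recursive(c, frames + 1, max_frames);
        c = sibling;
    }
    free(n);
    return freed + 1;
}

/* Iterative post-order teardown: free the leftmost leaf, step up one
 * level, repeat.  root must have no parent.  Returns nodes freed. */
static size_t tnode_free_iterative(struct tnode *root)
{
    size_t freed = 0;
    struct tnode *n = root;
    while (n != NULL) {
        while (n->child != NULL)
            n = n->child;                /* descend to a leaf */
        struct tnode *parent = n->parent;
        if (parent != NULL)
            parent->child = n->next;     /* n is the head of parent's list */
        free(n);
        freed++;
        n = parent;                      /* NULL once the root is freed */
    }
    return freed;
}

/* Build a list of n items under one owner.  chained: each item is
 * allocated under the previous one (the shape the nested report lines
 * suggest); otherwise every item is a direct child of the owner. */
static struct tnode *build_list(size_t n, int chained)
{
    struct tnode *root = tnode_alloc(NULL), *cur = root;
    for (size_t i = 0; i < n && cur != NULL; i++)
        cur = tnode_alloc(chained ? cur : root);
    return root;
}
```

With 1000 chained items tnode_depth reports 1001 and the recursive free reaches 1001 frames; the flat layout of the same 1000 items has depth 2. The iterative free releases either shape in the same number of steps without growing the C stack, which is the property that matters when the depth of the tree is under an attacker's control, as it is for fuzzed NDR input.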