Bug 14456 - fuzz: spoolss undefined behaviour indexing NULL[0].
Summary: fuzz: spoolss undefined behaviour indexing NULL[0].
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-06 22:50 UTC by Douglas Bagnall
Modified: 2024-03-28 00:32 UTC

See Also:


Attachments
the fuzz input. (20 bytes, application/octet-stream)
2020-08-06 22:50 UTC, Douglas Bagnall

Description Douglas Bagnall 2020-08-06 22:50:10 UTC
Created attachment 16165 [details]
the fuzz input.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22653

 	librpc/gen_ndr/ndr_spoolss.c:35202:4: runtime error: applying zero offset to null pointer
	    #0 0x55924e9fa5fe in ndr_push___spoolss_EnumPrinterDataEx samba/bin/default/librpc/gen_ndr/ndr_spoolss.c:35202:4
	    #1 0x55924ec634a3 in ndr_push_spoolss_EnumPrinterDataEx samba/bin/default/../../librpc/ndr/ndr_spoolss_buf.c:628:4
	    #2 0x55924ecb7e4f in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_spoolss_TYPE_OUT.c:305:13
	    #3 0x55924e6d3151 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:559:15
	    #4 0x55924e6be8f2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:301:6
	    #5 0x55924e6c488d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:801:9
	    #6 0x55924e6ec172 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
	    #7 0x7f72f04db83f in __libc_start_main (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_samba_2e2f9e03439b06bef98c668055db3b9dbd019852/revisions/lib/libc.so.6+0x2083f)
	    #8 0x55924e699068 in _start (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_samba_2e2f9e03439b06bef98c668055db3b9dbd019852/revisions/fuzz_ndr_spoolss_TYPE_OUT+0x8f7068)
	
	SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior librpc/gen_ndr/ndr_spoolss.c:35202:4 in
	librpc/gen_ndr/ndr_spoolss.c:22898:4: runtime error: member access within null pointer of type 'const struct spoolss_PrinterEnumValues'
	    #0 0x55924e903704 in ndr_push_spoolss_PrinterEnumValues samba/bin/default/librpc/gen_ndr/ndr_spoolss.c:22898:4
	    #1 0x55924e9fa495 in ndr_push___spoolss_EnumPrinterDataEx samba/bin/default/librpc/gen_ndr/ndr_spoolss.c:35202:4
	    #2 0x55924ec634a3 in ndr_push_spoolss_EnumPrinterDataEx samba/bin/default/../../librpc/ndr/ndr_spoolss_buf.c:628:4
	    #3 0x55924ecb7e4f in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_spoolss_TYPE_OUT.c:305:13
	    #4 0x55924e6d3151 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:559:15
	    #5 0x55924e6be8f2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:301:6
	    #6 0x55924e6c488d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:801:9
	    #7 0x55924e6ec172 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
	    #8 0x7f72f04db83f in __libc_start_main (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_samba_2e2f9e03439b06bef98c668055db3b9dbd019852/revisions/lib/libc.so.6+0x2083f)
	    #9 0x55924e699068 in _start (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_samba_2e2f9e03439b06bef98c668055db3b9dbd019852/revisions/fuzz_ndr_spoolss_TYPE_OUT+0x8f7068)
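Both sanitizer findings above describe one pattern in generated marshalling code: the push routine forms `&array[0]` and then reads a member through that pointer before anything has established that the array pointer is non-NULL. In C that is undefined behaviour even when the element count is zero and no byte is ever read. The following is an added illustration, not Samba's code: a cut-down push routine with constructed names (`enum_value`, `enum_reply`, `push_buf`, `push_reply_unchecked`, `push_reply_checked`) and a simplified little-endian integer encoding standing in for real NDR. The unchecked form reproduces the pattern a sanitizer build flags; the checked form treats an empty array as legal without touching the pointer and refuses a count that promises elements the pointer does not supply.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Samba code: enum_value, enum_reply and push_buf are
 * constructed stand-ins for a generated NDR push routine and its types. */
struct enum_value { uint32_t type; uint32_t data_length; };

struct enum_reply {
    uint32_t count;
    const struct enum_value *info;  /* NULL is legitimate when count == 0 */
};

struct push_buf { uint8_t data[128]; size_t len; };

/* Append one little-endian u32 (NDR's default byte order). */
static int push_u32(struct push_buf *b, uint32_t v)
{
    if (b->len + 4 > sizeof(b->data)) return -1;
    for (int i = 0; i < 4; i++) b->data[b->len++] = (uint8_t)(v >> (8 * i));
    return 0;
}

static int push_value(struct push_buf *b, const struct enum_value *v)
{
    /* v->type through a NULL v is the "member access within null pointer"
     * finding: the access is undefined before any byte is read. */
    if (push_u32(b, v->type) < 0) return -1;
    return push_u32(b, v->data_length);
}

/* The pattern the sanitizer flags: &r->info[0] is formed before anyone has
 * checked r->info.  Offsetting a null pointer, even by zero, is undefined
 * behaviour in C, so a -fsanitize=undefined build reports this line. */
static int push_reply_unchecked(struct push_buf *b, const struct enum_reply *r)
{
    const struct enum_value *first = &r->info[0];
    if (push_u32(b, r->count) < 0) return -1;
    for (uint32_t i = 0; i < r->count; i++)
        if (push_value(b, &first[i]) < 0) return -1;
    return 0;
}

/* Hardened form: an empty array never touches the pointer, and a count that
 * promises elements the pointer does not supply is an error, not a crash. */
static int push_reply_checked(struct push_buf *b, const struct enum_reply *r)
{
    if (push_u32(b, r->count) < 0) return -1;
    if (r->count == 0) return 0;
    if (r->info == NULL) return -2;     /* count/pointer mismatch */
    for (uint32_t i = 0; i < r->count; i++)
        if (push_value(b, &r->info[i]) < 0) return -1;
    return 0;
}

/* Constructed sample data for the three cases below. */
static const struct enum_value sample_values[2] = {
    { .type = 1, .data_length = 4 },
    { .type = 7, .data_length = 0 },
};

/* Empty reply (count 0, NULL array): returns bytes pushed, 4 for the count. */
int demo_empty_reply(void)
{
    struct push_buf b = { .len = 0 };
    const struct enum_reply r = { .count = 0, .info = NULL };
    int rc = push_reply_checked(&b, &r);
    return rc < 0 ? rc : (int)b.len;
}

/* Inconsistent reply (count 2, NULL array): -2, with nothing dereferenced. */
int demo_inconsistent_reply(void)
{
    struct push_buf b = { .len = 0 };
    const struct enum_reply r = { .count = 2, .info = NULL };
    return push_reply_checked(&b, &r);
}

/* Well-formed reply: both encoders must agree byte for byte; returns length. */
int demo_wellformed_reply(void)
{
    struct push_buf u = { .len = 0 }, c = { .len = 0 };
    const struct enum_reply r = { .count = 2, .info = sample_values };
    if (push_reply_unchecked(&u, &r) < 0) return -1;
    if (push_reply_checked(&c, &r) < 0) return -1;
    if (u.len != c.len || memcmp(u.data, c.data, c.len) != 0) return -3;
    return (int)c.len;                  /* 4 (count) + 2 * 8 = 20 */
}
```

Building this with `-fsanitize=undefined` and handing the empty reply to `push_reply_unchecked` reproduces the `applying zero offset to null pointer` diagnostic from the report; the checked variant yields identical bytes on well-formed input, so the guard costs nothing on the normal path and turns the count/pointer mismatch into an ordinary error return.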
Comment 1 Douglas Bagnall 2020-08-06 22:53:10 UTC
The ndrdump equivalent is:

bin/ndrdump spoolss 79 out --base64-input --input AAAAAAAAAAAgICAgICAgIA==

valgrind has no complaints.