Bug 15349 - samba:fuzz_ndr_cab_TYPE_STRUCT: Heap-use-after-free in _talloc_free
Summary: samba:fuzz_ndr_cab_TYPE_STRUCT: Heap-use-after-free in _talloc_free
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: PIDL and libndr (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL: https://bugs.chromium.org/p/oss-fuzz/...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-02 00:19 UTC by Douglas Bagnall
Modified: 2023-05-23 04:17 UTC (History)
2 users (show)

See Also:

Attachments
the fuzz case (60 bytes, image/x-tga)
2023-04-02 00:19 UTC, Douglas Bagnall 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Douglas Bagnall 2023-04-02 00:19:31 UTC 
Created attachment 17853 [details]
the fuzz case

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57608
Detailed Report: https://oss-fuzz.com/testcase?key=5298901585625088

Related to the NDR compression changes, this is not a problem in any releases, but I have restricted it to Samba devs for now in case we muck around for ages.

READ of size 4 at 0x611000000680 thread T0
	SCARINESS: 45 (4-byte-read-heap-use-after-free)
	    #0 0x5641459b4cf3 in talloc_chunk_from_ptr samba/lib/talloc/talloc.c:527:6
	    #1 0x5641459b4cf3 in _talloc_free samba/lib/talloc/talloc.c:1770:7
	    #2 0x564145a1eb69 in generic_mszip_free samba/librpc/ndr/ndr_compression.c:1005:2
	    #3 0x564145a1eb69 in ndr_push_compression_state_free samba/librpc/ndr/ndr_compression.c:1078:3
	    #4 0x5641459bdb8f in _tc_free_internal samba/lib/talloc/talloc.c:1158:7
	    #5 0x5641459bd717 in _tc_free_children_internal samba/lib/talloc/talloc.c:1669:7
	    #6 0x5641459bd717 in _tc_free_internal samba/lib/talloc/talloc.c:1184:2
	    #7 0x5641459bd717 in _tc_free_children_internal samba/lib/talloc/talloc.c:1669:7
	    #8 0x5641459bd717 in _tc_free_internal samba/lib/talloc/talloc.c:1184:2
	    #9 0x5641459b4a26 in _talloc_free_internal samba/lib/talloc/talloc.c:1248:9
	    #10 0x5641459b4a26 in _talloc_free samba/lib/talloc/talloc.c:1792:9
	    #11 0x564145a3cef4 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_cab_TYPE_STRUCT.c:0
	    #12 0x5641458812c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
	    #13 0x56414586ca22 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
	    #14 0x5641458722cc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
	    #15 0x56414589b802 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
	    #16 0x7fb917251082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
	    #17 0x564145862bed in _start
Comment 1 Samba QA Contact 2023-05-05 03:53:04 UTC 
This bug was referenced in samba master:

ff2de50aa4bf086880ab8cd1c2aee7e998c2c22a
Comment 2 Andrew Bartlett 2023-05-23 04:17:50 UTC 
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57608#c4 confirms this is fixed.  

Closing.