Bug 15349 - samba:fuzz_ndr_cab_TYPE_STRUCT: Heap-use-after-free in _talloc_free
Summary: samba:fuzz_ndr_cab_TYPE_STRUCT: Heap-use-after-free in _talloc_free
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: PIDL and libndr (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL: https://bugs.chromium.org/p/oss-fuzz/...
Depends on:
Reported: 2023-04-02 00:19 UTC by Douglas Bagnall
Modified: 2023-05-23 04:17 UTC (History)
2 users (show)

See Also:

the fuzz case (60 bytes, image/x-tga)
2023-04-02 00:19 UTC, Douglas Bagnall
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Douglas Bagnall 2023-04-02 00:19:31 UTC
Created attachment 17853 [details]
the fuzz case

Detailed Report: https://oss-fuzz.com/testcase?key=5298901585625088

Related to the NDR compression changes, this is not a problem in any releases, but I have restricted it to Samba devs for now in case we muck around for ages.

READ of size 4 at 0x611000000680 thread T0
	SCARINESS: 45 (4-byte-read-heap-use-after-free)
	    #0 0x5641459b4cf3 in talloc_chunk_from_ptr samba/lib/talloc/talloc.c:527:6
	    #1 0x5641459b4cf3 in _talloc_free samba/lib/talloc/talloc.c:1770:7
	    #2 0x564145a1eb69 in generic_mszip_free samba/librpc/ndr/ndr_compression.c:1005:2
	    #3 0x564145a1eb69 in ndr_push_compression_state_free samba/librpc/ndr/ndr_compression.c:1078:3
	    #4 0x5641459bdb8f in _tc_free_internal samba/lib/talloc/talloc.c:1158:7
	    #5 0x5641459bd717 in _tc_free_children_internal samba/lib/talloc/talloc.c:1669:7
	    #6 0x5641459bd717 in _tc_free_internal samba/lib/talloc/talloc.c:1184:2
	    #7 0x5641459bd717 in _tc_free_children_internal samba/lib/talloc/talloc.c:1669:7
	    #8 0x5641459bd717 in _tc_free_internal samba/lib/talloc/talloc.c:1184:2
	    #9 0x5641459b4a26 in _talloc_free_internal samba/lib/talloc/talloc.c:1248:9
	    #10 0x5641459b4a26 in _talloc_free samba/lib/talloc/talloc.c:1792:9
	    #11 0x564145a3cef4 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_cab_TYPE_STRUCT.c:0
	    #12 0x5641458812c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
	    #13 0x56414586ca22 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
	    #14 0x5641458722cc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
	    #15 0x56414589b802 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
	    #16 0x7fb917251082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
	    #17 0x564145862bed in _start
Comment 1 Samba QA Contact 2023-05-05 03:53:04 UTC
This bug was referenced in samba master:

Comment 2 Andrew Bartlett 2023-05-23 04:17:50 UTC
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57608#c4 confirms this is fixed.