Bug 15352 - invalid write in ndr compression code
Summary: invalid write in ndr compression code
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: PIDL and libndr
Version: unspecified
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL: https://bugs.chromium.org/p/oss-fuzz/...
Depends on:
Reported: 2023-04-05 22:39 UTC by Douglas Bagnall
Modified: 2023-07-16 22:39 UTC

See Also:

Description Douglas Bagnall 2023-04-05 22:39:50 UTC
	==10091==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x58fb7eb8b000 (pc 0x7f682dc71b41 bp 0x7ffc0a91d620 sp 0x7ffc0a91d5d8 T10091)
	==10091==The signal is caused by a WRITE memory access.
	    #0 0x7f682dc71b41 in memset-vec-unaligned-erms.S:151 /build/glibc-SzIz7B/glibc-2.31/sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:151
	    #1 0x58fb7c65b852 in ndr_push_zero samba/librpc/ndr/ndr_basic.c:772:2
	    #2 0x58fb7c608dd2 in ndr_pull_compression_xpress_huff_raw_chunk samba/librpc/ndr/ndr_compression.c:734:2
	    #3 0x58fb7c608dd2 in ndr_pull_compression_start samba/librpc/ndr/ndr_compression.c:857:3
	    #4 0x58fb7c5f9baa in ndr_pull_CLAIMS_SET_METADATA samba/bin/default/librpc/gen_ndr/ndr_claims.c:1149:6
	    #5 0x58fb7c56c90b in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_claims_TYPE_STRUCT.c:276:13
	    #6 0x58fb7c4ad8e3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
	    #7 0x58fb7c499042 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
	    #8 0x58fb7c49e8ec in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
	    #9 0x58fb7c4c7e22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
	    #10 0x7f682db0a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
	    #11 0x58fb7c48f20d in _start

I'm filing these on Bugzilla because it is too easy to miss them on bugs.chromium.org.
Comment 1 Douglas Bagnall 2023-07-14 02:08:22 UTC
Fixed; no backports, as the code is unused at the functional levels of current releases.