Bug 15415 - fuzz_ndr_claims_TYPE_STRUCT: Crash in ndr_push_zero
Summary: fuzz_ndr_claims_TYPE_STRUCT: Crash in ndr_push_zero
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jennifer Sutton
QA Contact: Samba QA Contact
URL: https://bugs.chromium.org/p/oss-fuzz/...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-05 05:28 UTC by Douglas Bagnall
Modified: 2023-07-08 00:44 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Douglas Bagnall 2023-07-05 05:28:33 UTC
Created attachment 17969 [details]
test case

This is an OSS-fuzz result that we let fall through to public disclosure.

The test case is not public, so we're treating it as semi-embargoed still.


 	UndefinedBehaviorSanitizer:DEADLYSIGNAL
	==18871==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x56c4c3c2e000 (pc 0x7d5d99099b41 bp 0x7ffea63b5920 sp 0x7ffea63b58d8 T18871)
	==18871==The signal is caused by a WRITE memory access.
	    #0 0x7d5d99099b41 in memset-vec-unaligned-erms.S:151 /build/glibc-SzIz7B/glibc-2.31/sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:151
	    #1 0x56c4c15d0852 in ndr_push_zero samba/librpc/ndr/ndr_basic.c:772:2
	    #2 0x56c4c157ddd2 in ndr_pull_compression_xpress_huff_raw_chunk samba/librpc/ndr/ndr_compression.c:734:2
	    #3 0x56c4c157ddd2 in ndr_pull_compression_start samba/librpc/ndr/ndr_compression.c:857:3
	    #4 0x56c4c156ebaa in ndr_pull_CLAIMS_SET_METADATA samba/bin/default/librpc/gen_ndr/ndr_claims.c:1149:6
	    #5 0x56c4c14e190b in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_claims_TYPE_STRUCT.c:276:13
	    #6 0x56c4c14228e3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
	    #7 0x56c4c140e042 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
	    #8 0x56c4c14138ec in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
	    #9 0x56c4c143ce22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
	    #10 0x7d5d98f32082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
	    #11 0x56c4c140420d in _start
Comment 1 Samba QA Contact 2023-07-07 01:15:04 UTC
This bug was referenced in samba master:

47b6696dcdfe7c5cb6e58ac6586ba45d39c39cc6
Comment 2 Douglas Bagnall 2023-07-08 00:44:06 UTC
Verified as fixed in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57728#c4