Bug 15613 - ndr_pull_security_ace can leave resource attribute ACE coda claim struct undefined
Summary: ndr_pull_security_ace can leave resource attribute ACE coda claim struct unde...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-23 00:56 UTC by Douglas Bagnall
Modified: 2024-03-27 17:13 UTC (History)
2 users (show)

See Also:

Attachments
a patch, perhaps in the wrong place, but it works (2.49 KB, patch)
2024-03-23 00:56 UTC, Douglas Bagnall 		no flags Details
Patch for master backported to Samba 4.20 (v1) (2.74 KB, patch)
2024-03-25 06:29 UTC, Andrew Bartlett 		dbagnall: review+
abartlet: ci-passed+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Douglas Bagnall 2024-03-23 00:56:41 UTC 
Created attachment 18272 [details]
a patch, perhaps in the wrong place, but it works

We forget that an ACE with zero coda could be a resource attribute ACE, and initialise only the ignored blob. The correct thing to do would probably be to fail.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66577

This arose from the manual parsing that Andrew correctly grumbled about in https://gitlab.com/samba-team/samba/-/merge_requests/3489 but as that MR itself closed a couple of OSS-Fuzz issues, I suspect the underlying bug is in the (manual) ndr_subcontext_size_of_ace_coda() helper function that both versions rely on. 

    #0 0x56335e0cc68d in ndr_push_CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 samba/bin/default/librpc/gen_ndr/ndr_security.c:798:4
    #1 0x56335e0dab63 in ndr_push_security_ace_coda samba/bin/default/librpc/gen_ndr/ndr_security.c:1083:5
    #2 0x56335e143090 in ndr_size_union samba/librpc/ndr/ndr.c:1584:11
    #3 0x56335e0dde9e in ndr_size_security_ace_coda samba/bin/default/librpc/gen_ndr/ndr_security.c:1325:9
    #4 0x56335e0f6dc4 in ndr_size_security_ace samba/librpc/ndr/ndr_sec_helper.c:65:10
    #5 0x56335e0f9cb0 in ndr_size_security_acl samba/librpc/ndr/ndr_sec_helper.c:218:10
    #6 0x56335e0f9f9c in ndr_size_security_descriptor samba/librpc/ndr/ndr_sec_helper.c:234:9
    #7 0x56335e0e7906 in ndr_push_sec_desc_buf samba/bin/default/librpc/gen_ndr/ndr_security.c:1718:3
    #8 0x56335df865a8 in ndr_push_samr_QuerySecurity samba/bin/default/librpc/gen_ndr/ndr_samr.c:6366:4
    #9 0x56335dcb3d08 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_samr_TYPE_OUT.c:305:13
Comment 1 Douglas Bagnall 2024-03-24 22:15:50 UTC 
There are many related oss-fuzz issues that manifest as print timeouts:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67619
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67603
etc
Comment 2 Samba QA Contact 2024-03-25 06:01:03 UTC 
This bug was referenced in samba master:

6fb98f70c6274e172787c8d5f73aa93920171e7c
Comment 3 Andrew Bartlett 2024-03-25 06:29:43 UTC 
Created attachment 18275 [details]
Patch for master backported to Samba 4.20 (v1)
Comment 4 Andrew Bartlett 2024-03-25 06:30:37 UTC 
Comment on attachment 18275 [details]
Patch for master backported to Samba 4.20 (v1)

https://gitlab.com/samba-team/devel/samba/-/pipelines/1225949080
Comment 5 Andrew Bartlett 2024-03-25 08:46:17 UTC 
Comment on attachment 18275 [details]
Patch for master backported to Samba 4.20 (v1)

Marking as CI passed.  Only failure is a deadtime test in the nt4-dc env, which isn't running this code (so any tests missed also won't be touching this code).
Comment 6 Douglas Bagnall 2024-03-25 09:19:12 UTC 
For 4.20.
Comment 7 Jule Anger 2024-03-26 10:17:39 UTC 
Pushed to autobuild-v4-20-test.
Comment 8 Samba QA Contact 2024-03-26 11:18:05 UTC 
This bug was referenced in samba v4-20-test:

3be368ff2bc6d7818d41a36ae99a7c9b19ba77b8
Comment 9 Jule Anger 2024-03-26 11:48:17 UTC 
Closing out bug report.

Thanks!
Comment 10 Samba QA Contact 2024-03-27 17:13:57 UTC 
This bug was referenced in samba v4-20-stable (Release samba-4.20.0):

3be368ff2bc6d7818d41a36ae99a7c9b19ba77b8