Bug 15613 - ndr_pull_security_ace can leave resource attribute ACE coda claim struct undefined
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2024-03-23 00:56 UTC by Douglas Bagnall
Modified: 2024-03-27 17:13 UTC

See Also:


Attachments
a patch, perhaps in the wrong place, but it works (2.49 KB, patch)
2024-03-23 00:56 UTC, Douglas Bagnall
Patch for master backported to Samba 4.20 (v1) (2.74 KB, patch)
2024-03-25 06:29 UTC, Andrew Bartlett
dbagnall: review+
abartlet: ci-passed+

Description Douglas Bagnall 2024-03-23 00:56:41 UTC
Created attachment 18272
a patch, perhaps in the wrong place, but it works

We forget that an ACE with zero coda could be a resource attribute ACE, and initialise only the ignored blob. The correct thing to do would probably be to fail.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66577

This arose from the manual parsing that Andrew correctly grumbled about in https://gitlab.com/samba-team/samba/-/merge_requests/3489 but as that MR itself closed a couple of OSS-Fuzz issues, I suspect the underlying bug is in the (manual) ndr_subcontext_size_of_ace_coda() helper function that both versions rely on. 

    #0 0x56335e0cc68d in ndr_push_CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 samba/bin/default/librpc/gen_ndr/ndr_security.c:798:4
    #1 0x56335e0dab63 in ndr_push_security_ace_coda samba/bin/default/librpc/gen_ndr/ndr_security.c:1083:5
    #2 0x56335e143090 in ndr_size_union samba/librpc/ndr/ndr.c:1584:11
    #3 0x56335e0dde9e in ndr_size_security_ace_coda samba/bin/default/librpc/gen_ndr/ndr_security.c:1325:9
    #4 0x56335e0f6dc4 in ndr_size_security_ace samba/librpc/ndr/ndr_sec_helper.c:65:10
    #5 0x56335e0f9cb0 in ndr_size_security_acl samba/librpc/ndr/ndr_sec_helper.c:218:10
    #6 0x56335e0f9f9c in ndr_size_security_descriptor samba/librpc/ndr/ndr_sec_helper.c:234:9
    #7 0x56335e0e7906 in ndr_push_sec_desc_buf samba/bin/default/librpc/gen_ndr/ndr_security.c:1718:3
    #8 0x56335df865a8 in ndr_push_samr_QuerySecurity samba/bin/default/librpc/gen_ndr/ndr_samr.c:6366:4
    #9 0x56335dcb3d08 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_samr_TYPE_OUT.c:305:13
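A simplified model of the defect this report describes, added here as an example and not code from Samba's ndr layer: the ACE type values, the two-byte claim layout and the size arithmetic are constructed for illustration. It shows the two defensive properties the description calls for: the coda union is fully defined on every path, and a resource attribute ACE with an empty coda is rejected rather than half-initialised.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical ACE type values and constructed coda layouts (not Samba's). */
enum ace_type { ACE_ACCESS_ALLOWED = 0x00, ACE_RESOURCE_ATTRIBUTE = 0x12 };
enum pull_status { PULL_OK = 0, PULL_ERR_BAD_CODA = 1 };
struct claim_v1 { uint8_t value_type; uint8_t value_count; };
struct ignored_blob { size_t length; const uint8_t *data; };
struct ace {
    enum ace_type type;
    union { struct ignored_blob ignored; struct claim_v1 claim; } coda;
};

/* Hardened pull: zero the whole struct so every union member is defined on
 * every path, and reject an empty coda for a type whose coda is mandatory
 * rather than initialising only the blob member and returning success. */
static enum pull_status pull_ace(struct ace *a, uint8_t type,
                                 const uint8_t *coda, size_t coda_len)
{
    memset(a, 0, sizeof(*a));
    a->type = (enum ace_type)type;
    if (a->type == ACE_RESOURCE_ATTRIBUTE) {
        if (coda_len < sizeof(struct claim_v1)) {
            return PULL_ERR_BAD_CODA;   /* claim cannot be filled: fail, don't guess */
        }
        a->coda.claim.value_type = coda[0];
        a->coda.claim.value_count = coda[1];
        return PULL_OK;
    }
    a->coda.ignored.length = coda_len;      /* other types: opaque blob, may be empty */
    a->coda.ignored.data = coda_len ? coda : NULL;
    return PULL_OK;
}
/* A size routine like the one in the trace: it reads the claim member, so that
 * member must be defined whenever the type selects it. */
static size_t size_ace_coda(const struct ace *a)
{
    if (a->type == ACE_RESOURCE_ATTRIBUTE) {
        /* constructed: header plus 4 bytes per claim value */
        return sizeof(struct claim_v1) + (size_t)a->coda.claim.value_count * 4;
    }
    return a->coda.ignored.length;
}
/* Pull then size in one step; -1 means the pull was rejected. */
static long pull_then_size(uint8_t type, const uint8_t *coda, size_t coda_len)
{
    struct ace a;
    return pull_ace(&a, type, coda, coda_len) == PULL_OK ? (long)size_ace_coda(&a) : -1;
}
```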
Comment 1 Douglas Bagnall 2024-03-24 22:15:50 UTC
There are many related oss-fuzz issues that manifest as print timeouts:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67619
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67603
etc.
Comment 2 Samba QA Contact 2024-03-25 06:01:03 UTC
This bug was referenced in samba master:

6fb98f70c6274e172787c8d5f73aa93920171e7c
Comment 3 Andrew Bartlett 2024-03-25 06:29:43 UTC
Created attachment 18275
Patch for master backported to Samba 4.20 (v1)
Comment 4 Andrew Bartlett 2024-03-25 06:30:37 UTC
Comment on attachment 18275
Patch for master backported to Samba 4.20 (v1)

https://gitlab.com/samba-team/devel/samba/-/pipelines/1225949080
Comment 5 Andrew Bartlett 2024-03-25 08:46:17 UTC
Comment on attachment 18275
Patch for master backported to Samba 4.20 (v1)

Marking as CI passed. Only failure is a deadtime test in the nt4-dc env, which isn't running this code (so any tests missed also won't be touching this code).
Comment 6 Douglas Bagnall 2024-03-25 09:19:12 UTC
For 4.20.
Comment 7 Jule Anger 2024-03-26 10:17:39 UTC
Pushed to autobuild-v4-20-test.
Comment 8 Samba QA Contact 2024-03-26 11:18:05 UTC
This bug was referenced in samba v4-20-test:

3be368ff2bc6d7818d41a36ae99a7c9b19ba77b8
Comment 9 Jule Anger 2024-03-26 11:48:17 UTC
Closing out bug report.

Thanks!
Comment 10 Samba QA Contact 2024-03-27 17:13:57 UTC
This bug was referenced in samba v4-20-stable (Release samba-4.20.0):

3be368ff2bc6d7818d41a36ae99a7c9b19ba77b8