Skip to content

Heap overflow in function read_fat() #25

Closed
@hannob

Description

@hannob

The attached file will cause a heap overflow in the function read_fat (it's zip-packed, because github only allows certain file types).
This was found via fuzzing with american fuzzy lop and address sanitizer.

Address Sanitizer error message / stack trace:

==2804==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000be78 at pc 0x00000049e22f bp 0x7ffde1e2f3b0 sp 0x7ffde1e2eb60
WRITE of size 21474836600 at 0x60c00000be78 thread T0
    #0 0x49e22e in __asan_memset (/home/hanno/Desktop/dosfstools/src/fsck.fat+0x49e22e)
    #1 0x4f4971 in read_fat /mnt/ram/dosfstools/src/fat.c:160:5
    #2 0x4e018c in main /mnt/ram/dosfstools/src/fsck.fat.c:187:12
    #3 0x7f5e7c77562f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #4 0x4181e8 in _start (/home/hanno/Desktop/dosfstools/src/fsck.fat+0x4181e8)

0x60c00000be78 is located 0 bytes to the right of 120-byte region [0x60c00000be00,0x60c00000be78)
allocated by thread T0 here:
    #0 0x4b3888 in __interceptor_malloc (/home/hanno/Desktop/dosfstools/src/fsck.fat+0x4b3888)
    #1 0x4f332c in alloc /mnt/ram/dosfstools/src/common.c:66:17

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hanno/Desktop/dosfstools/src/fsck.fat+0x49e22e) in __asan_memset
Shadow bytes around the buggy address:
  0x0c187fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c187fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0c187fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff97e0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c187fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c187fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
[dosfstools-heapoverflow-read_fat.zip](https://github.com/dosfstools/dosfstools/files/215455/dosfstools-heapoverflow-read_fat.zip)

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions