The attached file will cause a heap overflow in the function read_fat (it's zip-packed, because GitHub only allows certain file types).
This was found via fuzzing with american fuzzy lop and address sanitizer.
Address Sanitizer error message / stack trace:
```text
==2804==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000be78 at pc 0x00000049e22f bp 0x7ffde1e2f3b0 sp 0x7ffde1e2eb60
WRITE of size 21474836600 at 0x60c00000be78 thread T0
    #0 0x49e22e in __asan_memset (/home/hanno/Desktop/dosfstools/src/fsck.fat+0x49e22e)
    #1 0x4f4971 in read_fat /mnt/ram/dosfstools/src/fat.c:160:5
    #2 0x4e018c in main /mnt/ram/dosfstools/src/fsck.fat.c:187:12
    #3 0x7f5e7c77562f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #4 0x4181e8 in _start (/home/hanno/Desktop/dosfstools/src/fsck.fat+0x4181e8)

0x60c00000be78 is located 0 bytes to the right of 120-byte region [0x60c00000be00,0x60c00000be78)
allocated by thread T0 here:
    #0 0x4b3888 in __interceptor_malloc (/home/hanno/Desktop/dosfstools/src/fsck.fat+0x4b3888)
    #1 0x4f332c in alloc /mnt/ram/dosfstools/src/common.c:66:17

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hanno/Desktop/dosfstools/src/fsck.fat+0x49e22e) in __asan_memset
Shadow bytes around the buggy address:
  0x0c187fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c187fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0c187fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff97e0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c187fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c187fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```
[dosfstools-heapoverflow-read_fat.zip](https://github.com/dosfstools/dosfstools/files/215455/dosfstools-heapoverflow-read_fat.zip)
Found the cause: it's a failure to properly catch a zero-length FAT in read_fat() and continuing with that and the other corrupt values. Will add a few more checks to prevent that and related problematic values from going through.
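As an added illustration of the kind of check the maintainer describes (this is not dosfstools' read_fat() or any code from this issue), the following standalone C program validates FAT geometry derived from the BPB before any buffer is sized from it. The `struct fat_geometry`, the `fat_check` error codes and the 1 GiB `FAT_MAX_BYTES` cap are all constructed for the example; the point is that a zero sector count, an out-of-range sector size, or a product that wraps or exceeds a sane bound is rejected up front, so the allocation length and the later fill length can never disagree the way the ASan report shows (a 120-byte region written with a 21474836600-byte memset).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical, simplified FAT geometry as it would be derived from the
 * BIOS Parameter Block. This is NOT dosfstools' data structure; the field
 * names mirror the FAT specification's BPB fields.
 */
struct fat_geometry {
    uint32_t bytes_per_sector;  /* BPB_BytsPerSec */
    uint32_t sectors_per_fat;   /* BPB_FATSz16 or BPB_FATSz32 */
    uint32_t data_clusters;     /* cluster count derived from total sectors */
    uint32_t fat_bits;          /* 12, 16 or 32 */
};

enum fat_check {
    FAT_OK = 0,
    FAT_ERR_SECTOR_SIZE,   /* bytes_per_sector not a power of two in [512, 4096] */
    FAT_ERR_FAT_BITS,      /* fat_bits not 12, 16 or 32 */
    FAT_ERR_ZERO_LENGTH,   /* sectors_per_fat == 0: the case from the report */
    FAT_ERR_TOO_LARGE,     /* FAT would exceed the allocation cap */
    FAT_ERR_TOO_SMALL      /* FAT cannot hold one entry per cluster */
};

/* Constructed cap: a FAT32 table for the maximum ~2^28 clusters is 1 GiB. */
#define FAT_MAX_BYTES ((uint64_t)1 << 30)

/* Bytes needed for one entry per cluster plus the two reserved entries. */
static uint64_t fat_bytes_needed(const struct fat_geometry *g)
{
    uint64_t entries = (uint64_t)g->data_clusters + 2;
    if (g->fat_bits == 12)
        return (entries * 3 + 1) / 2;      /* 1.5 bytes per entry, rounded up */
    return entries * (g->fat_bits / 8);
}

/*
 * Validate the geometry before any allocation or memset is sized from it.
 * All arithmetic is done in 64 bits so corrupt 32-bit BPB values cannot wrap.
 * On success *fat_bytes receives the on-disk size of one FAT copy.
 */
enum fat_check check_fat_geometry(const struct fat_geometry *g, uint64_t *fat_bytes)
{
    uint32_t bps = g->bytes_per_sector;

    if (bps < 512 || bps > 4096 || (bps & (bps - 1)) != 0)
        return FAT_ERR_SECTOR_SIZE;
    if (g->fat_bits != 12 && g->fat_bits != 16 && g->fat_bits != 32)
        return FAT_ERR_FAT_BITS;
    if (g->sectors_per_fat == 0)
        return FAT_ERR_ZERO_LENGTH;

    uint64_t bytes = (uint64_t)bps * g->sectors_per_fat;   /* at most 2^12 * 2^32: no wrap */
    if (bytes > FAT_MAX_BYTES)
        return FAT_ERR_TOO_LARGE;
    if (bytes < fat_bytes_needed(g))
        return FAT_ERR_TOO_SMALL;

    *fat_bytes = bytes;
    return FAT_OK;
}

/*
 * Allocate and zero a buffer for one FAT copy only after the geometry has
 * been validated, so the buffer length and the fill length are the same
 * checked value. Returns NULL (with *err set) on rejection or allocation failure.
 */
uint8_t *alloc_fat_buffer(const struct fat_geometry *g, enum fat_check *err)
{
    uint64_t bytes = 0;
    *err = check_fat_geometry(g, &bytes);
    if (*err != FAT_OK)
        return NULL;
    return calloc((size_t)bytes, 1);   /* zero-fills exactly the validated length */
}

int main(void)
{
    /* Constructed sample geometries: a sane FAT16 layout and one with a zero-length FAT. */
    struct fat_geometry ok  = { 512, 32, 8000, 16 };
    struct fat_geometry bad = { 512, 0, 8000, 16 };
    enum fat_check err;
    uint8_t *fat;

    fat = alloc_fat_buffer(&ok, &err);
    printf("sane geometry:   check=%d, buffer %s\n", err, fat ? "allocated" : "rejected");
    free(fat);

    fat = alloc_fat_buffer(&bad, &err);
    printf("zero-length FAT: check=%d, buffer %s\n", err, fat ? "allocated" : "rejected");
    free(fat);
    return 0;
}
```

The check is deliberately ordered so the cheapest, most common corruptions (bad sector size, zero FAT length) are rejected before any multiplication, and the product is compared against both an upper bound and the minimum size implied by the cluster count; a FAT that is too small to index every cluster is just as much a precondition failure for later reads as one that is absurdly large.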