Closed
Description
The attached file will cause a heap overflow in the function read_fat (it's zip-packed, because github only allows certain file types).
This was found via fuzzing with american fuzzy lop and address sanitizer.
Address Sanitizer error message / stack trace:
==2804==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000be78 at pc 0x00000049e22f bp 0x7ffde1e2f3b0 sp 0x7ffde1e2eb60
WRITE of size 21474836600 at 0x60c00000be78 thread T0
#0 0x49e22e in __asan_memset (/home/hanno/Desktop/dosfstools/src/fsck.fat+0x49e22e)
#1 0x4f4971 in read_fat /mnt/ram/dosfstools/src/fat.c:160:5
#2 0x4e018c in main /mnt/ram/dosfstools/src/fsck.fat.c:187:12
#3 0x7f5e7c77562f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
#4 0x4181e8 in _start (/home/hanno/Desktop/dosfstools/src/fsck.fat+0x4181e8)
0x60c00000be78 is located 0 bytes to the right of 120-byte region [0x60c00000be00,0x60c00000be78)
allocated by thread T0 here:
#0 0x4b3888 in __interceptor_malloc (/home/hanno/Desktop/dosfstools/src/fsck.fat+0x4b3888)
#1 0x4f332c in alloc /mnt/ram/dosfstools/src/common.c:66:17
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hanno/Desktop/dosfstools/src/fsck.fat+0x49e22e) in __asan_memset
Shadow bytes around the buggy address:
0x0c187fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c187fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
0x0c187fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff97e0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c187fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c187fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
[dosfstools-heapoverflow-read_fat.zip](https://github.com/dosfstools/dosfstools/files/215455/dosfstools-heapoverflow-read_fat.zip)
Metadata
Metadata
Assignees
Labels
No labels