Heap buffer overflow in exfatfsck in verify_vbr_checksum() #5

Closed
hannob opened this issue Sep 9, 2015 · 5 comments

@hannob
commented Sep 9, 2015

This input file can trigger a heap overflow in exfatfsck:
https://crashes.fuzzing-project.org/exfatfsck-heap-overflow-write-verify_vbr_checksum

This was found while fuzzing with the tool american fuzzy lop.

Here is the stack trace from address sanitizer:

==7351==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef91 at pc 0x00000044390b bp 0x7ffdeb0bf9d0 sp 0x7ffdeb0bf188
WRITE of size 110 at 0x60200000ef91 thread T0
    #0 0x44390a in __interceptor_pread64 (/mnt/ram/exfat/exfatfsck.asan+0x44390a)
    #1 0x4e89f5 in verify_vbr_checksum /f/exfat-utils-1.1.1/libexfat/mount.c:107:6
    #2 0x4e89f5 in exfat_mount /f/exfat-utils-1.1.1/libexfat/mount.c:220
    #3 0x4dd537 in main /f/exfat-utils-1.1.1/fsck/main.c:163:6
    #4 0x7f403c332f9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #5 0x437006 in _start (/mnt/ram/exfat/exfatfsck.asan+0x437006)

0x60200000ef91 is located 0 bytes to the right of 1-byte region [0x60200000ef90,0x60200000ef91)
allocated by thread T0 here:
    #0 0x4bdfd2 in __interceptor_malloc (/mnt/ram/exfat/exfatfsck.asan+0x4bdfd2)
    #1 0x4e8959 in exfat_mount /f/exfat-utils-1.1.1/libexfat/mount.c:211:21

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_pread64
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa[01]fa fa fa 00 00 fa fa 00 07 fa fa fd fd
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7351==ABORTING
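The report above shows a 1-byte heap region allocated in exfat_mount() receiving a sector-sized pread() from verify_vbr_checksum(), which points at buffer and read sizes derived from boot-sector fields of an untrusted image. The C below is an added example modelled on that pattern, not exfat-utils code and not the 2e86ae5 fix; it assumes only the exFAT specification's VBR layout (BytesPerSectorShift at byte 108, SectorsPerClusterShift at byte 109) and shows the two defensive steps a mount path needs: validate geometry before sizing any buffer, and bound every read by the destination size so a length from one field can never overrun a buffer sized from another.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define VBR_LEN         512  /* the exFAT boot sector (VBR) is at least 512 bytes */
#define OEM_OFF         3    /* file system name "EXFAT   " */
#define SECTOR_BITS_OFF 108  /* BytesPerSectorShift */
#define SPC_BITS_OFF    109  /* SectorsPerClusterShift */

/* Validate the geometry fields before any buffer is sized from them. Limits follow
   the exFAT spec: 512..4096-byte sectors, clusters <= 32 MiB (shift sum <= 25). */
static int vbr_geometry_ok(const uint8_t *vbr, size_t vbr_len,
                           size_t *sector_size, size_t *cluster_size)
{
    if (vbr_len < VBR_LEN || memcmp(vbr + OEM_OFF, "EXFAT   ", 8) != 0) return 0;
    unsigned sb = vbr[SECTOR_BITS_OFF], spc = vbr[SPC_BITS_OFF];
    if (sb < 9 || sb > 12 || sb + spc > 25) return 0;
    *sector_size = (size_t)1 << sb;
    *cluster_size = *sector_size << spc;
    return 1;
}

/* Second line of defence: a pread-style helper that knows the destination size,
   so a length derived from one header field can never overrun a buffer sized
   from another. Returns bytes copied, or -1 when the request is refused. */
static long bounded_pread(uint8_t *dst, size_t dst_len, const uint8_t *dev,
                          size_t dev_len, size_t want, size_t off)
{
    if (want > dst_len || off > dev_len) return -1;
    size_t n = dev_len - off < want ? dev_len - off : want;
    memcpy(dst, dev + off, n);
    return (long)n;
}

/* Mount-time decision modelled on the report, on a constructed in-memory image
   that carries only the given shift fields: validate, size the cluster buffer
   from validated geometry, read one sector into it. Returns cluster size, 0 if rejected. */
static size_t mount_cluster_size(uint8_t sector_bits, uint8_t spc_bits)
{
    uint8_t dev[4096] = {0};   /* constructed image, large enough for a 4096-byte sector */
    size_t sector, cluster;
    memcpy(dev + OEM_OFF, "EXFAT   ", 8);
    dev[SECTOR_BITS_OFF] = sector_bits; dev[SPC_BITS_OFF] = spc_bits;
    if (!vbr_geometry_ok(dev, sizeof dev, &sector, &cluster)) return 0;
    uint8_t *buf = calloc(1, cluster);
    if (!buf) return 0;
    long got = bounded_pread(buf, cluster, dev, sizeof dev, sector, 0);
    free(buf);
    return got == (long)sector ? cluster : 0;
}
```

A sector_bits of 0, as a fuzzed image can carry, is refused before malloc() is ever reached; a short read (the 110-byte write in the trace) is also reported instead of silently accepted.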
@relan

Owner

commented Sep 9, 2015

Fixed this in 2e86ae5. Thanks for reporting!

@hannob

Author

commented Sep 9, 2015

Hi, I think this is not fully fixed. Just tested (same input file), it changes the error message, so I think there is another very similar issue at a later point in the code:

==28731==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef91 at pc 0x0000004436eb bp 0x7ffec646b750 sp 0x7ffec646af08
WRITE of size 110 at 0x60200000ef91 thread T0
    #0 0x4436ea in pread (/mnt/ram/exfat/exfatfsck+0x4436ea)
    #1 0x4e4db6 in exfat_pread /f/exfat/exfat/libexfat/io.c:335:9
    #2 0x4e9089 in verify_vbr_checksum /f/exfat/exfat/libexfat/mount.c:105:6
    #3 0x4e9089 in exfat_mount /f/exfat/exfat/libexfat/mount.c:218
    #4 0x4dd675 in main /f/exfat/exfat/fsck/main.c:161:6
    #5 0x7fe2b8c50f9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #6 0x437136 in _start (/mnt/ram/exfat/exfatfsck+0x437136)

0x60200000ef91 is located 0 bytes to the right of 1-byte region [0x60200000ef90,0x60200000ef91)
allocated by thread T0 here:
    #0 0x4be102 in __interceptor_malloc (/mnt/ram/exfat/exfatfsck+0x4be102)
    #1 0x4e8fed in exfat_mount /f/exfat/exfat/libexfat/mount.c:209:21

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 pread
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa[01]fa fa fa 00 00 fa fa 00 07 fa fa fd fd
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28731==ABORTING
@relan

Owner

commented Sep 9, 2015

> I think this is not fully fixed. Just tested (same input file), it changes the error message, so I think there is another very similar issue at a later point in the code

As far as I can see the error message is the same: AddressSanitizer: heap-buffer-overflow. The verify_vbr_checksum() function will not be called on this sample file after 2e86ae5. Are you sure that you use the issue5 branch for testing? The fix lives only there for now.

@hannob

Author

commented Sep 9, 2015

Sorry for the noise, you're right. I just took the latest git master code and didn't notice that this was a branch. Fix seems to work.

@relan

Owner

commented Sep 9, 2015

Great! Thanks for testing. I'll close this issue after I make a release.

@relan changed the title from "out of bounds write / heap overflow in exfatfsck in function verify_vbr_checksum()" to "Heap buffer overflow in exfatfsck in verify_vbr_checksum()" on Sep 10, 2015

@relan added the bug label on Sep 10, 2015

@relan closed this on Sep 24, 2015
