You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As part of our fuzzing efforts at Google, we have identified an issue affecting
sleuthkit (tested with revision * develop ba8d376).
To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/
And, back inside the container: /fuzzing/repro.sh /fuzzing/reproducer
Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:
==20==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001c900 at pc 0x000000546a80 bp 0x7fffd1b3f610 sp 0x7fffd1b3f608
READ of size 1 at 0x62100001c900 thread T0
#0 0x546a7f in hfs_find_highest_inum_cb /fuzzing/sleuthkit/tsk/fs/hfs.c:1731:28 #1 0x51a96c in hfs_cat_traverse /fuzzing/sleuthkit/tsk/fs/hfs.c:1082:21 #2 0x52fcb8 in hfs_find_highest_inum /fuzzing/sleuthkit/tsk/fs/hfs.c:1745:9 #3 0x521d49 in hfs_open /fuzzing/sleuthkit/tsk/fs/hfs.c:6534:21 #4 0x508e89 in main /fuzzing/sleuthkit/tools/fstools/fls.cpp:267:19 #5 0x7fd4355322b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) #6 0x41d679 in _start (/fuzzing/sleuthkit/tools/fstools/fls+0x41d679)
0x62100001c900 is located 0 bytes to the right of 4096-byte region [0x62100001b900,0x62100001c900)
allocated by thread T0 here:
#0 0x4ccf98 in __interceptor_malloc (/fuzzing/sleuthkit/tools/fstools/fls+0x4ccf98) #1 0x5bb28e in tsk_malloc /fuzzing/sleuthkit/tsk/base/mymalloc.c:32:16 #2 0x519c43 in hfs_cat_traverse /fuzzing/sleuthkit/tsk/fs/hfs.c:848:26 #3 0x52fcb8 in hfs_find_highest_inum /fuzzing/sleuthkit/tsk/fs/hfs.c:1745:9 #4 0x521d49 in hfs_open /fuzzing/sleuthkit/tsk/fs/hfs.c:6534:21 #5 0x508e89 in main /fuzzing/sleuthkit/tools/fstools/fls.cpp:267:19 #6 0x7fd4355322b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzzing/sleuthkit/tsk/fs/hfs.c:1731:28 in hfs_find_highest_inum_cb
Shadow bytes around the buggy address:
0x0c427fffb8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb920:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20==ABORTING
We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.
Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".
We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.
Don't hesitate to let us know if you have any questions!
Hello sleuthkit team,
As part of our fuzzing efforts at Google, we have identified an issue affecting
sleuthkit (tested with revision * develop ba8d376).
To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/
TL;DR instructions:
mkdir projectcp Dockerfile /path/to/projectdocker build --no-cache /path/to/projectdocker run -it image_id_from_docker_buildFrom another terminal, outside the container:
docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer(reference: https://docs.docker.com/engine/reference/commandline/cp/)
And, back inside the container:
/fuzzing/repro.sh /fuzzing/reproducerAlternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:
REPRO_START:* develop ba8d376
==20==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001c900 at pc 0x000000546a80 bp 0x7fffd1b3f610 sp 0x7fffd1b3f608
READ of size 1 at 0x62100001c900 thread T0
#0 0x546a7f in hfs_find_highest_inum_cb /fuzzing/sleuthkit/tsk/fs/hfs.c:1731:28
#1 0x51a96c in hfs_cat_traverse /fuzzing/sleuthkit/tsk/fs/hfs.c:1082:21
#2 0x52fcb8 in hfs_find_highest_inum /fuzzing/sleuthkit/tsk/fs/hfs.c:1745:9
#3 0x521d49 in hfs_open /fuzzing/sleuthkit/tsk/fs/hfs.c:6534:21
#4 0x508e89 in main /fuzzing/sleuthkit/tools/fstools/fls.cpp:267:19
#5 0x7fd4355322b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41d679 in _start (/fuzzing/sleuthkit/tools/fstools/fls+0x41d679)
0x62100001c900 is located 0 bytes to the right of 4096-byte region [0x62100001b900,0x62100001c900)
allocated by thread T0 here:
#0 0x4ccf98 in __interceptor_malloc (/fuzzing/sleuthkit/tools/fstools/fls+0x4ccf98)
#1 0x5bb28e in tsk_malloc /fuzzing/sleuthkit/tsk/base/mymalloc.c:32:16
#2 0x519c43 in hfs_cat_traverse /fuzzing/sleuthkit/tsk/fs/hfs.c:848:26
#3 0x52fcb8 in hfs_find_highest_inum /fuzzing/sleuthkit/tsk/fs/hfs.c:1745:9
#4 0x521d49 in hfs_open /fuzzing/sleuthkit/tsk/fs/hfs.c:6534:21
#5 0x508e89 in main /fuzzing/sleuthkit/tools/fstools/fls.cpp:267:19
#6 0x7fd4355322b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzzing/sleuthkit/tsk/fs/hfs.c:1731:28 in hfs_find_highest_inum_cb
Shadow bytes around the buggy address:
0x0c427fffb8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb920:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20==ABORTING
We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.
Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".
We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.
Don't hesitate to let us know if you have any questions!
Google AutoFuzz Team
artifacts_71626517.zip
The text was updated successfully, but these errors were encountered: