
AddressSanitizer: use-after-free (UAF) and out-of-bounds read (OOB) in tsk_UTF16toUTF8 (tsk/base/tsk_unicode.c:159:14) #1264

Open
glen-mac opened this issue Jun 3, 2018 · 1 comment

Comments

@glen-mac

glen-mac commented Jun 3, 2018

Hey there, I have discovered a one byte out-of-bounds read in the sleuth kit at: tsk_unicode.c:159:14

Found when fuzzing commit 4efa611.

Compile flags to reproduce:

CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make

System information:

$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This bug was found to be in sleuth kit releases from 4.0.1 until the recent commit fuzzed 4efa611.

You can find a collection of PoC files that trigger the bug here.

The full ASAN report is shown below:

↳ tools/fstools/fls -lrp crash.file
=================================================================
==3797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000019577 at pc 0x0000006d754e bp 0x7ffe2a7031e0 sp 0x7ffe2a7031d8
READ of size 1 at 0x619000019577 thread T0
    #0 0x6d754d in tsk_UTF16toUTF8 /home/glenn/temp/sleuthkit/tsk/base/tsk_unicode.c:159:14
    #1 0x635502 in ntfs_proc_attrseq /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:1723:17
    #2 0x62ebb1 in ntfs_dinode_copy /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:2626:19
    #3 0x5fc4e4 in ntfs_inode_walk /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:3937:17
    #4 0x67455b in ntfs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/ntfs_dent.cpp:1228:13
    #5 0x50110f in tsk_fs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:276:14
    #6 0x503942 in tsk_fs_dir_walk_lcl /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:551:19
    #7 0x50369c in tsk_fs_dir_walk /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:803:14
    #8 0x4faa72 in tsk_fs_fls /home/glenn/temp/sleuthkit/tsk/fs/fls_lib.c:262:12
    #9 0x4efaa0 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:303:9
    #10 0x7fee8bfa382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x419f38 in _start (/home/glenn/temp/sleuthkit/tools/fstools/fls+0x419f38)

0x619000019577 is located 247 bytes to the right of 1024-byte region [0x619000019080,0x619000019480)
allocated by thread T0 here:
    #0 0x4ba068 in __interceptor_malloc (/home/glenn/temp/sleuthkit/tools/fstools/fls+0x4ba068)
    #1 0x6d05b1 in tsk_malloc /home/glenn/temp/sleuthkit/tsk/base/mymalloc.c:32:16
    #2 0x5fc07a in ntfs_inode_walk /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:3879:29
    #3 0x67455b in ntfs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/ntfs_dent.cpp:1228:13
    #4 0x50110f in tsk_fs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:276:14
    #5 0x503942 in tsk_fs_dir_walk_lcl /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:551:19
    #6 0x50369c in tsk_fs_dir_walk /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:803:14
    #7 0x4faa72 in tsk_fs_fls /home/glenn/temp/sleuthkit/tsk/fs/fls_lib.c:262:12
    #8 0x4efaa0 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:303:9
    #9 0x7fee8bfa382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/sleuthkit/tsk/base/tsk_unicode.c:159:14 in tsk_UTF16toUTF8
Shadow bytes around the buggy address:
  0x0c327fffb250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffb260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffb270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffb280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffb290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fffb2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x0c327fffb2b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fffb2c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fffb2d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fffb2e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fffb2f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3797==ABORTING
@glen-mac glen-mac changed the title AddressSanitizer: out-of-bounds read (OOB) in tsk_UTF16toUTF8 (tsk/base/tsk_unicode.c:159:14) AddressSanitizer: use-after-free (UAF) and out-of-bounds read (OOB) in tsk_UTF16toUTF8 (tsk/base/tsk_unicode.c:159:14) Jun 4, 2018
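The call chain in the report shows tsk_UTF16toUTF8 reading one byte 247 bytes past a 1024-byte heap region allocated in ntfs_inode_walk, while converting a name from an NTFS attribute sequence. As an added example (not code from The Sleuth Kit or from the reporter, and not a statement of TSK's actual root cause or fix), here is the shape of the two checks that stop this class of read: a UTF-16LE-to-UTF-8 converter that guards every read on the unit count it was given (so a high surrogate in the last position is rejected instead of reading the unit after it), behind a caller that verifies the on-disk, attacker-controlled name offset and length fit inside the record buffer before any byte of the name is touched. The record layout, the function names and the use of a 1024-byte record are assumptions chosen for illustration:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode nunits UTF-16LE code units from src into NUL-terminated UTF-8.
 * Every read of src is bounded by nunits; a high surrogate that is the last
 * unit is an error, not a reason to read one more unit. Returns 0 or -1. */
int utf16le_to_utf8(const uint8_t *src, size_t nunits, char *dst, size_t dstlen)
{
    size_t i = 0, o = 0;
    while (i < nunits) {
        uint32_t cp = src[2 * i] | ((uint32_t)src[2 * i + 1] << 8);
        i++;
        if (cp >= 0xD800 && cp <= 0xDBFF) {                /* high surrogate */
            if (i >= nunits)
                return -1;                                 /* truncated pair */
            uint32_t lo = src[2 * i] | ((uint32_t)src[2 * i + 1] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF)
                return -1;                                 /* no low surrogate */
            i++;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                                     /* stray low surrogate */
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (dstlen == 0 || o + need > dstlen - 1)          /* keep room for NUL */
            return -1;
        switch (need) {
        case 1: dst[o++] = (char)cp; break;
        case 2: dst[o++] = (char)(0xC0 | (cp >> 6));
                dst[o++] = (char)(0x80 | (cp & 0x3F)); break;
        case 3: dst[o++] = (char)(0xE0 | (cp >> 12));
                dst[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
                dst[o++] = (char)(0x80 | (cp & 0x3F)); break;
        default: dst[o++] = (char)(0xF0 | (cp >> 18));
                dst[o++] = (char)(0x80 | ((cp >> 12) & 0x3F));
                dst[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
                dst[o++] = (char)(0x80 | (cp & 0x3F)); break;
        }
    }
    dst[o] = '\0';
    return 0;
}

/* Hypothetical caller (assumed layout, not TSK's): the name offset and unit
 * count come from on-disk metadata inside a reclen-byte record. The name must
 * lie entirely inside the record, checked without integer overflow, before
 * the converter is handed a pointer into it. */
int attr_name_to_utf8(const uint8_t *rec, size_t reclen,
                      size_t name_off, size_t name_units,
                      char *dst, size_t dstlen)
{
    if (name_units > SIZE_MAX / 2)
        return -1;
    size_t name_bytes = name_units * 2;
    if (name_off > reclen || name_bytes > reclen - name_off)
        return -1;                                         /* runs past the record */
    return utf16le_to_utf8(rec + name_off, name_units, dst, dstlen);
}

#define REC_SIZE 1024   /* constructed record, same size as the region in the report */

/* Constructed record: "$I30" in UTF-16LE occupies the last 8 bytes. */
static void build_record(uint8_t *rec)
{
    static const uint8_t name[8] = { '$', 0, 'I', 0, '3', 0, '0', 0 };
    memset(rec, 0, REC_SIZE);
    memcpy(rec + REC_SIZE - sizeof name, name, sizeof name);
}

/* Header claims 4 units at offset 1016: fits exactly, converts to "$I30". */
int demo_name_in_bounds(void)
{
    uint8_t rec[REC_SIZE]; char out[32];
    build_record(rec);
    return attr_name_to_utf8(rec, REC_SIZE, REC_SIZE - 8, 4, out, sizeof out) == 0
           && strcmp(out, "$I30") == 0;
}

/* Header claims 6 units at offset 1016: 12 bytes would overrun the record. */
int demo_name_overruns_record(void)
{
    uint8_t rec[REC_SIZE]; char out[32];
    build_record(rec);
    return attr_name_to_utf8(rec, REC_SIZE, REC_SIZE - 8, 6, out, sizeof out);
}

/* Lone high surrogate U+D83D as the last unit: rejected, not read past. */
int demo_truncated_surrogate(void)
{
    static const uint8_t in[2] = { 0x3D, 0xD8 };
    char out[8];
    return utf16le_to_utf8(in, 1, out, sizeof out);
}

/* Complete pair D83D DE00 (U+1F600) encodes to F0 9F 98 80. */
int demo_surrogate_pair(void)
{
    static const uint8_t in[4] = { 0x3D, 0xD8, 0x00, 0xDE };
    char out[8];
    return utf16le_to_utf8(in, 2, out, sizeof out) == 0
           && memcmp(out, "\xF0\x9F\x98\x80", 5) == 0;
}

int main(void)
{
    printf("in-bounds name ok: %d\n", demo_name_in_bounds());
    printf("overrun rejected: %d\n", demo_name_overruns_record() == -1);
    printf("truncated surrogate rejected: %d\n", demo_truncated_surrogate() == -1);
    printf("surrogate pair ok: %d\n", demo_surrogate_pair());
    return 0;
}
```

The second check is the one that matters for the report above: a converter that trusts its unit count is only as safe as the caller that computed it from parser-controlled fields, so the fit-in-record test belongs at the point where the length leaves the on-disk structure, and the converter's own surrogate guard covers the remaining one-unit overread that a correct length cannot prevent.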
@FIOpwK

FIOpwK commented Jul 8, 2019

CVE-2018-11740 was assigned for this issue. (not requested by me)
