Hey there, I have discovered a one-byte out-of-bounds read in the sleuth kit at: tsk_unicode.c:159:14
Found when fuzzing commit 4efa611.
Compile flags to reproduce:
```
CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make
```
System information:
```
$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
```
This bug was found to be in sleuth kit releases from 4.0.1 until the recent commit fuzzed 4efa611.
You can find a collection of PoC files that trigger the bug here.
The full ASAN report is shown below:
```
$ tools/fstools/fls -lrp crash.file
=================================================================
==3797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000019577 at pc 0x0000006d754e bp 0x7ffe2a7031e0 sp 0x7ffe2a7031d8
READ of size 1 at 0x619000019577 thread T0
    #0 0x6d754d in tsk_UTF16toUTF8 /home/glenn/temp/sleuthkit/tsk/base/tsk_unicode.c:159:14
    #1 0x635502 in ntfs_proc_attrseq /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:1723:17
    #2 0x62ebb1 in ntfs_dinode_copy /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:2626:19
    #3 0x5fc4e4 in ntfs_inode_walk /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:3937:17
    #4 0x67455b in ntfs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/ntfs_dent.cpp:1228:13
    #5 0x50110f in tsk_fs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:276:14
    #6 0x503942 in tsk_fs_dir_walk_lcl /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:551:19
    #7 0x50369c in tsk_fs_dir_walk /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:803:14
    #8 0x4faa72 in tsk_fs_fls /home/glenn/temp/sleuthkit/tsk/fs/fls_lib.c:262:12
    #9 0x4efaa0 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:303:9
    #10 0x7fee8bfa382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x419f38 in _start (/home/glenn/temp/sleuthkit/tools/fstools/fls+0x419f38)

0x619000019577 is located 247 bytes to the right of 1024-byte region [0x619000019080,0x619000019480)
allocated by thread T0 here:
    #0 0x4ba068 in __interceptor_malloc (/home/glenn/temp/sleuthkit/tools/fstools/fls+0x4ba068)
    #1 0x6d05b1 in tsk_malloc /home/glenn/temp/sleuthkit/tsk/base/mymalloc.c:32:16
    #2 0x5fc07a in ntfs_inode_walk /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:3879:29
    #3 0x67455b in ntfs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/ntfs_dent.cpp:1228:13
    #4 0x50110f in tsk_fs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:276:14
    #5 0x503942 in tsk_fs_dir_walk_lcl /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:551:19
    #6 0x50369c in tsk_fs_dir_walk /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:803:14
    #7 0x4faa72 in tsk_fs_fls /home/glenn/temp/sleuthkit/tsk/fs/fls_lib.c:262:12
    #8 0x4efaa0 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:303:9
    #9 0x7fee8bfa382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/sleuthkit/tsk/base/tsk_unicode.c:159:14 in tsk_UTF16toUTF8
Shadow bytes around the buggy address:
  0x0c327fffb250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffb260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffb270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffb280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffb290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fffb2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x0c327fffb2b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fffb2c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fffb2d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fffb2e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fffb2f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3797==ABORTING
```
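As an added triage aid (not part of the original issue or of The Sleuth Kit), the Python below pulls the fields worth checking out of the report above: error kind, faulting access, top frame, how far past the reported region the address lies, and the shadow byte ASan bracketed. It embeds a constructed excerpt of the report quoted in this issue, cross-checks the stated 247-byte distance against the region bounds, and checks the bracketed shadow row against the default x86_64 Linux shadow mapping (an assumption about the reporter's platform, consistent with the `uname` output).

```python
import re

# Constructed excerpt of the ASan report quoted in this issue (trimmed to the lines used).
ASAN_REPORT = """\
==3797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000019577 at pc 0x0000006d754e bp 0x7ffe2a7031e0 sp 0x7ffe2a7031d8
READ of size 1 at 0x619000019577 thread T0
    #0 0x6d754d in tsk_UTF16toUTF8 /home/glenn/temp/sleuthkit/tsk/base/tsk_unicode.c:159:14
    #1 0x635502 in ntfs_proc_attrseq /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:1723:17
0x619000019577 is located 247 bytes to the right of 1024-byte region [0x619000019080,0x619000019480)
Shadow bytes around the buggy address:
  0x0c327fffb290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fffb2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x0c327fffb2b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
"""

# Subset of the shadow-byte legend ASan prints at the end of every report.
SHADOW_LEGEND = {"00": "Addressable", "fa": "Heap left redzone",
                 "fb": "Heap right redzone", "fd": "Freed heap region"}


def triage_asan(report: str) -> dict:
    """Extract the fields a triager needs from an ASan heap report and sanity-check them."""
    hdr = re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    acc = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M)
    top = re.search(r"^\s*#0 0x[0-9a-f]+ in (\S+) (\S+)$", report, re.M)
    loc = re.search(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    shadow = re.search(r"^=>(0x[0-9a-f]+):.*\[([0-9a-f]{2})\]", report, re.M)
    addr = int(hdr.group(2), 16)
    lo, hi = int(loc.group(4), 16), int(loc.group(5), 16)
    info = {
        "kind": hdr.group(1), "address": addr,
        "access": acc.group(1), "size": int(acc.group(2)),
        "function": top.group(1), "source": top.group(2),
        "region_size": int(loc.group(3)), "distance": int(loc.group(1)), "side": loc.group(2),
        "shadow_byte": shadow.group(2),
        "shadow_meaning": SHADOW_LEGEND.get(shadow.group(2), "unknown"),
    }
    # The printed distance must agree with the region bounds ASan gives.
    expected = addr - hi if loc.group(2) == "right" else lo - addr
    info["distance_consistent"] = (expected == info["distance"])
    # Default x86_64 Linux mapping: shadow = (addr >> 3) + 0x7fff8000; rows are 16 bytes wide.
    info["shadow_row_matches"] = (((addr >> 3) + 0x7FFF8000) & ~0xF) == int(shadow.group(1), 16)
    return info


if __name__ == "__main__":
    for key, value in triage_asan(ASAN_REPORT).items():
        print(f"{key}: {value}")
```

For this report the faulting byte lies in a left redzone beyond the allocation's own right redzone, next to shadow rows marked as freed, which is the observation behind the reporter's retitled "UAF and OOB" summary.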
glen-mac changed the title from "AddressSanitizer: out-of-bounds read (OOB) in tsk_UTF16toUTF8 (tsk/base/tsk_unicode.c:159:14)" to "AddressSanitizer: use-after-free (UAF) and out-of-bounds read (OOB) in tsk_UTF16toUTF8 (tsk/base/tsk_unicode.c:159:14)" on Jun 4, 2018