Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AddressSanitizer: out-of-bounds read (OOB) in ntfs_make_data_run (tsk/fs/ntfs.c:591:12) #1265

Open
glen-mac opened this issue Jun 3, 2018 · 1 comment

Comments

@glen-mac
Copy link

glen-mac commented Jun 3, 2018

Hey there, I have discovered an out-of-bounds read in the sleuth kit at: ntfs.c:591:12

Found when fuzzing commit 4efa611.

Compile flags to reproduce:

CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make

System information:

$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This bug was found to be in sleuth kit releases from 4.0.1 up until and including the latest release 4.6.1

You can find a collection of PoC files that trigger the bug here

The full ASAN report is shown below:

↳ tools/fstools/fls -lrp crash.file
=================================================================
==26676==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000270b8 at pc 0x0000006620e8 bp 0x7fff9bbf5fe0 sp 0x7fff9bbf5fd8
READ of size 1 at 0x6190000270b8 thread T0
    #0 0x6620e7 in ntfs_make_data_run /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:591:12
    #1 0x5f6a3b in ntfs_load_bmap /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:3062:10
    #2 0x5f6a3b in ntfs_open /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:5200
    #3 0x51f81b in tsk_fs_open_img /home/glenn/temp/sleuthkit/tsk/fs/fs_open.c:124:28
    #4 0x4ef892 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:267:19
    #5 0x7fe550ee682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x41a008 in _start (/home/glenn/temp/sleuthkit/results-binaries/fls-sleuthkit-4.6.1+0x41a008)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:591:12 in ntfs_make_data_run
Shadow bytes around the buggy address:
  0x0c327fffcdc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffcdd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffcde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffcdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffce00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fffce10: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c327fffce20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffce30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffce40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffce50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffce60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26676==ABORTING
@FIOpwK
Copy link

FIOpwK commented Jul 8, 2019

CVE-2018-11738 was assigned to this issue (not requested by me)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants