Hey there, I have discovered an out-of-bounds read in the sleuth kit at: ntfs.c:591:12
Found when fuzzing commit 4efa611.
Compile flags to reproduce:
CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make
System information:
$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
This bug was found to be in sleuth kit releases from 4.0.1 up until and including the latest release 4.6.1.
You can find a collection of PoC files that trigger the bug here.
The full ASAN report is shown below:
$ tools/fstools/fls -lrp crash.file
=================================================================
==26676==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000270b8 at pc 0x0000006620e8 bp 0x7fff9bbf5fe0 sp 0x7fff9bbf5fd8
READ of size 1 at 0x6190000270b8 thread T0
#0 0x6620e7 in ntfs_make_data_run /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:591:12
#1 0x5f6a3b in ntfs_load_bmap /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:3062:10
#2 0x5f6a3b in ntfs_open /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:5200
#3 0x51f81b in tsk_fs_open_img /home/glenn/temp/sleuthkit/tsk/fs/fs_open.c:124:28
#4 0x4ef892 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:267:19
#5 0x7fe550ee682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#6 0x41a008 in _start (/home/glenn/temp/sleuthkit/results-binaries/fls-sleuthkit-4.6.1+0x41a008)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/sleuthkit/tsk/fs/ntfs.c:591:12 in ntfs_make_data_run
Shadow bytes around the buggy address:
0x0c327fffcdc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffcdd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffcde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffcdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffce00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fffce10: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
0x0c327fffce20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffce30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffce40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffce50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fffce60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26676==ABORTING
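The report above shows a 1-byte heap read past the end of a buffer inside ntfs_make_data_run, the routine that walks an NTFS attribute's run list (a sequence of variable-length entries: one header byte whose low nibble gives the size of the length field and whose high nibble gives the size of the offset field, followed by those fields). The defensive pattern that rules out this class of read is to check the bytes remaining in the attribute before every field read, including the header byte itself. The decoder below is an added illustration of that pattern; it is not The Sleuth Kit's code and does not claim to reproduce the exact defect in ntfs.c. The function names and the sample byte sequences are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One decoded run: length in clusters and absolute starting cluster (LCN).
   sparse == 1 means the run has no on-disk location (offset field size 0). */
typedef struct {
    uint64_t len;
    int64_t  lcn;
    int      sparse;
} ntfs_run_t;

/* Decode an NTFS run list from buf[0..buf_len). Returns the number of runs
   stored in out, or -1 on malformed, truncated or oversized input.
   Hypothetical helper written for this example, not TSK's ntfs_make_data_run. */
int decode_run_list(const uint8_t *buf, size_t buf_len,
                    ntfs_run_t *out, size_t max_runs)
{
    size_t pos = 0, n = 0;
    int64_t prev_lcn = 0;

    for (;;) {
        /* Bounds check before the header byte: a run list that does not end
           with a 0x00 terminator inside the buffer is rejected, not read past. */
        if (pos >= buf_len) return -1;
        uint8_t hdr = buf[pos++];
        if (hdr == 0) break;                      /* end-of-list marker */

        unsigned len_size = hdr & 0x0F;
        unsigned off_size = hdr >> 4;
        /* Field sizes above 8 bytes are meaningless; a zero-length field is invalid. */
        if (len_size == 0 || len_size > 8 || off_size > 8) return -1;
        /* Bounds check before the variable-length fields: the header promises
           len_size + off_size more bytes, so they must all be inside the buffer. */
        if (buf_len - pos < (size_t)len_size + off_size) return -1;

        uint64_t len = 0;                         /* little-endian, unsigned */
        for (unsigned i = 0; i < len_size; i++)
            len |= (uint64_t)buf[pos + i] << (8 * i);
        pos += len_size;
        if (len == 0) return -1;

        int sparse = (off_size == 0);
        if (!sparse) {
            uint64_t raw = 0;                     /* little-endian, signed delta */
            for (unsigned i = 0; i < off_size; i++)
                raw |= (uint64_t)buf[pos + i] << (8 * i);
            pos += off_size;
            /* Sign-extend from off_size bytes to 64 bits. */
            if (off_size < 8 && (raw & ((uint64_t)1 << (8 * off_size - 1))))
                raw |= ~(uint64_t)0 << (8 * off_size);
            prev_lcn += (int64_t)raw;             /* offsets are relative to the previous run */
        }

        if (n >= max_runs) return -1;             /* caller's array is full */
        out[n].len = len;
        out[n].lcn = sparse ? -1 : prev_lcn;
        out[n].sparse = sparse;
        n++;
    }
    return (int)n;
}

/* Constructed sample inputs for this example (not the reporter's PoC files). */
static const uint8_t SAMPLE_VALID[] = {
    0x21, 0x18, 0x34, 0x56,   /* 24 clusters starting at LCN 0x5634 (22068) */
    0x21, 0x02, 0xF0, 0xFF,   /* 2 clusters, delta -16 -> LCN 22052 */
    0x01, 0x03,               /* sparse run of 3 clusters */
    0x00                      /* terminator */
};
/* Header promises a 1-byte length and a 2-byte offset, but only one byte follows. */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x21, 0x18, 0x34 };

int sample_valid_count(void)
{
    ntfs_run_t r[8];
    return decode_run_list(SAMPLE_VALID, sizeof SAMPLE_VALID, r, 8);
}

int64_t sample_valid_lcn(int idx)
{
    ntfs_run_t r[8];
    int n = decode_run_list(SAMPLE_VALID, sizeof SAMPLE_VALID, r, 8);
    return (idx >= 0 && idx < n) ? r[idx].lcn : -2;
}

int sample_truncated_count(void)
{
    ntfs_run_t r[8];
    return decode_run_list(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, r, 8);
}

int main(void)
{
    ntfs_run_t runs[8];
    int n = decode_run_list(SAMPLE_VALID, sizeof SAMPLE_VALID, runs, 8);
    for (int i = 0; i < n; i++)
        printf("run %d: len=%llu lcn=%lld%s\n", i, (unsigned long long)runs[i].len,
               (long long)runs[i].lcn, runs[i].sparse ? " (sparse)" : "");
    printf("truncated sample -> %d\n", sample_truncated_count());
    return 0;
}
```

The truncated sample is the shape of input a fuzzer produces: the header byte is valid, so a decoder that trusts it and reads the promised field bytes walks off the end of the attribute buffer, which under ASan surfaces exactly as a heap-buffer-overflow READ of size 1. Checking `buf_len - pos` against the promised field sizes before each read, and rejecting field sizes above 8, turns that read into a clean parse error.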