Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AddressSanitizer: out-of-bounds unmapped memory access in ntfs_fix_idxrec (tsk/fs/ntfs_dent.cpp:680:16) #1266

Open
glen-mac opened this issue Jun 3, 2018 · 1 comment

Comments

@glen-mac
Copy link

glen-mac commented Jun 3, 2018

Hey there, I have discovered an unmapped memory access in the sleuth kit at: ntfs_dent.cpp:680:16

Found when fuzzing commit 4efa611.

Compile flags to reproduce:

CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make

System information:

$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This bug was found to be in sleuth kit releases from 4.0.1 up until and including the latest release 4.6.1

You can find a POC that triggers the bug here.

The full ASAN report is shown below:

↳ tools/fstools/fls -lrp crash.file
=================================================================
==7493==ERROR: AddressSanitizer: SEGV on unknown address 0x621000024d28 (pc 0x000000691ae9 bp 0x7ffd4abaa8b0 sp 0x7
ffd4abaa7e0 T0)
    #0 0x691ae8 in ntfs_fix_idxrec(NTFS_INFO*, ntfs_idxrec*, unsigned int) /home/glenn/temp/sleuthkit/tsk/fs/ntfs_d
ent.cpp:680:16
    #1 0x680008 in ntfs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/ntfs_dent.cpp:1167:17
    #2 0x5019cf in tsk_fs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:290:14
    #3 0x503a02 in tsk_fs_dir_walk_lcl /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:556:19
    #4 0x50375c in tsk_fs_dir_walk /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:817:14
    #5 0x4fb072 in tsk_fs_fls /home/glenn/temp/sleuthkit/tsk/fs/fls_lib.c:262:12
    #6 0x4efba8 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:307:9
    #7 0x7f91cec5e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41a008 in _start (/home/glenn/temp/sleuthkit/results-binaries/fls-sleuthkit-4.6.1+0x41a008)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/glenn/temp/sleuthkit/tsk/fs/ntfs_dent.cpp:680:16 in ntfs_fix_idxrec(NTFS_INFO
*, ntfs_idxrec*, unsigned int)
==7493==ABORTING
@FIOpwK
Copy link

FIOpwK commented Jul 8, 2019

CVE-2018-11737 was assigned to this issue (not requested by me)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants