CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make
System information:
$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
This bug was found to be present in Sleuth Kit releases from 4.0.2 up to and including the latest release, 4.6.1.
You can find a collection of PoC files that trigger the bug here.
The full ASAN report is shown below:
$ tools/fstools/fls -lrp crash.file
=================================================================
==1043==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a2f8 at pc 0x0000004f7824 bp 0x7ffd0f823520 sp 0x7ffd0f823518
READ of size 8 at 0x60200000a2f8 thread T0
#0 0x4f7823 in raw_read /home/glenn/temp/sleuthkit/tsk/img/raw.c:291:35
#1 0x6e75ae in tsk_img_read /home/glenn/temp/sleuthkit/tsk/img/img_io.c:89:22
#2 0x6f2635 in ext2fs_dinode_load /home/glenn/temp/sleuthkit/tsk/fs/ext2fs.c:523:11
#3 0x73c512 in ext2fs_inode_lookup /home/glenn/temp/sleuthkit/tsk/fs/ext2fs.c:891:9
#4 0x510498 in tsk_fs_file_open_meta /home/glenn/temp/sleuthkit/tsk/fs/fs_file.c:128:9
#5 0x797cc2 in ext2fs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/ext2fs_dent.c:309:13
#6 0x5019cf in tsk_fs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:290:14
#7 0x503a02 in tsk_fs_dir_walk_lcl /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:556:19
#8 0x50375c in tsk_fs_dir_walk /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:817:14
#9 0x4fb072 in tsk_fs_fls /home/glenn/temp/sleuthkit/tsk/fs/fls_lib.c:262:12
#10 0x4efba8 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:307:9
#11 0x7f88a0d0082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#12 0x41a008 in _start (/home/glenn/temp/sleuthkit/results-binaries/fls-sleuthkit-4.6.1+0x41a008)
0x60200000a2f8 is located 0 bytes to the right of 8-byte region [0x60200000a2f0,0x60200000a2f8)
allocated by thread T0 here:
#0 0x4ba138 in __interceptor_malloc (/home/glenn/temp/sleuthkit/results-binaries/fls-sleuthkit-4.6.1+0x4ba138)
#1 0x6dea51 in tsk_malloc /home/glenn/temp/sleuthkit/tsk/base/mymalloc.c:32:16
#2 0x4f40e1 in raw_open /home/glenn/temp/sleuthkit/tsk/img/raw.c:703:23
#3 0x4f219f in tsk_img_open /home/glenn/temp/sleuthkit/tsk/img/img_open.c:222:25
#4 0x4ef402 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:256:17
#5 0x7f88a0d0082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/sleuthkit/tsk/img/raw.c:291:35 in raw_read
Shadow bytes around the buggy address:
0x0c047fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00[fa]
0x0c047fff9460: fa fa 04 fa fa fa 00 fa fa fa 00 04 fa fa 00 04
0x0c047fff9470: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff9480: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff9490: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff94a0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1043==ABORTING
Hey there, I have discovered an out-of-bounds read in the Sleuth Kit at raw.c:291:35.
Found when fuzzing commit 4efa611.