Hey there, I have discovered an out-of-bounds read in the sleuth kit at: raw.c:291:35
Found when fuzzing commit 4efa611.
Compile flags to reproduce:
CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make
System information:
$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
This bug was found to be in sleuth kit releases from 4.0.2 up to and including the latest release, 4.6.1.
You can find a collection of PoC files that trigger the bug here.
The full ASAN report is shown below:
$ tools/fstools/fls -lrp crash.file
=================================================================
==1043==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a2f8 at pc 0x0000004f7824 bp 0x7ffd0f823520 sp 0x7ffd0f823518
READ of size 8 at 0x60200000a2f8 thread T0
#0 0x4f7823 in raw_read /home/glenn/temp/sleuthkit/tsk/img/raw.c:291:35
#1 0x6e75ae in tsk_img_read /home/glenn/temp/sleuthkit/tsk/img/img_io.c:89:22
#2 0x6f2635 in ext2fs_dinode_load /home/glenn/temp/sleuthkit/tsk/fs/ext2fs.c:523:11
#3 0x73c512 in ext2fs_inode_lookup /home/glenn/temp/sleuthkit/tsk/fs/ext2fs.c:891:9
#4 0x510498 in tsk_fs_file_open_meta /home/glenn/temp/sleuthkit/tsk/fs/fs_file.c:128:9
#5 0x797cc2 in ext2fs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/ext2fs_dent.c:309:13
#6 0x5019cf in tsk_fs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:290:14
#7 0x503a02 in tsk_fs_dir_walk_lcl /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:556:19
#8 0x50375c in tsk_fs_dir_walk /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:817:14
#9 0x4fb072 in tsk_fs_fls /home/glenn/temp/sleuthkit/tsk/fs/fls_lib.c:262:12
#10 0x4efba8 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:307:9
#11 0x7f88a0d0082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#12 0x41a008 in _start (/home/glenn/temp/sleuthkit/results-binaries/fls-sleuthkit-4.6.1+0x41a008)
0x60200000a2f8 is located 0 bytes to the right of 8-byte region [0x60200000a2f0,0x60200000a2f8)
allocated by thread T0 here:
#0 0x4ba138 in __interceptor_malloc (/home/glenn/temp/sleuthkit/results-binaries/fls-sleuthkit-4.6.1+0x4ba138)
#1 0x6dea51 in tsk_malloc /home/glenn/temp/sleuthkit/tsk/base/mymalloc.c:32:16
#2 0x4f40e1 in raw_open /home/glenn/temp/sleuthkit/tsk/img/raw.c:703:23
#3 0x4f219f in tsk_img_open /home/glenn/temp/sleuthkit/tsk/img/img_open.c:222:25
#4 0x4ef402 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:256:17
#5 0x7f88a0d0082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/sleuthkit/tsk/img/raw.c:291:35 in raw_read
Shadow bytes around the buggy address:
0x0c047fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00[fa]
0x0c047fff9460: fa fa 04 fa fa fa 00 fa fa fa 00 04 fa fa 00 04
0x0c047fff9470: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff9480: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff9490: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x0c047fff94a0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1043==ABORTING
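The report above says: an 8-byte heap region was allocated in raw_open (one 64-bit entry), and raw_read performed an 8-byte READ exactly 0 bytes past its end, i.e. it indexed one element beyond a one-element array. The C program below is an added illustration of that access pattern and its hardened form; it is not code from this page or from The Sleuth Kit, and the names (img_t, seg_end, find_segment, seg_end_checked) and the choice of a per-segment end-offset table are assumptions, since the real allocation and index source in raw.c are not shown here. Built with the same -fsanitize=address flags and called with idx == num_seg, the unchecked lookup produces a report of the same shape.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the access pattern the ASan report describes:
 * an 8-byte heap region (one 64-bit entry) indexed with a value that can
 * reach one past its end. Illustrative only; NOT Sleuth Kit's raw.c. */

typedef struct {
    size_t    num_seg;  /* entries actually allocated in seg_end */
    uint64_t *seg_end;  /* cumulative end offset of each image segment */
} img_t;

/* Allocate an image with num_seg segments of seg_size bytes each.
 * With num_seg == 1 this is an 8-byte region like the one in the report. */
img_t *img_open(size_t num_seg, uint64_t seg_size) {
    if (num_seg == 0) return NULL;
    img_t *img = calloc(1, sizeof *img);
    if (!img) return NULL;
    img->seg_end = calloc(num_seg, sizeof *img->seg_end);
    if (!img->seg_end) { free(img); return NULL; }
    img->num_seg = num_seg;
    for (size_t i = 0; i < num_seg; i++)
        img->seg_end[i] = (i + 1) * seg_size;
    return img;
}

void img_close(img_t *img) {
    if (!img) return;
    free(img->seg_end);
    free(img);
}

/* Unchecked lookup: with idx == num_seg this is an 8-byte READ exactly
 * 0 bytes to the right of the region, the shape ASan reported for raw_read.
 * Only ever call it with idx < num_seg. */
uint64_t seg_end_unchecked(const img_t *img, size_t idx) {
    return img->seg_end[idx];
}

/* Hardened lookup: refuse any index at or past num_seg.
 * Returns 0 on success, -1 if idx is out of range. */
int seg_end_checked(const img_t *img, size_t idx, uint64_t *out) {
    if (!img || !out || idx >= img->num_seg) return -1;
    *out = img->seg_end[idx];
    return 0;
}

/* Map an absolute image offset to the segment holding it. The loop is
 * bounded by num_seg, and an offset beyond the last segment yields -1
 * instead of reading a non-existent table entry. */
int find_segment(const img_t *img, uint64_t off) {
    if (!img) return -1;
    for (size_t i = 0; i < img->num_seg; i++) {
        if (off < img->seg_end[i]) return (int)i;
    }
    return -1; /* off >= total image size: caller must return a short read */
}

int main(void) {
    img_t *img = img_open(1, 4096);   /* single-segment image, 8-byte table */
    uint64_t end = 0;
    printf("segment of offset 100: %d\n", find_segment(img, 100));
    printf("segment of offset 4096: %d\n", find_segment(img, 4096));
    printf("checked lookup of idx 1: %d\n", seg_end_checked(img, 1, &end));
    img_close(img);
    return 0;
}
```

The point for triage is that the fix belongs at the index computation, not in the reader: any index derived from image metadata (segment count, offsets from a crafted file) must be validated against the number of entries actually allocated before the table is dereferenced.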