AddressSanitizer: out-of-bounds read (OOB) in raw_read (tsk/img/raw.c:291:35) #1267

Open
glen-mac opened this issue Jun 3, 2018 · 1 comment

Comments


glen-mac commented Jun 3, 2018

Hey there, I have discovered an out-of-bounds read in the Sleuth Kit at raw.c:291:35.

Found when fuzzing commit 4efa611.

Compile flags to reproduce:

CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make

System information:

$ uname -a
Linux s127422 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This bug was found to be in Sleuth Kit releases from 4.0.2 up to and including the latest release, 4.6.1.

You can find a collection of PoC files that trigger the bug here.

The full ASAN report is shown below:

↳ tools/fstools/fls -lrp crash.file
=================================================================
==1043==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a2f8 at pc 0x0000004f7824 bp 0x7ffd0f823520 sp 0x7ffd0f823518
READ of size 8 at 0x60200000a2f8 thread T0
    #0 0x4f7823 in raw_read /home/glenn/temp/sleuthkit/tsk/img/raw.c:291:35
    #1 0x6e75ae in tsk_img_read /home/glenn/temp/sleuthkit/tsk/img/img_io.c:89:22
    #2 0x6f2635 in ext2fs_dinode_load /home/glenn/temp/sleuthkit/tsk/fs/ext2fs.c:523:11
    #3 0x73c512 in ext2fs_inode_lookup /home/glenn/temp/sleuthkit/tsk/fs/ext2fs.c:891:9
    #4 0x510498 in tsk_fs_file_open_meta /home/glenn/temp/sleuthkit/tsk/fs/fs_file.c:128:9
    #5 0x797cc2 in ext2fs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/ext2fs_dent.c:309:13
    #6 0x5019cf in tsk_fs_dir_open_meta /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:290:14
    #7 0x503a02 in tsk_fs_dir_walk_lcl /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:556:19
    #8 0x50375c in tsk_fs_dir_walk /home/glenn/temp/sleuthkit/tsk/fs/fs_dir.c:817:14
    #9 0x4fb072 in tsk_fs_fls /home/glenn/temp/sleuthkit/tsk/fs/fls_lib.c:262:12
    #10 0x4efba8 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:307:9
    #11 0x7f88a0d0082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x41a008 in _start (/home/glenn/temp/sleuthkit/results-binaries/fls-sleuthkit-4.6.1+0x41a008)

0x60200000a2f8 is located 0 bytes to the right of 8-byte region [0x60200000a2f0,0x60200000a2f8)
allocated by thread T0 here:
    #0 0x4ba138 in __interceptor_malloc (/home/glenn/temp/sleuthkit/results-binaries/fls-sleuthkit-4.6.1+0x4ba138)
    #1 0x6dea51 in tsk_malloc /home/glenn/temp/sleuthkit/tsk/base/mymalloc.c:32:16
    #2 0x4f40e1 in raw_open /home/glenn/temp/sleuthkit/tsk/img/raw.c:703:23
    #3 0x4f219f in tsk_img_open /home/glenn/temp/sleuthkit/tsk/img/img_open.c:222:25
    #4 0x4ef402 in main /home/glenn/temp/sleuthkit/tools/fstools/fls.cpp:256:17
    #5 0x7f88a0d0082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/glenn/temp/sleuthkit/tsk/img/raw.c:291:35 in raw_read
Shadow bytes around the buggy address:
  0x0c047fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00[fa]
  0x0c047fff9460: fa fa 04 fa fa fa 00 fa fa fa 00 04 fa fa 00 04
  0x0c047fff9470: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9480: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9490: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff94a0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1043==ABORTING
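As an added illustration (not the project's code; the actual source at raw.c:291 is not shown on this page), here is a hypothetical C model of the bug class the report describes: an 8-byte heap table indexed one element past its end, shown beside a lookup that rejects the offset instead. The segment layout, names and sizes are assumptions chosen to match the 8-byte region and 8-byte read in the ASAN output.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the bug class in the report above (NOT sleuthkit's
 * raw.c): a segmented raw image keeps one 8-byte end offset per segment in a
 * heap array sized at open time. One segment gives exactly the 8-byte region
 * the ASAN report shows. */
typedef struct {
    int      num_seg;  /* number of image segments */
    int64_t *max_off;  /* max_off[i] = first byte offset past segment i */
} seg_img;

/* Unsafe pattern: for an offset beyond the last segment the loop exits with
 * idx == num_seg, and the read below touches max_off[num_seg], i.e. 0 bytes
 * to the right of the allocation, which is what ASAN flags as READ of size 8.
 * Kept only to show the shape; it is never called here. */
int64_t seg_end_unchecked(const seg_img *img, int64_t off) {
    int idx;
    for (idx = 0; idx < img->num_seg; idx++)
        if (off < img->max_off[idx]) break;
    return img->max_off[idx];  /* out-of-bounds read when idx == num_seg */
}

/* Hardened version: an offset not covered by any segment is an error, not an
 * index. Returns the segment index, or -1 when the offset is out of range. */
static int seg_find(const seg_img *img, int64_t off) {
    int idx;
    if (off < 0) return -1;
    for (idx = 0; idx < img->num_seg; idx++)
        if (off < img->max_off[idx]) return idx;
    return -1;  /* idx == num_seg: refuse instead of reading past the end */
}

/* Build a constructed image from a list of cumulative end offsets, run the
 * checked lookup for one offset, and free everything. */
static int lookup_in_image(const int64_t *ends, int n, int64_t off) {
    seg_img img;
    img.num_seg = n;
    img.max_off = malloc((size_t)n * sizeof(int64_t));  /* 8 * n bytes */
    if (!img.max_off) return -2;
    memcpy(img.max_off, ends, (size_t)n * sizeof(int64_t));
    int idx = seg_find(&img, off);
    free(img.max_off);
    return idx;
}
```

Building this with the same `-fsanitize=address` flags from the report and calling the unchecked variant with an offset past the image end reproduces a "0 bytes to the right of 8-byte region" heap-buffer-overflow of the same shape.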

FIOpwK commented Jul 8, 2019

CVE-2018-11739 was assigned to this issue (not requested by me).
