fls crashes with double free or corruption on corrupt image. #905

Closed
adambuchbinder opened this Issue Aug 24, 2017 · 0 comments

adambuchbinder commented Aug 24, 2017

To reproduce:

$ unzip doublefree.zip
Archive:  doublefree.zip
  inflating: doublefree.img
$ fls doublefree.img
*** Error in `fls': double free or corruption (out): 0x00000000007c0c50 ***

This bug was found using american fuzzy lop and input files ultimately from files.fuzzing-project.org.

Backtrace:

Program received signal SIGABRT, Aborted.
0x00007ffff70f6c37 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff70f6c37 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff70fa028 in __GI_abort () at abort.c:89
#2  0x00007ffff71332a4 in __libc_message (do_abort=do_abort@entry=1, 
    fmt=fmt@entry=0x7ffff7245310 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff713f82e in malloc_printerr (ptr=<optimized out>, 
    str=0x7ffff7245440 "double free or corruption (out)", action=1)
    at malloc.c:4998
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0)
    at malloc.c:3842
#5  0x000000000051b92b in ext2fs_dinode_copy (ext2fs=ext2fs@entry=0x7bccf0, 
    fs_meta=0x7bfda0, inum=inum@entry=2, dino_buf=dino_buf@entry=0x7bff20)
    at ext2fs.c:802
#6  0x000000000051ca1e in ext2fs_inode_lookup (fs=0x7bccf0, 
    a_fs_file=0x7bcc80, inum=2) at ext2fs.c:911
#7  0x000000000042547d in tsk_fs_file_open_meta (a_fs=a_fs@entry=0x7bccf0, 
    a_fs_file=a_fs_file@entry=0x0, a_addr=a_addr@entry=2) at fs_file.c:128
#8  0x0000000000529e55 in ext2fs_dir_open_meta (a_fs=0x7bccf0, 
    a_fs_dir=0x7fffffffc470, a_addr=2) at ext2fs_dent.c:310
#9  0x000000000041c9a0 in tsk_fs_dir_open_meta (a_fs=<optimized out>, 
    a_addr=<optimized out>) at fs_dir.c:290
#10 0x000000000041ce01 in tsk_fs_dir_walk_lcl (a_fs=a_fs@entry=0x7bccf0, 
    a_dinfo=a_dinfo@entry=0x7fffffffc550, a_addr=a_addr@entry=2, 
    a_flags=a_flags@entry=(TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC), a_action=a_action@entry=0x416a50 <print_dent_act>, 
    a_ptr=a_ptr@entry=0x7fffffffd9c0) at fs_dir.c:556
#11 0x000000000041f7a9 in tsk_fs_dir_walk (a_fs=0x7bccf0, a_addr=2, 
    a_flags=<optimized out>, a_action=0x416a50 <print_dent_act>, 
    a_ptr=0x7fffffffd9c0) at fs_dir.c:817
#12 0x0000000000421889 in tsk_fs_dir_walk (a_fs=<optimized out>, 
    a_addr=<optimized out>, a_flags=<optimized out>, 
    a_action=a_action@entry=0x416a50 <print_dent_act>, 
    a_ptr=a_ptr@entry=0x7fffffffd9c0) at fs_dir.c:841
#13 0x000000000041883e in tsk_fs_fls (fs=<optimized out>, 
    lclflags=<optimized out>, inode=<optimized out>, flags=<optimized out>, 
    tpre=<optimized out>, skew=<optimized out>) at fls_lib.c:262
#14 0x00000000004096ff in main (argc=<optimized out>, argv1=<optimized out>)
    at fls.cpp:308

Input: doublefree.zip

bcarrier closed this in b69c7c7 Aug 26, 2017

bcarrier added a commit that referenced this issue Aug 26, 2017

Merge pull request #908 from sleuthkit/ext2_buffer_905
fixes #905 by using correct counter to increment pointer