src-openEuler / sleuthkit
【fuzz】sleuthkit --sanitizer address heap-buffer-overflow on address

Accepted
Defect
Created at 2022-08-27 18:01

【Title】sleuthkit --sanitizer address heap-buffer-overflow on address
【Environment】
Hardware:
x86
【Tested version】
Name: sleuthkit
Version: 4.6.7

【Notes】
Affected-version check (affected / not affected):
1、master
2、openEuler-20.03-LTS-SP3
3、openEuler-20.03-LTS-SP1
4、openEuler-20.03-LTS-SP2
5、openEuler-20.03-LTS
6、openEuler-21.03
7、openEuler-20.03-LTS-Next
8、openEuler-21.09
9、openEuler-22.03-LTS
10、openEuler-22.03-LTS-Next
11、openEuler-20.09
12、wzs
13、openEuler-22.09

1. 【Test steps】
1. Build
python3 infra/helper.py build_fuzzers --sanitizer address sleuthkit
2. Run
python3 infra/helper.py run_fuzzer sleuthkit sleuthkit_fls_ntfs_fuzzer
【Error output】

==11==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000002800 at pc 0x00000060fe3f bp 0x7fff516bbcf0 sp 0x7fff516bbce8
READ of size 1 at 0x615000002800 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x60fe3e in tsk_UTF16toUTF8 /src/sleuthkit/tsk/base/tsk_unicode.c:159:14
    #1 0x5c7957 in ntfs_proc_attrseq /src/sleuthkit/tsk/fs/ntfs.c:2256:17
    #2 0x5c1c2f in ntfs_dinode_copy /src/sleuthkit/tsk/fs/ntfs.c:2752:19
    #3 0x5af0b2 in ntfs_inode_lookup /src/sleuthkit/tsk/fs/ntfs.c:2853:9
    #4 0x5586cb in tsk_fs_file_open_meta /src/sleuthkit/tsk/fs/fs_file.c:128:9
    #5 0x5abf38 in ntfs_open /src/sleuthkit/tsk/fs/ntfs.c:5172:13
    #6 0x55e25b in tsk_fs_open_img /src/sleuthkit/tsk/fs/fs_open.c:160:16
    #7 0x5508a5 in LLVMFuzzerTestOneInput /src/sleuthkit_fls_fuzzer.cc:33:8
    #8 0x4589c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #9 0x458105 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #10 0x45a1d7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #11 0x45ac55 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #12 0x449c2e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
    #13 0x472402 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #14 0x7fceb032182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x41e338 in _start (/out/sleuthkit_fls_ntfs_fuzzer+0x41e338)

0x615000002800 is located 0 bytes to the right of 512-byte region [0x615000002600,0x615000002800)
allocated by thread T0 here:
    #0 0x51e07d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x60b099 in tsk_malloc /src/sleuthkit/tsk/base/mymalloc.c:32:16
    #2 0x5af04d in ntfs_inode_lookup /src/sleuthkit/tsk/fs/ntfs.c:2842:25
    #3 0x5586cb in tsk_fs_file_open_meta /src/sleuthkit/tsk/fs/fs_file.c:128:9
    #4 0x5abf38 in ntfs_open /src/sleuthkit/tsk/fs/ntfs.c:5172:13
    #5 0x55e25b in tsk_fs_open_img /src/sleuthkit/tsk/fs/fs_open.c:160:16
    #6 0x5508a5 in LLVMFuzzerTestOneInput /src/sleuthkit_fls_fuzzer.cc:33:8
    #7 0x4589c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #8 0x458105 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #9 0x45a1d7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #10 0x45ac55 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #11 0x449c2e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
    #12 0x472402 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #13 0x7fceb032182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/sleuthkit/tsk/base/tsk_unicode.c:159:14 in tsk_UTF16toUTF8
Shadow bytes around the buggy address:
  0x0c2a7fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff84c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff84e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff84f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff8500:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11==ABORTING
MS: 2 ChangeBit-ChangeBit-; base unit: 44fa3011c3bdf2c8c4de18ac7d192cc3856bf741
artifact_prefix='./'; Test unit written to ./crash-c9ae971ecba12901b7d694df847b122c39366375

【Expected result】
Runs without errors
【Actual result】
AddressSanitizer reports heap-buffer-overflow
【Reproduction steps】
python3 infra/helper.py reproduce sleuthkit sleuthkit_fls_ntfs_fuzzer crash-c9ae971ecba12901b7d694df847b122c39366375

Comments (3)

wangxiaoya created the issue

Hi ryuo, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: Others, and any of the maintainers: @jimmy_hero , @small_leek , @mdche

openeuler-ci-bot added the sig/Others label
wangxiaoya edited the description
wangxiaoya uploaded attachment crash-c9ae971ecba12901b7d694df847b122c39366375
wangxiaoya set the assignee to small_leek
wangxiaoya set the planned due date to 2022-08-28
wangxiaoya set the planned start date to 2022-08-27
wangxiaoya changed the planned due date from 2022-08-28 to 2022-08-31
wangxiaoya set the priority to Major

    // tsk_UTF16toUTF8 /src/sleuthkit/tsk/base/tsk_unicode.c (frame #0 of the ASan report)
    const UTF16 *source = *sourceStart;
    UTF8 *target = *targetStart;
    while (source < sourceEnd) {
        UTF32 ch;
        unsigned short bytesToWrite = 0;
        const UTF32 byteMask = 0xBF;
        const UTF32 byteMark = 0x80;
        const UTF16 *oldSource = source;        /* In case we have to back up because of target overflow. */
        /* The loop trusts sourceEnd; ASan reports the 1-byte out-of-bounds read here (tsk_unicode.c:159). */
        ch = tsk_getu16(endian, (uint8_t *) source);
        source++;

        /* If we have a surrogate pair, convert to UTF32 first. */
        if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_HIGH_END) {
            /* ... rest of the function not shown in the report ... */

    // ntfs_proc_attrseq /src/sleuthkit/tsk/fs/ntfs.c (caller, frame #1 at ntfs.c:2256)
    name16 = (UTF16 *) & fname->name;
    name8 = (UTF8 *) fs_name->name;
    /* sourceEnd is computed from fname->nlen, taken from the $FILE_NAME attribute in the image,
       without checking that name16 + nlen * 2 stays inside the 512-byte record buffer. */
    retVal =
        tsk_UTF16toUTF8(fs->endian, (const UTF16 **) &name16,
        (UTF16 *) ((uintptr_t) name16 +
            fname->nlen * 2),
        &name8,
        (UTF8 *) ((uintptr_t) name8 +
            sizeof(fs_name->name)), TSKlenientConversion);
    if (retVal != TSKconversionOK) {

In tsk_UTF16toUTF8 the loop accesses the memory block pointed to by source until source is greater than or equal to sourceEnd. In the caller of tsk_UTF16toUTF8, sourceEnd is assigned (UTF16 *) ((uintptr_t) name16 + fname->nlen * 2). sourceEnd is meant to be the end address of the memory block that source points to, but the value actually assigned is greater than the end of that block, so when tsk_UTF16toUTF8 accesses the memory block pointed to by source, the access runs out of bounds.
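The missing check described above, written out as an added example; this is not sleuthkit's code, and every name in it (name_utf16le_to_utf8, the CONV_* codes, the demo_* helpers) is hypothetical. It validates the on-disk name length against the real end of the record buffer before the first read, so an oversized nlen is rejected instead of being turned into a sourceEnd past the allocation, and it also handles the surrogate-pair edge cases the conversion loop has to care about. The record and name are constructed for the demo and sized like the 512-byte region in the ASan report.

```c
/* Added example (not sleuthkit code): bounds-checked UTF-16LE -> UTF-8
 * conversion of a file name read from a fixed-size record buffer.
 * All function and constant names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum {
    CONV_OK = 0,
    CONV_ERR_SOURCE_BOUNDS = -1,  /* nlen * 2 runs past the record */
    CONV_ERR_TARGET_FULL   = -2,  /* UTF-8 output would not fit */
    CONV_ERR_BAD_SURROGATE = -3   /* unpaired or stray surrogate */
};

/* Convert nlen UTF-16LE code units found at byte offset name_off of a
 * rec_len-byte record into NUL-terminated UTF-8 in out[out_len].
 * The source end is validated against the record's real end before any
 * byte is read, which is the check the crashing call path lacked. */
int name_utf16le_to_utf8(const uint8_t *rec, size_t rec_len,
                         size_t name_off, size_t nlen,
                         char *out, size_t out_len)
{
    if (out_len == 0)
        return CONV_ERR_TARGET_FULL;
    /* Written as a subtraction so name_off + nlen * 2 cannot wrap around. */
    if (name_off > rec_len || nlen > (rec_len - name_off) / 2)
        return CONV_ERR_SOURCE_BOUNDS;

    const uint8_t *src = rec + name_off;
    const uint8_t *src_end = src + nlen * 2;   /* now provably <= rec + rec_len */
    size_t o = 0;

    while (src < src_end) {
        uint32_t ch = (uint32_t)src[0] | ((uint32_t)src[1] << 8);
        src += 2;
        if (ch >= 0xD800 && ch <= 0xDBFF) {          /* high surrogate */
            if (src >= src_end)                      /* pair cut off by nlen */
                return CONV_ERR_BAD_SURROGATE;
            uint32_t lo = (uint32_t)src[0] | ((uint32_t)src[1] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF)
                return CONV_ERR_BAD_SURROGATE;
            src += 2;
            ch = 0x10000 + ((ch - 0xD800) << 10) + (lo - 0xDC00);
        } else if (ch >= 0xDC00 && ch <= 0xDFFF) {   /* stray low surrogate */
            return CONV_ERR_BAD_SURROGATE;
        }
        size_t need = ch < 0x80 ? 1 : ch < 0x800 ? 2 : ch < 0x10000 ? 3 : 4;
        if (need >= out_len - o)                     /* leave room for the NUL */
            return CONV_ERR_TARGET_FULL;
        switch (need) {
        case 1: out[o++] = (char)ch; break;
        case 2: out[o++] = (char)(0xC0 | (ch >> 6));
                out[o++] = (char)(0x80 | (ch & 0x3F)); break;
        case 3: out[o++] = (char)(0xE0 | (ch >> 12));
                out[o++] = (char)(0x80 | ((ch >> 6) & 0x3F));
                out[o++] = (char)(0x80 | (ch & 0x3F)); break;
        default: out[o++] = (char)(0xF0 | (ch >> 18));
                 out[o++] = (char)(0x80 | ((ch >> 12) & 0x3F));
                 out[o++] = (char)(0x80 | ((ch >> 6) & 0x3F));
                 out[o++] = (char)(0x80 | (ch & 0x3F)); break;
        }
    }
    out[o] = '\0';
    return CONV_OK;
}

/* Constructed demo record, sized like the 512-byte region in the ASan
 * report. The name "a<U+1F600>.txt" (7 UTF-16 units, 14 bytes) is placed at
 * offset 498 so it ends exactly at byte 512: a claimed nlen of 7 is valid,
 * while nlen 8 would read 2 bytes past the end of the allocation. */
#define DEMO_REC_LEN  512
#define DEMO_NAME_OFF 498

static void demo_build_record(uint8_t *rec)
{
    static const uint16_t units[] = { 'a', 0xD83D, 0xDE00, '.', 't', 'x', 't' };
    memset(rec, 0, DEMO_REC_LEN);
    for (size_t i = 0; i < sizeof units / sizeof units[0]; i++) {
        rec[DEMO_NAME_OFF + 2 * i]     = (uint8_t)(units[i] & 0xFF);
        rec[DEMO_NAME_OFF + 2 * i + 1] = (uint8_t)(units[i] >> 8);
    }
}

static char demo_out[32];

/* Convert the demo name using an untrusted on-disk style nlen and an output
 * buffer capped at out_len bytes; returns the CONV_* status. */
int demo_name_status(size_t claimed_nlen, size_t out_len)
{
    uint8_t rec[DEMO_REC_LEN];
    demo_build_record(rec);
    if (out_len > sizeof demo_out) out_len = sizeof demo_out;
    return name_utf16le_to_utf8(rec, DEMO_REC_LEN, DEMO_NAME_OFF,
                                claimed_nlen, demo_out, out_len);
}

/* UTF-8 text of the demo name for claimed_nlen, or "" if conversion failed. */
const char *demo_name_utf8(size_t claimed_nlen)
{
    if (demo_name_status(claimed_nlen, sizeof demo_out) != CONV_OK)
        demo_out[0] = '\0';
    return demo_out;
}
```

The bounds test is deliberately phrased as `nlen > (rec_len - name_off) / 2` rather than `name_off + nlen * 2 > rec_len`: the latter can wrap on a large nlen and pass the check, which is the same class of mistake that an unchecked sourceEnd represents. With nlen 8 the demo returns CONV_ERR_SOURCE_BOUNDS before touching byte 512, the exact address the report flags as 0 bytes past the region.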

wangxiaoya changed the task status from Completed to Accepted
