【fuzz】sleuthkit_fls_ntfs_fuzzer heap-buffer-overflow

【环境信息】
x86
【测试版本】
Name:           sleuthkit
Version:        4.6.7
Release:        2
【注意事项】
受影响版本排查（受影响/不受影响）
1、master
2、openEuler-LTS-20.03
3、openEuler-LTS-20.03-SP1
4、openEuler-LTS-20.03-Next
5、openEuler-20.09
①【测试步骤】
1、编译
python3 infra/helper.py build_fuzzers --sanitizer address sleuthkit
2、执行
python3 infra/helper.py run_fuzzer sleuthkit sleuthkit_fls_ntfs_fuzzer -rss_limit_mb=0
【报错信息】
```
==11==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000003200 at pc 0x0000005cd260 bp 0x7ffd85337dd0 sp 0x7ffd85337dc8
READ of size 1 at 0x615000003200 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x5cd25f in ntfs_make_data_run /src/sleuthkit/tsk/fs/ntfs.c:659:29
    #1 0x5c3a2a in ntfs_proc_attrseq /src/sleuthkit/tsk/fs/ntfs.c:1941:22
    #2 0x5c19ef in ntfs_dinode_copy /src/sleuthkit/tsk/fs/ntfs.c:2752:19
    #3 0x5aee72 in ntfs_inode_lookup /src/sleuthkit/tsk/fs/ntfs.c:2853:9
    #4 0x5586cb in tsk_fs_file_open_meta /src/sleuthkit/tsk/fs/fs_file.c:128:9
    #5 0x5abcf8 in ntfs_open /src/sleuthkit/tsk/fs/ntfs.c:5172:13
    #6 0x55e25b in tsk_fs_open_img /src/sleuthkit/tsk/fs/fs_open.c:160:16
    #7 0x5508a5 in LLVMFuzzerTestOneInput /src/sleuthkit_fls_fuzzer.cc:33:8
    #8 0x4589c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #9 0x458105 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #10 0x45a1d7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #11 0x45ac55 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #12 0x449c2e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
    #13 0x472402 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #14 0x7f97833e082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x41e338 in _start (/out/sleuthkit_fls_ntfs_fuzzer+0x41e338)

0x615000003200 is located 0 bytes to the right of 512-byte region [0x615000003000,0x615000003200)
allocated by thread T0 here:
    #0 0x51e07d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x60ae59 in tsk_malloc /src/sleuthkit/tsk/base/mymalloc.c:32:16
    #2 0x5aee0d in ntfs_inode_lookup /src/sleuthkit/tsk/fs/ntfs.c:2842:25
    #3 0x5586cb in tsk_fs_file_open_meta /src/sleuthkit/tsk/fs/fs_file.c:128:9
    #4 0x5abcf8 in ntfs_open /src/sleuthkit/tsk/fs/ntfs.c:5172:13
    #5 0x55e25b in tsk_fs_open_img /src/sleuthkit/tsk/fs/fs_open.c:160:16
    #6 0x5508a5 in LLVMFuzzerTestOneInput /src/sleuthkit_fls_fuzzer.cc:33:8
    #7 0x4589c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #8 0x458105 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #9 0x45a1d7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #10 0x45ac55 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #11 0x449c2e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
    #12 0x472402 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #13 0x7f97833e082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/sleuthkit/tsk/fs/ntfs.c:659:29 in ntfs_make_data_run
Shadow bytes around the buggy address:
  0x0c2a7fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff8640:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11==ABORTING
MS: 2 ShuffleBytes-ChangeBinInt-; base unit: 2ac8fdb09f61b07417ffa55c29f6058bb125dfb7
```

src-openEuler/sleuthkit

内容风险标识

评论 (2)

src-openEuler/sleuthkit .gitee-modal { width: 500px !important; }

内容风险标识