
src-openEuler / sleuthkit


【fuzz】heap-buffer-overflow

Completed
Bug
Created on
2021-08-25 14:38

【Title】heap-buffer-overflow
【Environment】
Hardware information:
1) x86
Software information:
1)
Name: sleuthkit
Version: 4.6.7
Release: 8

If there is a special network setup, please provide the network topology diagram
【Reproduction steps】
1. Build
python3 infra/helper.py build_fuzzers --sanitizer address sleuthkit
2. Run
python3 infra/helper.py run_fuzzer sleuthkit sleuthkit_fls_hfs_fuzzer -rss_limit_mb=0
【Expected result】
Runs for 30 min without errors
【Actual result】

==6==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000a8a at pc 0x00000056085b bp 0x7ffcc08c4630 sp 0x7ffcc08c4628
READ of size 1 at 0x61e000000a8a thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x56085a in hfs_cat_traverse /src/sleuthkit/tsk/fs/hfs.c:1103:30
    #1 0x575555 in hfs_find_highest_inum /src/sleuthkit/tsk/fs/hfs.c:1787:9
    #2 0x56791c in hfs_open /src/sleuthkit/tsk/fs/hfs.c:6805:21
    #3 0x55e58d in tsk_fs_open_img /src/sleuthkit/tsk/fs/fs_open.c:172:16
    #4 0x5508a5 in LLVMFuzzerTestOneInput /src/sleuthkit_fls_fuzzer.cc:33:8
    #5 0x4589c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:
    #6 0x443d22 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #7 0x449db7 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/Fuzzer.cpp:776:9
    #8 0x472402 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #9 0x7ffa3bf3582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e338 in _start (/out/sleuthkit_fls_hfs_fuzzer+0x41e338)

0x61e000000a8a is located 0 bytes to the right of 2570-byte region [0x61e000000080,0x61e000000a8a)
allocated by thread T0 here:
    #0 0x51e07d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x60acc9 in tsk_malloc /src/sleuthkit/tsk/base/mymalloc.c:32:16
    #2 0x55eff4 in hfs_cat_traverse /src/sleuthkit/tsk/fs/hfs.c:869:26
    #3 0x575555 in hfs_find_highest_inum /src/sleuthkit/tsk/fs/hfs.c:1787:9
    #4 0x56791c in hfs_open /src/sleuthkit/tsk/fs/hfs.c:6805:21
    #5 0x55e58d in tsk_fs_open_img /src/sleuthkit/tsk/fs/fs_open.c:172:16
    #6 0x5508a5 in LLVMFuzzerTestOneInput /src/sleuthkit_fls_fuzzer.cc:33:8
    #7 0x4589c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:
    #8 0x443d22 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
    #9 0x449db7 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/Fuzzer.cpp:776:9
    #10 0x472402 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #11 0x7ffa3bf3582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/sleuthkit/tsk/fs/hfs.c:1103:30 in hfs_cat_traverse
Shadow bytes around the buggy address:
  0x0c3c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8150: 00[02]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6==ABORTING
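The report above pins the fault to a 1-byte read at offset 2570 of a 2570-byte allocation, i.e. the first byte past the end. As an added illustration, which is not sleuthkit's code and does not claim to show the actual logic at hfs.c:1103, the following program demonstrates that shape of bug with a hypothetical fixed-size node buffer whose trailing two bytes carry an attacker-controlled record offset: the unchecked reader dereferences the offset as-is, the hardened reader rejects any offset greater than or equal to the buffer size. The node layout, field names and constants are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical node layout, constructed for this example (not HFS+ and
 * not sleuthkit's structures): a fixed-size node buffer whose last two
 * bytes hold a big-endian record offset taken from the image. */
#define NODE_SIZE 2570u

/* Decode the untrusted record offset stored in the node trailer. */
static size_t trailer_offset(const uint8_t *node, size_t node_size)
{
    return ((size_t)node[node_size - 2] << 8) | node[node_size - 1];
}

/* Vulnerable reader: trusts the offset. When off == node_size it reads
 * one byte past the buffer, the same condition ASan reported above
 * ("0 bytes to the right of 2570-byte region"). Only call this with an
 * in-range offset; under -fsanitize=address an out-of-range one aborts. */
static int read_record_byte_unchecked(const uint8_t *node, size_t node_size)
{
    size_t off = trailer_offset(node, node_size);
    return node[off]; /* out of bounds when off >= node_size */
}

/* Hardened reader: validates the offset before dereferencing.
 * Returns -1 for an out-of-range offset, otherwise the byte value. */
static int read_record_byte_checked(const uint8_t *node, size_t node_size)
{
    if (node_size < 2)
        return -1;
    size_t off = trailer_offset(node, node_size);
    /* Valid indices are [0, node_size - 1]; off == node_size is already
     * one past the end, which is exactly the reported access. */
    if (off >= node_size)
        return -1;
    return node[off];
}

/* Build a constructed node: fill byte everywhere, offset in the trailer. */
static void make_node(uint8_t *node, size_t node_size, uint16_t off, uint8_t fill)
{
    memset(node, fill, node_size);
    node[node_size - 2] = (uint8_t)(off >> 8);
    node[node_size - 1] = (uint8_t)(off & 0xff);
}

int main(void)
{
    uint8_t node[NODE_SIZE];

    make_node(node, NODE_SIZE, 100, 0x41);
    printf("offset 100 (in range): checked=%d unchecked=%d\n",
           read_record_byte_checked(node, NODE_SIZE),
           read_record_byte_unchecked(node, NODE_SIZE));

    make_node(node, NODE_SIZE, NODE_SIZE, 0x41);
    printf("offset %u (== node size): checked=%d\n", NODE_SIZE,
           read_record_byte_checked(node, NODE_SIZE));
    /* read_record_byte_unchecked() is deliberately not called here: with
     * -fsanitize=address it would abort with a buffer-overflow report. */
    return 0;
}
```

The shadow line `00[02]fa` in the report says the same thing as the check: 2570 = 321 * 8 + 2, so the last 8-byte granule of the allocation has only its first two bytes addressable (shadow value 02), and the access landed on its third byte. To re-run the attached testcase in the same OSS-Fuzz build environment, the helper's `reproduce` subcommand takes the project, fuzzer name and testcase path, e.g. `python3 infra/helper.py reproduce sleuthkit sleuthkit_fls_hfs_fuzzer crash-58cf7610cc4c2516a6eea1b1f51d634eb1eff161`.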

Comments (2)

jinjin created the issue
jinjin set the associated repository to src-openEuler/sleuthkit

Hey yanglijin, Welcome to openEuler Community.
You can follow the instructions at https://gitee.com/openeuler/community/blob/master/en/sig-infrastructure/command.md to interact with the Bot.

openeuler-ci-bot added the sig/Others label
jinjin set the milestone to openEuler-21.09-round-1
jinjin set the assignee to small_leek
jinjin edited the description
jinjin uploaded attachment crash-58cf7610cc4c2516a6eea1b1f51d634eb1eff161
