【Title】heap-buffer-overflow
【Environment】
Hardware:
1) x86
Software:
1)
Name: sleuthkit
Version: 4.6.7
Release: 8
If a special network setup is involved, please provide the network topology diagram.
【Steps to reproduce】
1. Build
python3 infra/helper.py build_fuzzers --sanitizer address sleuthkit
2. Run
python3 infra/helper.py run_fuzzer sleuthkit sleuthkit_fls_hfs_fuzzer -rss_limit_mb=0
【Expected result】
Runs for 30 min without errors
【Actual result】
==6==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000a8a at pc 0x00000056085b bp 0x7ffcc08c4630 sp 0x7ffcc08c4628
READ of size 1 at 0x61e000000a8a thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x56085a in hfs_cat_traverse /src/sleuthkit/tsk/fs/hfs.c:1103:30
#1 0x575555 in hfs_find_highest_inum /src/sleuthkit/tsk/fs/hfs.c:1787:9
#2 0x56791c in hfs_open /src/sleuthkit/tsk/fs/hfs.c:6805:21
#3 0x55e58d in tsk_fs_open_img /src/sleuthkit/tsk/fs/fs_open.c:172:16
#4 0x5508a5 in LLVMFuzzerTestOneInput /src/sleuthkit_fls_fuzzer.cc:33:8
#5 0x4589c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:
#6 0x443d22 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
#7 0x449db7 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/Fuzzer.cpp:776:9
#8 0x472402 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#9 0x7ffa3bf3582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x41e338 in _start (/out/sleuthkit_fls_hfs_fuzzer+0x41e338)
0x61e000000a8a is located 0 bytes to the right of 2570-byte region [0x61e000000080,0x61e000000a8a)
allocated by thread T0 here:
#0 0x51e07d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x60acc9 in tsk_malloc /src/sleuthkit/tsk/base/mymalloc.c:32:16
#2 0x55eff4 in hfs_cat_traverse /src/sleuthkit/tsk/fs/hfs.c:869:26
#3 0x575555 in hfs_find_highest_inum /src/sleuthkit/tsk/fs/hfs.c:1787:9
#4 0x56791c in hfs_open /src/sleuthkit/tsk/fs/hfs.c:6805:21
#5 0x55e58d in tsk_fs_open_img /src/sleuthkit/tsk/fs/fs_open.c:172:16
#6 0x5508a5 in LLVMFuzzerTestOneInput /src/sleuthkit_fls_fuzzer.cc:33:8
#7 0x4589c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:
#8 0x443d22 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
#9 0x449db7 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/Fuzzer.cpp:776:9
#10 0x472402 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#11 0x7ffa3bf3582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/sleuthkit/tsk/fs/hfs.c:1103:30 in hfs_cat_traverse
Shadow bytes around the buggy address:
0x0c3c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8150: 00[02]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==6==ABORTING
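As an added triage example (not part of the original issue, of OSS-Fuzz or of sleuthkit), the following Python script parses the key lines of the report above, recomputes the shadow address of the faulting access with the standard x86_64 ASan mapping (`shadow = (addr >> 3) + 0x7fff8000`, a constant assumed here rather than taken from the page), and checks that the bracketed shadow byte `02` is what the region bounds predict: the faulting 8-byte granule starts at 0x61e000000a88, only its first 2 bytes lie inside the 2570-byte allocation, and the 1-byte read at 0x61e000000a8a is exactly one past the end. The report text is embedded as a constructed copy of the lines above.

```python
"""Added triage helper for the AddressSanitizer report in this issue (example
code, not part of sleuthkit). It parses the report, recomputes the shadow
address for the faulting access, and checks that the marked shadow byte is
consistent with the reported region bounds."""
import re

# Assumed x86_64 ASan shadow mapping: shadow = (addr >> 3) + 0x7fff8000.
SHADOW_SCALE = 3
SHADOW_OFFSET_X86_64 = 0x7FFF8000

# Constructed sample: the relevant lines of the report in this issue.
SAMPLE_REPORT = """\
==6==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000a8a at pc 0x00000056085b bp 0x7ffcc08c4630 sp 0x7ffcc08c4628
READ of size 1 at 0x61e000000a8a thread T0
    #0 0x56085a in hfs_cat_traverse /src/sleuthkit/tsk/fs/hfs.c:1103:30
    #1 0x575555 in hfs_find_highest_inum /src/sleuthkit/tsk/fs/hfs.c:1787:9
0x61e000000a8a is located 0 bytes to the right of 2570-byte region [0x61e000000080,0x61e000000a8a)
allocated by thread T0 here:
    #0 0x51e07d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x60acc9 in tsk_malloc /src/sleuthkit/tsk/base/mymalloc.c:32:16
    #2 0x55eff4 in hfs_cat_traverse /src/sleuthkit/tsk/fs/hfs.c:869:26
Shadow bytes around the buggy address:
  0x0c3c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8150: 00[02]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""


def shadow_address(addr, scale=SHADOW_SCALE, offset=SHADOW_OFFSET_X86_64):
    """Map an application address to the address of its shadow byte."""
    return (addr >> scale) + offset


def granule_addressable(addr, shadow_byte, scale=SHADOW_SCALE):
    """ASan's fast-path check for a 1-byte access at addr.

    00 means the whole 8-byte granule is addressable, 01..07 means only the
    first k bytes are, anything else (fa, fd, ...) means poisoned.
    """
    k = addr & ((1 << scale) - 1)  # byte offset inside the granule
    if shadow_byte == 0:
        return True
    if 1 <= shadow_byte <= 7:
        return k < shadow_byte
    return False


def parse_report(text):
    """Pull access, region, faulting frame and the marked shadow row out of the report."""
    info = {}
    m = re.search(r"AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)", text)
    info["bug"], info["addr"] = m.group(1), int(m.group(2), 16)
    m = re.search(r"(READ|WRITE) of size (\d+)", text)
    info["access"], info["size"] = m.group(1), int(m.group(2))
    m = re.search(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text)
    info["region_size"] = int(m.group(1))
    info["region_start"], info["region_end"] = int(m.group(2), 16), int(m.group(3), 16)
    # The first #0 frame belongs to the access stack, not the allocation stack.
    m = re.search(r"#0 0x[0-9a-f]+ in (\w+) (\S+)", text)
    info["frame"], info["location"] = m.group(1), m.group(2)
    # Row flagged with "=>"; brackets mark the shadow byte of the bad address.
    m = re.search(r"=>(0x[0-9a-f]+):(.*)", text)
    info["shadow_row"] = int(m.group(1), 16)
    cells = re.findall(r"(\[?)([0-9a-f]{2})\]?", m.group(2))
    info["shadow_bytes"] = [int(b, 16) for _, b in cells]
    info["marked_index"] = next(i for i, (br, _) in enumerate(cells) if br)
    return info


def triage(text):
    """Cross-check the report against the shadow mapping and classify the bug."""
    info = parse_report(text)
    sh = shadow_address(info["addr"])
    idx = sh - info["shadow_row"]
    info["shadow_addr"] = sh
    info["shadow_byte"] = info["shadow_bytes"][idx]
    # The shadow byte we computed must be the one ASan put in brackets.
    info["marker_matches"] = idx == info["marked_index"]
    # Bytes of the faulting granule that lie inside the allocation; this is
    # exactly the partial-addressability value ASan should have stored.
    granule_start = info["addr"] & ~((1 << SHADOW_SCALE) - 1)
    inside = info["region_end"] - granule_start
    info["shadow_consistent"] = (0 < inside < 8 and inside == info["shadow_byte"]) or \
        (inside >= 8 and info["shadow_byte"] == 0)
    info["addressable"] = granule_addressable(info["addr"], info["shadow_byte"])
    info["bytes_past_end"] = info["addr"] - info["region_end"]
    if info["bytes_past_end"] == 0 and info["size"] == 1:
        info["verdict"] = "off-by-one %s at end of %d-byte heap region in %s (%s)" % (
            info["access"], info["region_size"], info["frame"], info["location"])
    else:
        info["verdict"] = "%s of %d bytes, %d past end of region" % (
            info["access"], info["size"], info["bytes_past_end"])
    return info


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("shadow addr 0x%x, byte 0x%02x, addressable=%s" % (
        result["shadow_addr"], result["shadow_byte"], result["addressable"]))
    print(result["verdict"])
```

Running the script prints the shadow address and the verdict. The `shadow_consistent` flag separates an off-by-one at the end of a live allocation from a read landing in a redzone or freed region, which is a useful first split when triaging a batch of fuzzer crashes before looking at the source at hfs.c:1103.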
Hey yanglijin, Welcome to openEuler Community.
You can follow the instructions at https://gitee.com/openeuler/community/blob/master/en/sig-infrastructure/command.md to interact with the Bot.
openeuler-ci-bot