From 1d8693a0144be716cefe52bacdb55faa77516935 Mon Sep 17 00:00:00 2001
From: lingsheng
Date: Thu, 26 Aug 2021 20:57:43 +0800
Subject: [PATCH] Fixed OOB reads in hfs_cat_traverse
---
...fs.patch => 0009-fix-memleak-in-ntfs.patch | 0
0010-Fixed-HFS-BTree-key-OOB-read.patch | 24 +++++++++++
...-Fixed-OOB-reads-in-hfs_cat_traverse.patch | 43 +++++++++++++++++++
sleuthkit.spec | 25 ++++++-----
4 files changed, 82 insertions(+), 10 deletions(-)
rename fix-memleak-in-ntfs.patch => 0009-fix-memleak-in-ntfs.patch (100%)
create mode 100644 0010-Fixed-HFS-BTree-key-OOB-read.patch
create mode 100644 0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch
diff --git a/fix-memleak-in-ntfs.patch b/0009-fix-memleak-in-ntfs.patch
similarity index 100%
rename from fix-memleak-in-ntfs.patch
rename to 0009-fix-memleak-in-ntfs.patch
diff --git a/0010-Fixed-HFS-BTree-key-OOB-read.patch b/0010-Fixed-HFS-BTree-key-OOB-read.patch
new file mode 100644
index 0000000..575e1aa
--- /dev/null
+++ b/0010-Fixed-HFS-BTree-key-OOB-read.patch
@@ -0,0 +1,24 @@
+From 0954034dc1ac757cfc125539c41cc2b42525b303 Mon Sep 17 00:00:00 2001
+From: Joachim Metz
+Date: Tue, 27 Apr 2021 06:22:02 +0200
+Subject: [PATCH] Fixed HFS BTree key OOB read
+
+---
+ tsk/fs/hfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
+index 2935fc50e3..d3b92aaad7 100644
+--- a/tsk/fs/hfs.c
++++ b/tsk/fs/hfs.c
+@@ -976,7 +976,9 @@ hfs_cat_traverse(HFS_INFO * hfs,
+ rec_off =
+ tsk_getu16(fs->endian,
+ &node[nodesize - (rec + 1) * 2]);
+- if (rec_off >= nodesize) {
++
++ // Need at least 2 bytes for key_len
++ if (rec_off >= nodesize - 2) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_cat_traverse: offset of record %d in leaf node %d too large (%d vs %"
diff --git a/0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch b/0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch
new file mode 100644
index 0000000..bc6c70f
--- /dev/null
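Review bot: The new guard in the 0010 hunk (hfs.c line 976, leaf-node path of hfs_cat_traverse) only guarantees that the two key_len bytes at rec_off lie inside the node; the key_len bytes of key data read after them, and the record that follows the key, still need a bound against nodesize, and nothing in this hunk supplies it. hfs_cat_traverse continues outside the hunk, so if a check such as `if (rec_off + 2 + key_len > nodesize)` is not already there once key_len is decoded, it should be added right after that decode. The identical two-byte guard appears in the 855 hunk of 0011 for the index-node path and needs the same follow-up. The added comment `// Need at least 2 bytes for key_len` is welcome; extending it to `// Need at least 2 bytes for key_len; the key itself is bounds-checked below` would stop a reader from taking this line as the whole check.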
+++ b/0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch
@@ -0,0 +1,43 @@
+From 47b9992636f2e155b09503497ee58d819993c40d Mon Sep 17 00:00:00 2001
+From: Joachim Metz
+Date: Sat, 1 May 2021 07:46:49 +0200
+Subject: [PATCH] Fixed OOB reads in hfs_cat_traverse
+
+---
+ tsk/fs/hfs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
+index e3221152b7..01259cee2d 100644
+--- a/tsk/fs/hfs.c
++++ b/tsk/fs/hfs.c
+@@ -483,7 +483,7 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
+ rec_off =
+ tsk_getu16(fs->endian,
+ &node[nodesize - (rec + 1) * 2]);
+- if (rec_off + sizeof(hfs_btree_key_ext) > nodesize) {
++ if (rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_ext_find_extent_record_attr: offset of record %d in index node %d too large (%d vs %"
+@@ -578,7 +578,8 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
+ rec_off =
+ tsk_getu16(fs->endian,
+ &node[nodesize - (rec + 1) * 2]);
+- if (rec_off >= nodesize) {
++
++ if (rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_ext_find_extent_record_attr: offset of record %d in leaf node %d too large (%d vs %"
+@@ -855,7 +856,9 @@ hfs_cat_traverse(HFS_INFO * hfs,
+ rec_off =
+ tsk_getu16(fs->endian,
+ &node[nodesize - (rec + 1) * 2]);
+- if (rec_off >= nodesize) {
++
++ // Need at least 2 bytes for key_len
++ if (rec_off >= nodesize - 2) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_cat_traverse: offset of record %d in index node %d too large (%d vs %"
diff --git a/sleuthkit.spec b/sleuthkit.spec
index c245c53..5647b80 100644
--- a/sleuthkit.spec
+++ b/sleuthkit.spec
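Review bot: The rewritten check in the 483 hunk, `if (rec_off >= nodesize - sizeof(hfs_btree_key_ext))`, performs the subtraction as unsigned size_t arithmetic because of the sizeof operand, so when nodesize is smaller than the key struct the result wraps to a huge value and the record offset is never rejected; the form it replaces, `rec_off + sizeof(hfs_btree_key_ext) > nodesize`, had no such hazard. Unless nodesize is validated against a minimum before hfs_ext_find_extent_record_attr is entered (not visible here), keep the addition form and express the tightening as `if (rec_off + sizeof(hfs_btree_key_ext) >= nodesize)`; the 578 hunk introduces the same subtraction and should be written the same way. The change also rejects rec_off + sizeof == nodesize, which the old test accepted, but unlike the 855 hunk it carries no comment saying why; a line such as `// Need room for the whole hfs_btree_key_ext at rec_off` would explain it. The 578 and 855 hunks insert a blank line before the `if` while 483 does not; pick one layout. hfs_ext_find_extent_record_attr and hfs_cat_traverse both continue outside their hunks.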
@@ -1,20 +1,22 @@
 Name: sleuthkit
 Version: 4.6.7
-Release: 9
+Release: 10
 Summary: Tools for file system and volume forensic analysis
 License: CPL and IBM and GPLv2+
 URL: http://www.sleuthkit.org
 Source0: https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-%{version}/sleuthkit-%{version}.tar.gz
-Patch1: 0001-MEMORYLEAK-DOS-LOAD-EXT-TABLE.patch
-Patch2: 0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
-Patch3: 0003-Fix-bug-introduced-with-imap-offset-check.patch
-Patch4: 0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
-Patch5: 0005-Fix-Fuzz-buffer-overflow.patch
-Patch6: 0006-Add-attributes-file-nodesize-check.patch
-Patch7: 0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch
-Patch8: 0008-left-shift.patch
-Patch9: fix-memleak-in-ntfs.patch
+Patch0001: 0001-MEMORYLEAK-DOS-LOAD-EXT-TABLE.patch
+Patch0002: 0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
+Patch0003: 0003-Fix-bug-introduced-with-imap-offset-check.patch
+Patch0004: 0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
+Patch0005: 0005-Fix-Fuzz-buffer-overflow.patch
+Patch0006: 0006-Add-attributes-file-nodesize-check.patch
+Patch0007: 0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch
+Patch0008: 0008-left-shift.patch
+Patch0009: 0009-fix-memleak-in-ntfs.patch
+Patch0010: 0010-Fixed-HFS-BTree-key-OOB-read.patch
+Patch0011: 0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch
 BuildRequires: gcc-c++ afflib-devel >= 3.3.4 libewf-devel perl-generators sqlite-devel
@@ -89,6 +91,9 @@ sed -i.rpath 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 %{_mandir}/man1/*
 %changelog
+* Thu Aug 26 2021 lingsheng - 4.6.7-10
+- Fixed OOB reads in hfs_cat_traverse
+
 * Thu Aug 26 2021 sunguoshuai - 4.6.7-9
 - Fix memleak in ntfs
-- Gitee
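Review bot: The changelog entry added in the second hunk names only one of the two patches this commit introduces: Patch0010 (0010-Fixed-HFS-BTree-key-OOB-read.patch) is not mentioned, and the wording `Fixed OOB reads in hfs_cat_traverse` repeats the subject of the already-present 0007 patch, so a later reader cannot tell which fix 4.6.7-10 actually carries. An entry such as `- Backport upstream 0954034dc1 (HFS BTree key OOB read) and 47b9992636 (OOB reads in hfs_cat_traverse and hfs_ext_find_extent_record_attr)` would be unambiguous. The first hunk renumbers Patch1..Patch9 to Patch0001..Patch0009; if %prep applies them with explicit %patchN lines rather than %autosetup, those lines must be renumbered as well, and this diff does not show %prep.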