From 0366158c7740b4d44e02a20465ac685512716757 Mon Sep 17 00:00:00 2001
From: wu-leilei
Date: Wed, 31 Aug 2022 14:25:12 +0800
Subject: [PATCH] fixed OOB read in ntfs_proc_attrseq

(cherry picked from commit 46ed43de01a81e2676708e82407ae8387a19f1a0)
---
 ...-Fixed-OOB-read-in-ntfs_proc_attrseq.patch | 61 +++++++++++++++++++
 sleuthkit.spec | 7 ++-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 0015-Fixed-OOB-read-in-ntfs_proc_attrseq.patch

diff --git a/0015-Fixed-OOB-read-in-ntfs_proc_attrseq.patch b/0015-Fixed-OOB-read-in-ntfs_proc_attrseq.patch
new file mode 100644
index 0000000..2bd2b5b
--- /dev/null
+++ b/0015-Fixed-OOB-read-in-ntfs_proc_attrseq.patch
@@ -0,0 +1,61 @@
+From a791293e9f30de2fc9d798b1ed602a78198b721d Mon Sep 17 00:00:00 2001
+From: Joachim Metz
+Date: Sat, 27 Nov 2021 08:58:21 +0100
+Subject: [PATCH] Fixed OOB read in ntfs_proc_attrseq
+
+---
+ tsk/fs/ntfs.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/tsk/fs/ntfs.c b/tsk/fs/ntfs.c
+index e82abae..fd3fc4f 100755
+--- a/tsk/fs/ntfs.c
++++ b/tsk/fs/ntfs.c
+@@ -2187,6 +2187,8 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
+ TSK_FS_META_NAME_LIST *fs_name;
+ UTF16 *name16;
+ UTF8 *name8;
++ uint32_t attr_len = tsk_getu32(fs->endian, attr->len);
++ uint16_t attr_off = tsk_getu16(fs->endian, attr->c.r.soff);
+ if (attr->res != NTFS_MFT_RES) {
+ tsk_error_reset();
+ tsk_error_set_errno(TSK_ERR_FS_INODE_COR);
+@@ -2194,6 +2196,21 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
+ ("proc_attr_seq: File Name Attribute is not resident!");
+ return TSK_COR;
+ }
++ if ((attr_off < 16) || (attr_off >= attr_len)) {
++ tsk_error_reset();
++ tsk_error_set_errno(TSK_ERR_FS_INODE_COR);
++ tsk_error_set_errstr
++ ("proc_attrseq: resident data offset of File Name Attribute is out of bounds!");
++ return TSK_COR;
++ }
++ // A File Name Attribute should be at least 66 bytes in size
++ if ((attr_len < 66) || (attr_off > attr_len - 66)) {
++ tsk_error_reset();
++ tsk_error_set_errno(TSK_ERR_FS_INODE_COR);
++ tsk_error_set_errstr
++ ("proc_attrseq: resident data of File Name Attribute is too small!");
++ return TSK_COR;
++ }
+ fname =
+ (ntfs_attr_fname *) ((uintptr_t) attr +
+ tsk_getu16(fs->endian, attr->c.r.soff));
+@@ -2249,6 +2266,13 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
+ }
+ fs_name->next = NULL;
+ }
++ if (fname->nlen > attr_len - 66) {
++ tsk_error_reset();
++ tsk_error_set_errno(TSK_ERR_FS_INODE_COR);
++ tsk_error_set_errstr
++ ("proc_attrseq: invalid name value size out of bounds!");
++ return TSK_COR;
++ }
+ 
+ name16 = (UTF16 *) & fname->name;
+ name8 = (UTF8 *) fs_name->name;
+--
+2.27.0
+
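Review bot: The name-length guard added in the third inner hunk, `if (fname->nlen > attr_len - 66)`, compares a character count against a byte count and does not subtract the resident data offset, so a crafted name can still run past the end of the attribute: the name is consumed as UTF-16 (`name16 = (UTF16 *) & fname->name;` two lines below), so `nlen` code units occupy `2 * nlen` bytes starting at `attr_off + 66`, not at byte 66 of the attribute header. Because the second new check already guarantees `attr_off <= attr_len - 66`, the bound can be tightened without underflow to `if ((uint32_t) fname->nlen * 2 > attr_len - attr_off - 66) {`. This assumes `nlen` counts UTF-16 code units, which the cast suggests but the struct definition and the conversion loop are outside the hunk, as is the rest of ntfs_proc_attrseq. As a matter of style, the `fname =` assignment still re-decodes `attr->c.r.soff` although the new `attr_off` local holds the value that was just validated; using `attr_off` there ties the pointer to the check. The spec comment registering this patch cites upstream commit daa5c74e3df1075f8143e5cc5f186df63ba1f56d while the embedded patch header names a791293e9f30de2fc9d798b1ed602a78198b721d; that may be the same change rebased, but reconciling the two keeps the provenance traceable.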
diff --git a/sleuthkit.spec b/sleuthkit.spec
index 892be84..bce4de1 100644
--- a/sleuthkit.spec
+++ b/sleuthkit.spec
@@ -1,6 +1,6 @@
 Name: sleuthkit
 Version: 4.6.7
-Release: 11
+Release: 12
 Summary: Tools for file system and volume forensic analysis
 License: CPL and IBM and GPLv2+
 URL: http://www.sleuthkit.org
@@ -23,6 +23,8 @@ Patch0012: 0012-fix_oob_read8.patch
 Patch0013: 0013-fix_oob_read13.patch
 #https://github.com/sleuthkit/sleuthkit/pull/2453/commits/beb68f543261a28ee25b945bb79d39213decd2cd
 Patch0014: 0014-Fixed-OOB-reads-in-hfs_dir_open_meta_cb.patch
+#https://github.com/sleuthkit/sleuthkit/pull/2624/commits/daa5c74e3df1075f8143e5cc5f186df63ba1f56d
+Patch0015: 0015-Fixed-OOB-read-in-ntfs_proc_attrseq.patch
 
 BuildRequires: gcc-c++ afflib-devel >= 3.3.4 libewf-devel perl-generators sqlite-devel
 
@@ -97,6 +99,9 @@ sed -i.rpath 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 %{_mandir}/man1/*
 
 %changelog
+* Wed Aug 31 2022 wulei - 4.6.7-12
+- Fixed OOB read in ntfs_proc_attrseq
+
 * Thu Mar 10 2022 xuping - 4.6.7-11
 - Fixed OOB read in hfs_dir_open_meta_cb
 
-- 
Gitee