
Out-of-bounds read in ntfs_device_mount
The attached file will cause an out-of-bounds heap read in ntfsfix.
This was found through fuzzing with american fuzzy lop.
AddressSanitizer stack trace:
Code:
==27007==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017900 at pc 0x0000004848b1 bp 0x7ffcf1e72ed0 sp 0x7ffcf1e72680
READ of size 33176 at 0x621000017900 thread T0
#0 0x4848b0 in __interceptor_memcmp (/tmp/ntfsfix+0x4848b0)
#1 0x5a99d8 in ntfs_device_mount /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/libntfs-3g/volume.c:992:7
#2 0x5acfad in ntfs_mount /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/libntfs-3g/volume.c:1351:8
#3 0x4da982 in main /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/ntfsprogs/ntfsfix.c:1579:8
#4 0x7f2e33cd47af in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289
#5 0x418798 in _start (/tmp/ntfsfix+0x418798)
0x621000017900 is located 0 bytes to the right of 4096-byte region [0x621000016900,0x621000017900)
allocated by thread T0 here:
#0 0x4aea38 in __interceptor_malloc (/tmp/ntfsfix+0x4aea38)
#1 0x56fa7c in ntfs_malloc /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/libntfs-3g/misc.c:57:6
#2 0x5acfad in ntfs_mount /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/libntfs-3g/volume.c:1351:8
#3 0x7f2e33cd47af in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289
SUMMARY: AddressSanitizer: heap-buffer-overflow (/tmp/ntfsfix+0x4848b0) in __interceptor_memcmp
Shadow bytes around the buggy address:
0x0c427fffaed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffaf20:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27007==ABORTING