Out of bounds read in find_unnamed_attr 
The attached file will generate an out-of-bounds heap read access when checked with ntfsfix.

This was found with american fuzzy lop.

AddressSanitizer stack trace:
Code:
==10557==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000107b8 at pc 0x0000004e11b9 bp 0x7ffdbb6eea30 sp 0x7ffdbb6eea28
READ of size 4 at 0x6190000107b8 thread T0
    #0 0x4e11b8 in find_unnamed_attr /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/ntfsprogs/ntfsfix.c:742:13
    #1 0x4e11b8 in short_mft_selfloc_condition /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/ntfsprogs/ntfsfix.c:781
    #2 0x4e11b8 in fix_self_located_mft /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/ntfsprogs/ntfsfix.c:1139
    #3 0x4e11b8 in fix_startup /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/ntfsprogs/ntfsfix.c:1465
    #4 0x4e11b8 in fix_mount /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/ntfsprogs/ntfsfix.c:1519
    #5 0x4e11b8 in main /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/ntfsprogs/ntfsfix.c:1586
    #6 0x7f0ddbc207af in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289
    #7 0x418798 in _start (/home/hanno/Desktop/ntfs-fuzz/ntfsfix+0x418798)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/ntfsprogs/ntfsfix.c:742:13 in find_unnamed_attr
Shadow bytes around the buggy address:
  0x0c327fffa0a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa0b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fffa0f0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c327fffa100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10557==ABORTING


Attachments:
File comment: sample fuzzed ntfs image
ntfsfix-oob-heap-read-find_unnamed_attr.tar.bz2 [3.16 KiB]
Fri Sep 18, 2015 15:02
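The report does not show the code at ntfsfix.c:742, so the exact cause is not visible here. As an added illustration (not ntfs-3g's own code), the walk below over the attribute records of one MFT record checks every header field against the record size before reading past it, which is the kind of check that keeps a fuzzed attribute length or offset from turning into a heap read like the one reported. The record layout follows the NTFS on-disk format; the function name, return codes and the sample record are assumptions constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define MFT_REC_SIZE 1024
#define AT_END 0xFFFFFFFFu

/* Little-endian readers and a writer over the raw record buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Offset of the first unnamed attribute of `type` in a rec_len-byte MFT record
 * (hypothetical helper, not ntfs-3g's find_unnamed_attr). Returns -1 if absent,
 * -2 if the record is malformed. Every header field is checked against the record
 * size before anything past it is read, so a fuzzed attrs_offset or attribute
 * length cannot carry the walk off the end of the buffer. */
long find_unnamed_attr_checked(const uint8_t *rec, size_t rec_len, uint32_t type)
{
    if (rec_len < 0x30) return -2;                    /* smaller than the fixed record header */
    uint32_t in_use = rd32(rec + 0x18);               /* bytes_in_use */
    if (in_use > rec_len) return -2;                  /* record claims more bytes than we hold */
    size_t off = rd16(rec + 0x14);                    /* attrs_offset */
    if (off < 0x30 || (off & 7)) return -2;           /* must follow the header, 8-byte aligned */
    for (;;) {
        if (off + 4 > in_use) return -2;              /* no room left for a type field */
        uint32_t atype = rd32(rec + off);
        if (atype == AT_END) return -1;               /* end marker: attribute not present */
        if (off + 16 > in_use) return -2;             /* truncated attribute header */
        uint32_t alen = rd32(rec + off + 4);
        if (alen < 16 || (alen & 7) || alen > in_use - off) return -2; /* would overrun record */
        if (atype == type && rec[off + 9] == 0) return (long)off;     /* byte 9: name_length */
        off += alen;
    }
}

/* Constructed sample record (not taken from the attached image): an unnamed
 * $STANDARD_INFORMATION (0x10, 0x60 bytes), an unnamed $DATA (0x80, 0x48 bytes), then
 * the end marker. With fuzz_length set, $DATA's length is pushed far past the record. */
long lookup_sample(uint32_t type, int fuzz_length)
{
    uint8_t rec[MFT_REC_SIZE];
    memset(rec, 0, sizeof rec);
    memcpy(rec, "FILE", 4);
    rec[0x14] = 0x38;                                 /* attrs_offset */
    wr32(rec + 0x18, 0x38 + 0x60 + 0x48 + 8);         /* bytes_in_use = 0xE8 */
    wr32(rec + 0x1C, MFT_REC_SIZE);                   /* bytes_allocated */
    wr32(rec + 0x38, 0x10); wr32(rec + 0x3C, 0x60);   /* attr 1: type, length */
    wr32(rec + 0x98, 0x80); wr32(rec + 0x9C, fuzz_length ? 0x7FF0 : 0x48);
    wr32(rec + 0xE0, AT_END);                         /* end marker */
    return find_unnamed_attr_checked(rec, sizeof rec, type);
}
```

With the fuzzed length the walk returns -2 at the $DATA header instead of following the bogus length, which is the point where an unchecked walker would read past the allocation.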