Out of bounds read in ntfs_device_mount 
Joined: Sun Sep 06, 2015 13:41
Posts: 5
Post Out of bounds read in ntfs_device_mount
The attached file will cause an out of bounds heap read in ntfsfix.

This was found through fuzzing with american fuzzy lop.

Address Sanitizer stack trace:
Code:
==27007==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017900 at pc 0x0000004848b1 bp 0x7ffcf1e72ed0 sp 0x7ffcf1e72680
READ of size 33176 at 0x621000017900 thread T0
    #0 0x4848b0 in __interceptor_memcmp (/tmp/ntfsfix+0x4848b0)
    #1 0x5a99d8 in ntfs_device_mount /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/libntfs-3g/volume.c:992:7
    #2 0x5acfad in ntfs_mount /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/libntfs-3g/volume.c:1351:8
    #3 0x4da982 in main /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/ntfsprogs/ntfsfix.c:1579:8
    #4 0x7f2e33cd47af in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289
    #5 0x418798 in _start (/tmp/ntfsfix+0x418798)

0x621000017900 is located 0 bytes to the right of 4096-byte region [0x621000016900,0x621000017900)
allocated by thread T0 here:
    #0 0x4aea38 in __interceptor_malloc (/tmp/ntfsfix+0x4aea38)
    #1 0x56fa7c in ntfs_malloc /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/libntfs-3g/misc.c:57:6
    #2 0x5acfad in ntfs_mount /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/libntfs-3g/volume.c:1351:8
    #3 0x7f2e33cd47af in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow (/tmp/ntfsfix+0x4848b0) in __interceptor_memcmp
Shadow bytes around the buggy address:
  0x0c427fffaed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffaee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffaef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffaf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffaf20:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffaf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffaf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27007==ABORTING


Attachments:
File comment: fuzzed ntfs image
ntfsfix-oob-heap-read-ntfs_device_mount.tar.bz2 [31.36 KiB]
Downloaded 1182 times
Thu Sep 17, 2015 21:25
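When triaging a batch of fuzzer crashes like the one reported above, each AddressSanitizer report can be reduced to a few numbers and a de-duplication key. This is an added example, not part of the original post or of ntfs-3g; the `triage` function and its bucket format are assumptions made for illustration, and the sample input is constructed from lines of the report above.

```python
import re

# Constructed sample: lines copied from the AddressSanitizer report in the post.
SAMPLE_REPORT = """\
==27007==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017900 at pc 0x0000004848b1 bp 0x7ffcf1e72ed0 sp 0x7ffcf1e72680
READ of size 33176 at 0x621000017900 thread T0
    #0 0x4848b0 in __interceptor_memcmp (/tmp/ntfsfix+0x4848b0)
    #1 0x5a99d8 in ntfs_device_mount /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/libntfs-3g/volume.c:992:7
    #2 0x5acfad in ntfs_mount /mnt/ram/ntfs-3g_ntfsprogs-2015.3.14/libntfs-3g/volume.c:1351:8

0x621000017900 is located 0 bytes to the right of 4096-byte region [0x621000016900,0x621000017900)
allocated by thread T0 here:
    #0 0x4aea38 in __interceptor_malloc (/tmp/ntfsfix+0x4aea38)
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^[ \t]+#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)", re.M)


def triage(report):
    """Summarise one ASan heap report and derive a crash-bucket key."""
    kind = ERROR_RE.search(report).group(1)
    access, size, addr = ACCESS_RE.search(report).groups()
    region_size, _start, end = REGION_RE.search(report).groups()
    size, region_size = int(size), int(region_size)

    # Frames before "allocated by" belong to the faulting access, not the malloc.
    frames = FRAME_RE.findall(report.split("allocated by", 1)[0])
    # Skip sanitizer interceptors (memcmp, memcpy, ...) to find the real caller.
    _, func, loc = next(f for f in frames if not f[1].startswith("__interceptor_"))
    site = loc.rsplit("/", 1)[-1].rsplit(":", 1)[0]   # volume.c:992:7 -> volume.c:992

    return {
        "kind": kind,
        "access": access,
        "access_size": size,
        "region_size": region_size,
        # The reported address is where the access hit the redzone; the start of
        # the memcmp range is not in the report, so only a lower bound is derived.
        "fault_offset_past_end": int(addr, 16) - int(end, 16),
        "min_bytes_outside": max(0, size - region_size),
        "bucket": f"{kind}:{access}:{func}:{site}",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Bucketing on the first non-interceptor frame keeps crashes that share the `memcmp` interceptor but come from different call sites in separate buckets.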

Joined: Sun Sep 06, 2015 13:41
Posts: 5
Post Re: Out of bounds read in ntfs_device_mount
I can confirm this is fixed in 2016.2.22.


Fri Nov 18, 2016 16:32