Segmentation Fault at hfs_dir_open_meta_cb /sleuthkit/tsk/fs/hfs_dent.c [77809383]

Verified

Bug

Status Update

No update yet.

Description

mr...@google.com

created issue #1

Apr 9, 2018 06:29PM

This bug has been reported over 90d ago and is now eligible for a patch reward from any contributor. Please review general Patch Reward guidelines at

g.co/prp if you'd like to contribute.

The reward for this fix being accepted upstream has been set at $500.

Original report:

Hello sleuthkit team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
sleuthkit (tested with revision * develop 769742ddc4d7ea09003dad7e7300ccf12fb7fd40).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:

https://docs.docker.com/engine/reference/builder/

TL;DR instructions:
* `mkdir project`
* `cp Dockerfile /path/to/project`
* `docker build --no-cache /path/to/project`
* `docker run -it image_id_from_docker_build`

From another terminal, outside the container:
`docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer`
(reference:

https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:
`/fuzzing/repro.sh /fuzzing/reproducer`

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

ASAN:DEADLYSIGNAL
=================================================================
==16==ERROR: AddressSanitizer: SEGV on unknown address 0x6210000256a4 (pc 0x00000054812b bp 0x7ffca548a8f0 sp 0x7ffca548a480 T0)
==16==The signal is caused by a READ memory access.
#0 0x54812a in hfs_dir_open_meta_cb /fuzzing/sleuthkit/tsk/fs/hfs_dent.c:237:20
#1 0x51a96c in hfs_cat_traverse /fuzzing/sleuthkit/tsk/fs/hfs.c:1082:21
#2 0x547785 in hfs_dir_open_meta /fuzzing/sleuthkit/tsk/fs/hfs_dent.c:480:9
#3 0x50f57d in tsk_fs_dir_open_meta /fuzzing/sleuthkit/tsk/fs/fs_dir.c:290:14
#4 0x54af17 in tsk_fs_path2inum /fuzzing/sleuthkit/tsk/fs/ifind_lib.c:237:23
#5 0x522266 in hfs_open /fuzzing/sleuthkit/tsk/fs/hfs.c:6579:9
#6 0x508e89 in main /fuzzing/sleuthkit/tools/fstools/fls.cpp:267:19
#7 0x7f9daf67c2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#8 0x41d679 in _start (/fuzzing/sleuthkit/tools/fstools/fls+0x41d679)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /fuzzing/sleuthkit/tsk/fs/hfs_dent.c:237:20 in hfs_dir_open_meta_cb
==16==ABORTING

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

artifacts_67814013.zip

53 KB

Download

Comments

ry...@gmail.com <ry...@gmail.com> #2Apr 10, 2018 01:41PM

I would like to fix this bug

et...@gmail.com <et...@gmail.com> #3Nov 23, 2018 03:10PM

I would like to fix this bug.

et...@gmail.com <et...@gmail.com> #4Nov 24, 2018 11:39AM

https://github.com/sleuthkit/sleuthkit/pull/1374

Checked it with the reproducing dockerfile (from my patched repo) and it doesn't have conflicts anymore.

Waiting for merge into develop.

et...@gmail.com <et...@gmail.com> #5Nov 27, 2018 10:25AM

After 3 days of no response to my pull request I have messaged the Debian security team.

et...@gmail.com <et...@gmail.com> #6Nov 29, 2018 02:30PM

My pull request (see above) has been merged, thus the issue is fixed.

et...@gmail.com <et...@gmail.com> #7Nov 30, 2018 07:53AM

My patch has also been backported to Gentoo, other security teams are following :)

mr...@google.com <mr...@google.com> #8Nov 30, 2018 03:54PM

Hi Jordy.

We are reviewing your patch and will get back to you shortly. Thank you for your contribution!

et...@gmail.com <et...@gmail.com> #9Nov 30, 2018 04:42PM

Thanks! :)

mr...@google.com <mr...@google.com> #10Dec 5, 2018 07:27PM

Verified by mr...@google.com.

Hi Jordy,

We've done some digging on this bug and have found the following:

It looks to us like the fix for this bug was applied in

https://github.com/sleuthkit/sleuthkit/commit/114cd3d0aac8bd1aeaf4b33840feb0163d342d5b. We failed to update the bug when that fix was applied; please accept our apologies for missing that. You, however, did obtain a CVE and make a meaningful improvement with your PR, so given these circumstances, we have decided to award you the full amount for fixing this bug. Thank you for your contributions, and apologies for not updating this bug with the most current status.

Proposed award:

Moderate severity bug (without regression tests): $300
CVE filed for bug: $150
=
Total proposed award: $450.

Thank you so much! Someone will reach out to you soon about payment logistics.

pd...@gmail.com <pd...@gmail.com> #11Jul 26, 2021 04:22PM

lol tang to na

pd...@gmail.com <pd...@gmail.com> #12Jul 26, 2021 04:25PM

cheers