sleuthkit / sleuthkit

The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

Home Page: http://www.sleuthkit.org/sleuthkit/

OOB read in APFSJObject::add_entry

joachimmetz opened this issue

For assessment of impacted SleuthKit versions: https://github.com/sleuthkit/sleuthkit/blame/develop/tsk/fs/apfs_fs.cpp#L146 seems to date back to version 4.8.0 (edb2e46).

==482633==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000007544 at pc 0x7f87dc049e0b bp 0x7fffdb60a400 sp 0x7fffdb609bb0
READ of size 3604 at 0x621000007544 thread T0
    #0 0x7f87dc049e0a in __interceptor_memcpy (/lib64/libasan.so.8+0x49e0a)
    #1 0x417bfd in std::char_traits<char>::copy(char*, char const*, unsigned long) /usr/include/c++/12/bits/char_traits.h:431
    #2 0x417bfd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_S_copy(char*, char const*, unsigned long) /usr/include/c++/12/bits/basic_string.h:423
    #3 0x417bfd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_S_copy(char*, char const*, unsigned long) /usr/include/c++/12/bits/basic_string.h:418
    #4 0x417bfd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_S_copy_chars(char*, char const*, char const*) /usr/include/c++/12/bits/basic_string.h:477
    #5 0x417bfd in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char const*, char const*, std::forward_iterator_tag) /usr/include/c++/12/bits/basic_string.tcc:243
    #6 0x417bfd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, unsigned long, std::allocator<char> const&) /usr/include/c++/12/bits/basic_string.h:620
    #7 0x417bfd in APFSJObject::add_entry(APFSBtreeNodeIterator<APFSJObjBtreeNode>::{unnamed type#1} const&) sleuthkit/tsk/fs/apfs_fs.cpp:211
    #8 0x4180a2 in operator()<APFSBtreeNodeIterator<APFSJObjBtreeNode>::<unnamed struct> > sleuthkit/tsk/fs/apfs_fs.cpp:61
    #9 0x4180a2 in for_each<APFSBtreeNodeIterator<APFSJObjBtreeNode>, APFSJObject::APFSJObject(const jit&, const jit&)::<lambda(const auto:5&)> > /usr/include/c++/12/bits/stl_algo.h:3787
    #10 0x4180a2 in APFSJObject::APFSJObject(APFSBtreeNodeIterator<APFSJObjBtreeNode> const&, APFSBtreeNodeIterator<APFSJObjBtreeNode> const&) sleuthkit/tsk/fs/apfs_fs.cpp:61
    #11 0x410971 in APFSJObjTree::obj(unsigned long) const sleuthkit/tsk/fs/apfs_fs.hpp:136
    #12 0x410971 in APFSFSCompat::file_add_meta(TSK_FS_FILE*, unsigned long) const sleuthkit/tsk/fs/apfs_compat.cpp:656
    #13 0x42ac02 in tsk_fs_dir_walk_recursive sleuthkit/tsk/fs/fs_dir.c:709
    #14 0x42c7be in tsk_fs_dir_walk_internal sleuthkit/tsk/fs/fs_dir.c:1001
    #15 0x42c980 in tsk_fs_dir_walk sleuthkit/tsk/fs/fs_dir.c:1043
    #16 0x420e2b in tsk_fs_fls sleuthkit/tsk/fs/fls_lib.c:262
    #17 0x4072c1 in main sleuthkit/tools/fstools/fls.cpp:410
    #18 0x7f87db96a50f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #19 0x7f87db96a5c8 in __libc_start_main_impl ../csu/libc-start.c:381
    #20 0x407b74 in _start (sleuthkit/tools/fstools/fls+0x407b74)
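
The trace above places the over-read inside the `std::string(const char*, size_t)` constructor called from `APFSJObject::add_entry`: a copy whose length runs past the end of a heap block. The following is an added example, not part of the original issue and not SleuthKit's code or its fix, showing the general guard for that pattern. The record layout (a 16-bit length prefix followed by the data) and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical record layout (an assumption, not the APFS on-disk format):
//   [u16 little-endian length][length bytes of data]
// buf/buf_len describe the heap block the record was read into.

// Unchecked form, shown for contrast and never called here: it trusts the
// stored length, so a crafted value makes the std::string constructor
// memcpy past the end of the block (the frame pattern in the ASan report).
std::string read_field_unchecked(const uint8_t* buf, size_t off) {
  size_t len = buf[off] | (static_cast<size_t>(buf[off + 1]) << 8);
  return std::string(reinterpret_cast<const char*>(buf + off + 2), len);
}

// Checked form: offset and length are validated against buf_len before any
// byte is read. Comparisons use subtraction so they cannot wrap size_t.
bool read_field_checked(const uint8_t* buf, size_t buf_len, size_t off,
                        std::string& out) {
  if (off > buf_len || buf_len - off < 2) return false;  // no room for prefix
  size_t len = buf[off] | (static_cast<size_t>(buf[off + 1]) << 8);
  size_t data_off = off + 2;
  if (buf_len - data_off < len) return false;  // length runs past the block
  out.assign(reinterpret_cast<const char*>(buf + data_off), len);
  return true;
}

// Constructed samples: a well-formed block, and one whose length field is
// 3604 (0x0E14, the read size in the report) inside an 8-byte block.
std::vector<uint8_t> good_block() { return {0x03, 0x00, 'a', 'b', 'c', 0, 0, 0}; }
std::vector<uint8_t> bad_block() { return {0x14, 0x0E, 'a', 'b', 'c', 0, 0, 0}; }

int main() {
  std::vector<uint8_t> g = good_block(), b = bad_block();
  std::string s;
  bool ok = read_field_checked(g.data(), g.size(), 0, s) && s == "abc" &&
            !read_field_checked(b.data(), b.size(), 0, s);
  return ok ? 0 : 1;
}
```

A parser that rejects the record this way can report a corrupt-structure error to the caller instead of reading adjacent heap memory.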