SEGV in APFSBtreeNodeIterator<APFSJObjBtreeNode> APFSJObjBtreeNode::find<unsigned long, ...
joachimmetz opened this issue
Joachim Metz commented
./tools/fstools/fls -B 106 /tmp/clusterfuzz-testcase-minimized-sleuthkit_fls_apfs_fuzzer-4905707556438016
AddressSanitizer:DEADLYSIGNAL
=================================================================
==482546==ERROR: AddressSanitizer: SEGV on unknown address 0x625000011137 (pc 0x000000414a10 bp 0x7ffca77b33d0 sp 0x7ffca77b2f30 T0)
==482546==The signal is caused by a READ memory access.
#0 0x414a10 in unsigned long bitfield_value<unsigned long, void>(unsigned long, int, int) ../fs/tsk_apfs.hpp:35
#1 0x414a10 in APFSJObjKey::oid() const ../fs/tsk_apfs.hpp:1142
#2 0x414a10 in long APFSJObjTree::jobjs(unsigned long) const::{lambda(auto:1 const&, auto:2 const&)#1}::operator()<memory_view, unsigned long>(memory_view const&, unsigned long const&) const ../fs/apfs_fs.hpp:123
#3 0x414a10 in APFSBtreeNodeIterator<APFSJObjBtreeNode> APFSJObjBtreeNode::find<unsigned long, APFSJObjTree::jobjs(unsigned long) const::{lambda(auto:1 const&, auto:2 const&)#1}>(unsigned long const&, APFSJObjTree::jobjs(unsigned long) const::{lambda(auto:1 const&, auto:2 const&)#1}) const ../fs/tsk_apfs.hpp:621
#4 0x4151ad in std::pair<APFSBtreeNodeIterator<APFSJObjBtreeNode>, APFSBtreeNodeIterator<APFSJObjBtreeNode> > APFSJObjBtreeNode::find_range<unsigned long, APFSJObjTree::jobjs(unsigned long) const::{lambda(auto:1 const&, auto:2 const&)#1}>(unsigned long const&, APFSJObjTree::jobjs(unsigned long) const::{lambda(auto:1 const&, auto:2 const&)#1}) const ../fs/tsk_apfs.hpp:687
#5 0x410966 in APFSJObjTree::jobjs(unsigned long) const sleuthkit/tsk/fs/apfs_fs.hpp:124
#6 0x410966 in APFSJObjTree::obj(unsigned long) const sleuthkit/tsk/fs/apfs_fs.hpp:136
#7 0x410966 in APFSFSCompat::file_add_meta(TSK_FS_FILE*, unsigned long) const sleuthkit/tsk/fs/apfs_compat.cpp:656
#8 0x42ac02 in tsk_fs_dir_walk_recursive sleuthkit/tsk/fs/fs_dir.c:709
#9 0x42c7be in tsk_fs_dir_walk_internal sleuthkit/tsk/fs/fs_dir.c:1001
#10 0x42c980 in tsk_fs_dir_walk sleuthkit/tsk/fs/fs_dir.c:1043
#11 0x420e2b in tsk_fs_fls sleuthkit/tsk/fs/fls_lib.c:262
#12 0x4072c1 in main sleuthkit/tools/fstools/fls.cpp:410
#13 0x7f2411f6a50f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#14 0x7f2411f6a5c8 in __libc_start_main_impl ../csu/libc-start.c:381
#15 0x407b74 in _start (sleuthkit/tools/fstools/fls+0x407b74)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../fs/tsk_apfs.hpp:35 in unsigned long bitfield_value<unsigned long, void>(unsigned long, int, int)
==482546==ABORTING
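The trace above dies in `bitfield_value` while `APFSJObjKey::oid()` reads a key through a `memory_view` whose offset points outside the node buffer. The following is an added example (not Sleuth Kit code) of the defensive pattern that turns such a read into a rejected key instead of a fault: a bounds-checked view plus the same bitfield extraction; the 60-bit oid / 4-bit type key layout and the `checked_view`, `parse_jobj_key` names are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Minimal bounds-checked view over a node's bytes (illustrative, not TSK's memory_view).
struct checked_view {
    const uint8_t* data;
    size_t size;

    // Host-endian u64 at `off`, or nullopt when the read would leave the buffer.
    // Written as `size - off < 8` after the `off > size` check so it cannot overflow.
    std::optional<uint64_t> u64_at(size_t off) const {
        if (off > size || size - off < sizeof(uint64_t)) return std::nullopt;
        uint64_t v;
        std::memcpy(&v, data + off, sizeof v);
        return v;
    }
};

// Extract `nbits` bits starting at `shift` (same shape as the bitfield_value in the trace).
constexpr uint64_t bitfield_value(uint64_t v, int nbits, int shift) {
    const uint64_t mask = nbits >= 64 ? ~0ULL : ((1ULL << nbits) - 1);
    return (v >> shift) & mask;
}

// Assumed key layout: low 60 bits object id, high 4 bits record type.
struct jobj_key { uint64_t oid; uint8_t type; };

// Parse the key at `key_off`; a key that does not fit in the node is rejected, never dereferenced.
std::optional<jobj_key> parse_jobj_key(const checked_view& node, size_t key_off) {
    auto raw = node.u64_at(key_off);
    if (!raw) return std::nullopt;
    return jobj_key{ bitfield_value(*raw, 60, 0),
                     static_cast<uint8_t>(bitfield_value(*raw, 4, 60)) };
}

// Constructed sample node: 16 bytes holding one key at offset 0 (oid 0x1234, type 3).
static const std::vector<uint8_t> sample_node = {
    0x34, 0x12, 0, 0, 0, 0, 0, 0x30,  0, 0, 0, 0, 0, 0, 0, 0 };

int main() {
    checked_view node{ sample_node.data(), sample_node.size() };
    auto good = parse_jobj_key(node, 0);
    auto bad  = parse_jobj_key(node, 12);  // 12 + 8 > 16: rejected instead of faulting
    return (good && good->oid == 0x1234 && good->type == 3 && !bad) ? 0 : 1;
}
```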
Joachim Metz commented
Seems to be related to #2802, resulting in a SEGV (a more serious impact) rather than an OOB read.
Joachim Metz commented
#2803 seems to address this issue as well