sleuthkit / sleuthkit

The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

Home Page:http://www.sleuthkit.org/sleuthkit/


SEGV in APFSBtreeNodeIterator<APFSJObjBtreeNode> APFSJObjBtreeNode::find<unsigned long, ...

joachimmetz opened this issue

./tools/fstools/fls -B 106 /tmp/clusterfuzz-testcase-minimized-sleuthkit_fls_apfs_fuzzer-4905707556438016 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==482546==ERROR: AddressSanitizer: SEGV on unknown address 0x625000011137 (pc 0x000000414a10 bp 0x7ffca77b33d0 sp 0x7ffca77b2f30 T0)
==482546==The signal is caused by a READ memory access.
    #0 0x414a10 in unsigned long bitfield_value<unsigned long, void>(unsigned long, int, int) ../fs/tsk_apfs.hpp:35
    #1 0x414a10 in APFSJObjKey::oid() const ../fs/tsk_apfs.hpp:1142
    #2 0x414a10 in long APFSJObjTree::jobjs(unsigned long) const::{lambda(auto:1 const&, auto:2 const&)#1}::operator()<memory_view, unsigned long>(memory_view const&, unsigned long const&) const ../fs/apfs_fs.hpp:123
    #3 0x414a10 in APFSBtreeNodeIterator<APFSJObjBtreeNode> APFSJObjBtreeNode::find<unsigned long, APFSJObjTree::jobjs(unsigned long) const::{lambda(auto:1 const&, auto:2 const&)#1}>(unsigned long const&, APFSJObjTree::jobjs(unsigned long) const::{lambda(auto:1 const&, auto:2 const&)#1}) const ../fs/tsk_apfs.hpp:621
    #4 0x4151ad in std::pair<APFSBtreeNodeIterator<APFSJObjBtreeNode>, APFSBtreeNodeIterator<APFSJObjBtreeNode> > APFSJObjBtreeNode::find_range<unsigned long, APFSJObjTree::jobjs(unsigned long) const::{lambda(auto:1 const&, auto:2 const&)#1}>(unsigned long const&, APFSJObjTree::jobjs(unsigned long) const::{lambda(auto:1 const&, auto:2 const&)#1}) const ../fs/tsk_apfs.hpp:687
    #5 0x410966 in APFSJObjTree::jobjs(unsigned long) const sleuthkit/tsk/fs/apfs_fs.hpp:124
    #6 0x410966 in APFSJObjTree::obj(unsigned long) const sleuthkit/tsk/fs/apfs_fs.hpp:136
    #7 0x410966 in APFSFSCompat::file_add_meta(TSK_FS_FILE*, unsigned long) const sleuthkit/tsk/fs/apfs_compat.cpp:656
    #8 0x42ac02 in tsk_fs_dir_walk_recursive sleuthkit/tsk/fs/fs_dir.c:709
    #9 0x42c7be in tsk_fs_dir_walk_internal sleuthkit/tsk/fs/fs_dir.c:1001
    #10 0x42c980 in tsk_fs_dir_walk sleuthkit/tsk/fs/fs_dir.c:1043
    #11 0x420e2b in tsk_fs_fls sleuthkit/tsk/fs/fls_lib.c:262
    #12 0x4072c1 in main sleuthkit/tools/fstools/fls.cpp:410
    #13 0x7f2411f6a50f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #14 0x7f2411f6a5c8 in __libc_start_main_impl ../csu/libc-start.c:381
    #15 0x407b74 in _start (sleuthkit/tools/fstools/fls+0x407b74)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../fs/tsk_apfs.hpp:35 in unsigned long bitfield_value<unsigned long, void>(unsigned long, int, int)
==482546==ABORTING

Seems to be related to #2802, resulting in a SEGV (a more serious impact) rather than an OOB read.

#2803 seems to address this issue as well
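The trace above shows the fault surfacing while a key taken from B-tree node data is decoded (`APFSJObjKey::oid()` via `bitfield_value`). As an added example, not the project's code or its fix, the following shows the general defensive pattern for such parsers: every offset and length read from the untrusted node is checked against the buffer before it is dereferenced, so a crafted table of contents yields a rejected record instead of an out-of-range read. The `TocEntry` layout and `read_key`/`make_node` helpers are a simplified constructed model, only the 60-bit object id / 4-bit type split of `obj_id_and_type` follows the APFS key format.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <vector>

// APFS J-object key: low 60 bits hold the object id, high 4 bits the record type.
struct JObjKey {
    uint64_t obj_id_and_type;
    uint64_t oid()  const { return obj_id_and_type & ((uint64_t{1} << 60) - 1); }
    uint8_t  type() const { return static_cast<uint8_t>(obj_id_and_type >> 60); }
};

// Hypothetical (constructed) table-of-contents entry locating a key in the node.
struct TocEntry { uint16_t key_off; uint16_t key_len; };

// Read key #i from an untrusted node buffer, or nullopt if any image-derived
// offset would leave the buffer. All arithmetic is kept overflow-safe.
std::optional<JObjKey> read_key(const std::vector<uint8_t>& node,
                                size_t toc_off, size_t toc_count, size_t i) {
    if (i >= toc_count || toc_off > node.size()) return std::nullopt;
    if (i >= (node.size() - toc_off) / sizeof(TocEntry)) return std::nullopt;  // TOC entry inside node
    TocEntry e;
    std::memcpy(&e, node.data() + toc_off + i * sizeof(TocEntry), sizeof e);
    if (e.key_len < sizeof(JObjKey)) return std::nullopt;                       // key too short to decode
    if (e.key_off > node.size() || e.key_len > node.size() - e.key_off) return std::nullopt;  // key inside node
    JObjKey k;
    std::memcpy(&k, node.data() + e.key_off, sizeof k);
    return k;
}

// Constructed 64-byte node: one TOC entry at offset 0, key material at key_off.
std::vector<uint8_t> make_node(uint16_t key_off, uint16_t key_len, uint64_t oid_and_type) {
    std::vector<uint8_t> node(64, 0);
    TocEntry e{key_off, key_len};
    std::memcpy(node.data(), &e, sizeof e);
    if (key_off + sizeof(JObjKey) <= node.size())
        std::memcpy(node.data() + key_off, &oid_and_type, sizeof oid_and_type);
    return node;
}

int main() {
    auto good = read_key(make_node(32, 8, (uint64_t{5} << 60) | 0x1234), 0, 1, 0);
    std::printf("well-formed key: oid=%#llx type=%u\n",
                (unsigned long long)good->oid(), good->type());
    auto bad = read_key(make_node(0xFFF0, 8, 1), 0, 1, 0);   // key_off points past the node
    std::printf("crafted key_off rejected: %s\n", bad ? "no" : "yes");
    return 0;
}
```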