Fixed OOB reads in hfs_cat_traverse

(cherry picked from commit 1d8693a0144be716cefe52bacdb55faa77516935)
2021-08-26 20:57:43 +08:00 · 2021-08-26 20:57:43 +08:00 · 15c6a656ea
commit 15c6a656ea
parent 390c63ef3a
4 changed files with 82 additions and 10 deletions
--- a/0009-fix-memleak-in-ntfs.patch
+++ b/0009-fix-memleak-in-ntfs.patch
--- a/0010-Fixed-HFS-BTree-key-OOB-read.patch
+++ b/0010-Fixed-HFS-BTree-key-OOB-read.patch
@ -0,0 +1,24 @@
 From 0954034dc1ac757cfc125539c41cc2b42525b303 Mon Sep 17 00:00:00 2001
 From: Joachim Metz <joachim.metz@gmail.com>
 Date: Tue, 27 Apr 2021 06:22:02 +0200
 Subject: [PATCH] Fixed HFS BTree key OOB read
 ---
 tsk/fs/hfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
 index 2935fc50e3..d3b92aaad7 100644
 --- a/tsk/fs/hfs.c
 +++ b/tsk/fs/hfs.c
@@ -976,7 +976,9 @@ hfs_cat_traverse(HFS_INFO * hfs,
                 rec_off =
                     tsk_getu16(fs->endian,
                     &node[nodesize - (rec + 1) * 2]);
 -                if (rec_off >= nodesize) {
 +
 +                // Need at least 2 bytes for key_len
 +                if (rec_off >= nodesize - 2) {
                     tsk_error_set_errno(TSK_ERR_FS_GENFS);
                     tsk_error_set_errstr
                         ("hfs_cat_traverse: offset of record %d in leaf node %d too large (%d vs %"
--- a/0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch
+++ b/0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch
@ -0,0 +1,43 @@
 From 47b9992636f2e155b09503497ee58d819993c40d Mon Sep 17 00:00:00 2001
 From: Joachim Metz <joachim.metz@gmail.com>
 Date: Sat, 1 May 2021 07:46:49 +0200
 Subject: [PATCH] Fixed OOB reads in hfs_cat_traverse
 ---
 tsk/fs/hfs.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
 diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
 index e3221152b7..01259cee2d 100644
 --- a/tsk/fs/hfs.c
 +++ b/tsk/fs/hfs.c
@@ -483,7 +483,7 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
                 rec_off =
                     tsk_getu16(fs->endian,
                     &node[nodesize - (rec + 1) * 2]);
 -                if (rec_off + sizeof(hfs_btree_key_ext) > nodesize) {
 +                if (rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {
                     tsk_error_set_errno(TSK_ERR_FS_GENFS);
                     tsk_error_set_errstr
                         ("hfs_ext_find_extent_record_attr: offset of record %d in index node %d too large (%d vs %"
@@ -578,7 +578,8 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
                 rec_off =
                     tsk_getu16(fs->endian,
                     &node[nodesize - (rec + 1) * 2]);
 -                if (rec_off >= nodesize) {
 +
 +                if (rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {
                     tsk_error_set_errno(TSK_ERR_FS_GENFS);
                     tsk_error_set_errstr
                         ("hfs_ext_find_extent_record_attr: offset of record %d in leaf node %d too large (%d vs %"
@@ -855,7 +856,9 @@ hfs_cat_traverse(HFS_INFO * hfs,
                 rec_off =
                     tsk_getu16(fs->endian,
                     &node[nodesize - (rec + 1) * 2]);
 -                if (rec_off >= nodesize) {
 +
 +                // Need at least 2 bytes for key_len
 +                if (rec_off >= nodesize - 2) {
                     tsk_error_set_errno(TSK_ERR_FS_GENFS);
                     tsk_error_set_errstr
                         ("hfs_cat_traverse: offset of record %d in index node %d too large (%d vs %"
--- a/sleuthkit.spec
+++ b/sleuthkit.spec
@ -1,20 +1,22 @@
 Name:           sleuthkit
 Version:        4.6.7
-Release:        9
+Release:        10
 Summary:        Tools for file system and volume forensic analysis
 License:        CPL and IBM and GPLv2+
 URL:            http://www.sleuthkit.org
 Source0:        https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-%{version}/sleuthkit-%{version}.tar.gz
-Patch1:         0001-MEMORYLEAK-DOS-LOAD-EXT-TABLE.patch
+Patch0001:      0001-MEMORYLEAK-DOS-LOAD-EXT-TABLE.patch
-Patch2:         0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
+Patch0002:      0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
-Patch3:         0003-Fix-bug-introduced-with-imap-offset-check.patch
+Patch0003:      0003-Fix-bug-introduced-with-imap-offset-check.patch
-Patch4:         0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
+Patch0004:      0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
-Patch5:         0005-Fix-Fuzz-buffer-overflow.patch
+Patch0005:      0005-Fix-Fuzz-buffer-overflow.patch
-Patch6:         0006-Add-attributes-file-nodesize-check.patch
+Patch0006:      0006-Add-attributes-file-nodesize-check.patch
-Patch7:         0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch
+Patch0007:      0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch
-Patch8:         0008-left-shift.patch
+Patch0008:      0008-left-shift.patch
-Patch9:         fix-memleak-in-ntfs.patch
+Patch0009:      0009-fix-memleak-in-ntfs.patch
 Patch0010:      0010-Fixed-HFS-BTree-key-OOB-read.patch
 Patch0011:      0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch
 BuildRequires:  gcc-c++ afflib-devel >= 3.3.4 libewf-devel perl-generators sqlite-devel
@ -89,6 +91,9 @@ sed -i.rpath 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 %{_mandir}/man1/*
 %changelog
 * Thu Aug 26 2021 lingsheng <lingsheng@huawei.com> - 4.6.7-10
 - Fixed OOB reads in hfs_cat_traverse
 * Thu Aug 26 2021 sunguoshuai <sunguoshuai@huawei.com> - 4.6.7-9
 - Fix memleak in ntfs