packages/sleuthkit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!51 Update to 4.12.1

Browse Source 
From: @wu-leilei 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
This commit is contained in:
openeuler-ci-bot 2023-10-18 07:33:37 +00:00 committed by Gitee
commit 9060bba55a
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
17 changed files with 31 additions and 833 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
0001-MEMORYLEAK-DOS-LOAD-EXT-TABLE.patch
View File

@ -1,11 +0,0 @@
diff -Nur sleuthkit-4.6.7/tsk/vs/dos.c sleuthkit-4.6.7.new/tsk/vs/dos.c
--- sleuthkit-4.6.7/tsk/vs/dos.c 2019-08-03 04:20:57.000000000 +0800
+++ sleuthkit-4.6.7.new/tsk/vs/dos.c 2020-12-09 17:35:47.356058422 +0800
@@ -769,6 +769,7 @@
tsk_error_set_errno(TSK_ERR_VS_BLK_NUM);
tsk_error_set_errstr
("dos_load_ext_table: Loop in partition table detected");
+ free(sect_buf);
return 1;
}
part_info = part_info->next;

35
0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
View File

@ -1,35 +0,0 @@
From 77a5b8bf749d059ed3966dc7b6c4a67d265fc69b Mon Sep 17 00:00:00 2001
From: esaunders <esaunders@basistech.com>
Date: Tue, 3 Dec 2019 17:28:38 -0500
Subject: [PATCH 2/2] Ensure that we don't attempt to index into an invalid
offset in imap_buf.
---
tsk/fs/ext2fs.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/tsk/fs/ext2fs.c b/tsk/fs/ext2fs.c
index 5a480856..14715c11 100755
--- a/tsk/fs/ext2fs.c
+++ b/tsk/fs/ext2fs.c
@@ -1051,6 +1051,19 @@ ext2fs_inode_walk(TSK_FS_INFO * fs, TSK_INUM_T start_inum,
grp_num * tsk_getu32(fs->endian,
ext2fs->fs->s_inodes_per_group) + 1;
+ /*
+ * Ensure that inum - ibase refers to a valid offset in imap_buf.
+ */
+ if ((inum - ibase) > fs->block_size) {
+ tsk_release_lock(&ext2fs->lock);
+ free(dino_buf);
+ tsk_error_reset();
+ tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
+ tsk_error_set_errstr("%s: Invalid offset into imap_buf (inum %" PRIuINUM " - ibase %" PRIuINUM ")",
+ myname, inum, ibase);
+ return 1;
+ }
+
/*
* Apply the allocated/unallocated restriction.
*/
--

47
0003-Fix-bug-introduced-with-imap-offset-check.patch
View File

@ -1,47 +0,0 @@
From f7a20cf162a02a4ce5301eb6b27bbc53fd5998b5 Mon Sep 17 00:00:00 2001
From: Brian Carrier <carrier@sleuthkit.org>
Date: Wed, 29 Apr 2020 15:47:01 -0400
Subject: [PATCH] Fix bug introduced with imap offset check
---
tsk/fs/ext2fs.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/tsk/fs/ext2fs.c b/tsk/fs/ext2fs.c
index 45dd18c2..1f56c943 100755
--- a/tsk/fs/ext2fs.c
+++ b/tsk/fs/ext2fs.c
@@ -841,6 +841,20 @@ ext2fs_dinode_copy(EXT2FS_INFO * ext2fs, TSK_FS_META * fs_meta,
grp_num * tsk_getu32(fs->endian,
ext2fs->fs->s_inodes_per_group) + fs->first_inum;
+
+ /*
+ * Ensure that inum - ibase refers to a valid bit offset in imap_buf.
+ */
+ if ((inum - ibase) > fs->block_size*8) {
+ tsk_release_lock(&ext2fs->lock);
+ tsk_error_reset();
+ tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
+ tsk_error_set_errstr("ext2fs_dinode_copy: Invalid offset into imap_buf (inum %" PRIuINUM " - ibase %" PRIuINUM ")",
+ inum, ibase);
+ return 1;
+ }
+
+
/*
* Apply the allocated/unallocated restriction.
*/
@@ -1052,9 +1066,9 @@ ext2fs_inode_walk(TSK_FS_INFO * fs, TSK_INUM_T start_inum,
ext2fs->fs->s_inodes_per_group) + 1;
/*
- * Ensure that inum - ibase refers to a valid offset in imap_buf.
+ * Ensure that inum - ibase refers to a valid bit offset in imap_buf.
*/
- if ((inum - ibase) > fs->block_size) {
+ if ((inum - ibase) > fs->block_size*8) {
tsk_release_lock(&ext2fs->lock);
free(dino_buf);
tsk_error_reset();
--

24
0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
View File

@ -1,24 +0,0 @@
From 109ca428154925f6e031fbc817b48e9dc578f8db Mon Sep 17 00:00:00 2001
From: esaunders <esaunders@basistech.com>
Date: Tue, 14 Jan 2020 15:45:44 -0500
Subject: [PATCH] Cast attrseq address to uintptr_t so that the correct type
can be inferred for the + operator.
---
tsk/fs/ntfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tsk/fs/ntfs.c b/tsk/fs/ntfs.c
index 837033ea..eeff809e 100755
--- a/tsk/fs/ntfs.c
+++ b/tsk/fs/ntfs.c
@@ -1770,7 +1770,7 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
// sanity check on bounds of attribute. Prevents other
// issues later on that use attr->len for bounds checks.
if (((uintptr_t) attr + tsk_getu32(fs->endian,
- attr->len)) > (uintptr_t) (a_attrseq + len)) {
+ attr->len)) > (uintptr_t)a_attrseq + len) {
break;
}
--

62
0005-Fix-Fuzz-buffer-overflow.patch
View File

@ -1,62 +0,0 @@
diff -Nur sleuthkit-4.6.7/tsk/fs/ext2fs.c sleuthkit-4.6.7.new/tsk/fs/ext2fs.c
--- sleuthkit-4.6.7/tsk/fs/ext2fs.c 2020-12-16 14:43:46.929902964 +0800
+++ sleuthkit-4.6.7.new/tsk/fs/ext2fs.c 2020-12-16 14:54:44.211056190 +0800
@@ -1021,8 +1021,10 @@
if ((fs_file = tsk_fs_file_alloc(fs)) == NULL)
return 1;
if ((fs_file->meta =
- tsk_fs_meta_alloc(EXT2FS_FILE_CONTENT_LEN)) == NULL)
+ tsk_fs_meta_alloc(EXT2FS_FILE_CONTENT_LEN)) == NULL) {
+ tsk_fs_file_close(fs_file);
return 1;
+ }
// we need to handle fs->last_inum specially because it is for the
// virtual ORPHANS directory. Handle it outside of the loop.
@@ -1038,6 +1040,7 @@
ext2fs->inode_size >
sizeof(ext2fs_inode) ? ext2fs->inode_size : sizeof(ext2fs_inode);
if ((dino_buf = (ext2fs_inode *) tsk_malloc(size)) == NULL) {
+ tsk_fs_file_close(fs_file);
return 1;
}
@@ -1058,6 +1061,7 @@
if (ext2fs_imap_load(ext2fs, grp_num)) {
tsk_release_lock(&ext2fs->lock);
+ tsk_fs_file_close(fs_file);
free(dino_buf);
return 1;
}
@@ -1068,8 +1072,9 @@
/*
* Ensure that inum - ibase refers to a valid bit offset in imap_buf.
*/
- if ((inum - ibase) > fs->block_size*8) {
+ if ((inum - ibase) >= fs->block_size*8) {
tsk_release_lock(&ext2fs->lock);
+ tsk_fs_file_close(fs_file);
free(dino_buf);
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
@@ -1120,7 +1125,7 @@
* to the application.
*/
if (ext2fs_dinode_copy(ext2fs, fs_file->meta, inum, dino_buf)) {
- tsk_fs_meta_close(fs_file->meta);
+ tsk_fs_file_close(fs_file);
free(dino_buf);
return 1;
}
diff -Nur sleuthkit-4.6.7/tsk/fs/unix_misc.c sleuthkit-4.6.7.new/tsk/fs/unix_misc.c
--- sleuthkit-4.6.7/tsk/fs/unix_misc.c 2019-08-03 04:20:57.000000000 +0800
+++ sleuthkit-4.6.7.new/tsk/fs/unix_misc.c 2020-12-16 14:56:46.852764086 +0800
@@ -180,6 +180,7 @@
}
tsk_error_set_errstr2("unix_make_data_run_indir: Block %"
PRIuDADDR, addr);
+ free(data_run);
return -1;
}
}

24
0006-Add-attributes-file-nodesize-check.patch
View File

@ -1,18 +1,18 @@
From 6d709c18097b2b60a8583baf0714648a363b724e Mon Sep 17 00:00:00 2001
From 1e5d36e31edc7a46d3cea0c1e65941f9dc753fc3 Mon Sep 17 00:00:00 2001
From: lingsheng <lingsheng@huawei.com>
Date: Fri, 18 Dec 2020 10:52:36 +0800
Subject: [PATCH] Add attributes file nodesize check
---
tsk/fs/hfs.c | 11 +++++++++++
1 file changed, 11 insertions(+)
tsk/fs/hfs.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
index 43dc2a9..636c4b7 100644
index 3acc7ff..2f513cd 100644
--- a/tsk/fs/hfs.c
+++ b/tsk/fs/hfs.c
@@ -3970,6 +3970,18 @@ hfs_load_extended_attrs(TSK_FS_FILE * fs_file,
return 0;
@@ -3922,6 +3922,18 @@ hfs_load_extended_attrs(TSK_FS_FILE * fs_file,
return 1;
}
+ // Is the Attributes file nodesize valid?
@ -20,16 +20,16 @@ index 43dc2a9..636c4b7 100644
+ if (attrFile.nodeSize < 512 || attrFile.nodeSize > 32768) {
+ if (tsk_verbose)
+ tsk_fprintf(stderr,
+ "hfs_load_extended_attrs: Attributes file nodesize is invalid\n");
+ close_attr_file(&attrFile);
+ *isCompressed = FALSE;
+ *cmpType = 0;
+ return 0;
+ "hfs_load_extended_attrs: Attributes file nodesize is invalid\n");
+ close_attr_file(&attrFile);
+ *isCompressed = FALSE;
+ *cmpType = 0;
+ return 0;
+ }
+
// A place to hold one node worth of data
nodeData = (uint8_t *) malloc(attrFile.nodeSize);
if (nodeData == NULL) {
--
2.23.0
2.27.0

99
0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch
View File

@ -1,99 +0,0 @@
From 2701739f8ad80d14c36de1e3a7a35bd792fceabb Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Wed, 28 Apr 2021 09:40:47 +0200
Subject: [PATCH] Fixed OOB reads in hfs_cat_traverse #1401
---
tsk/fs/hfs.c | 46 +++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 43 insertions(+), 3 deletions(-)
diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
index 22618534ee..003db5a950 100644
--- a/tsk/fs/hfs.c
+++ b/tsk/fs/hfs.c
@@ -469,6 +469,16 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
size_t rec_off;
hfs_btree_key_ext *key;
+ // Make sure node is large enough, note that (rec + 1) * 2 is an offset
+ // relative to the end of node
+ if ((rec + 1) * 2 > (int) nodesize) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_ext_find_extent_record: offset of record %d in leaf node %d too small (%"
+ PRIu16 ")", rec, cur_node, nodesize);
+ free(node);
+ return 1;
+ }
// get the record offset in the node
rec_off =
tsk_getu16(fs->endian,
@@ -554,11 +564,21 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
int keylen;
TSK_FS_ATTR_RUN *attr_run;
+ // Make sure node is large enough, note that (rec + 1) * 2 is an offset
+ // relative to the end of node
+ if ((rec + 1) * 2 > (int) nodesize) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_ext_find_extent_record_attr: offset of record %d in leaf node %d too small (%"
+ PRIu16 ")", rec, cur_node, nodesize);
+ free(node);
+ return 1;
+ }
// get the record offset in the node
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off > nodesize) {
+ if (rec_off >= nodesize) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_ext_find_extent_record_attr: offset of record %d in leaf node %d too large (%d vs %"
@@ -821,11 +841,21 @@ hfs_cat_traverse(HFS_INFO * hfs,
uint8_t retval;
int keylen;
+ // Make sure node is large enough, note that (rec + 1) * 2 is an offset
+ // relative to the end of node
+ if ((rec + 1) * 2 > (int) nodesize) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_cat_traverse: offset of record %d in leaf node %d too small (%"
+ PRIu16 ")", rec, cur_node, nodesize);
+ free(node);
+ return 1;
+ }
// get the record offset in the node
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off > nodesize) {
+ if (rec_off >= nodesize) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_cat_traverse: offset of record %d in index node %d too large (%d vs %"
@@ -931,11 +961,21 @@ hfs_cat_traverse(HFS_INFO * hfs,
uint8_t retval;
int keylen;
+ // Make sure node is large enough, note that (rec + 1) * 2 is an offset
+ // relative to the end of node
+ if ((rec + 1) * 2 > (int) nodesize) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_cat_traverse: offset of record %d in leaf node %d too small (%"
+ PRIu16 ")", rec, cur_node, nodesize);
+ free(node);
+ return 1;
+ }
// get the record offset in the node
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off > nodesize) {
+ if (rec_off >= nodesize) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_cat_traverse: offset of record %d in leaf node %d too large (%d vs %"

14
0008-left-shift.patch
View File

@ -1,4 +1,4 @@
From 86b8f475811a20a477801a50eada3b43fb3129ea Mon Sep 17 00:00:00 2001
From 1260a66b8fe7400250d33f98fcbce0fa848bfc09 Mon Sep 17 00:00:00 2001
From: caodongxia <315816521@qq.com>
Date: Wed, 2 Jun 2021 19:18:22 +0800
Subject: [PATCH] create patch
@ -8,10 +8,10 @@ Subject: [PATCH] create patch
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/tsk/base/tsk_base_i.h b/tsk/base/tsk_base_i.h
index 147ef13..de86b32 100644
index ffa5cf3..c022302 100644
--- a/tsk/base/tsk_base_i.h
+++ b/tsk/base/tsk_base_i.h
@@ -79,8 +79,8 @@ extern "C" {
@@ -85,8 +85,8 @@ extern "C" {
*/
#define tsk_getu16(endian, x) \
(uint16_t)(((endian) == TSK_LIT_ENDIAN) ? \
@ -22,7 +22,7 @@ index 147ef13..de86b32 100644
/** \internal
* Read a 16-bit signed value.
@@ -99,8 +99,8 @@ extern "C" {
@@ -105,8 +105,8 @@ extern "C" {
*/
#define tsk_getu24(endian, x) \
(uint32_t)(((endian) == TSK_LIT_ENDIAN) ? \
@ -33,14 +33,14 @@ index 147ef13..de86b32 100644
@@ -112,15 +112,15 @@ extern "C" {
@@ -118,15 +118,15 @@ extern "C" {
*/
#define tsk_getu32(endian, x) \
(uint32_t)( ((endian) == TSK_LIT_ENDIAN) ? \
- ((((uint8_t *)(x))[0] << 0) + \
- (((uint8_t *)(x))[1] << 8) + \
- (((uint8_t *)(x))[2] << 16) + \
- (((uint8_t *)(x))[3] << 24) ) \
- ((uint32_t)((uint8_t *)(x))[3] << 24) ) \
+ (((unsigned int)(((uint8_t *)(x))[0]) << 0) + \
+ ((unsigned int)(((uint8_t *)(x))[1]) << 8) + \
+ ((unsigned int)(((uint8_t *)(x))[2]) << 16) + \
@ -49,7 +49,7 @@ index 147ef13..de86b32 100644
- ((((uint8_t *)(x))[3] << 0) + \
- (((uint8_t *)(x))[2] << 8) + \
- (((uint8_t *)(x))[1] << 16) + \
- (((uint8_t *)(x))[0] << 24) ) )
- ((uint32_t)((uint8_t *)(x))[0] << 24) ) )
+ (((unsigned int)(((uint8_t *)(x))[3]) << 0) + \
+ ((unsigned int)(((uint8_t *)(x))[2]) << 8) + \
+ ((unsigned int)(((uint8_t *)(x))[1]) << 16) + \

79
0009-fix-memleak-in-ntfs.patch
View File

@ -1,79 +0,0 @@
From f7f44f8d321628d0a9d960d4183d2eba63ed29ed Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Thu, 22 Apr 2021 20:29:46 +0200
Subject: [PATCH] Fixed leak in error path #1190
---
tsk/fs/ntfs.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/tsk/fs/ntfs.c b/tsk/fs/ntfs.c
index f55b849..e82abae 100755
--- a/tsk/fs/ntfs.c
+++ b/tsk/fs/ntfs.c
@@ -592,7 +592,8 @@ ntfs_make_data_run(NTFS_INFO * ntfs, TSK_OFF_T start_vcn,
int64_t addr_offset = 0;
/* allocate a new tsk_fs_attr_run */
- if ((data_run = tsk_fs_attr_run_alloc()) == NULL) {
+ data_run = tsk_fs_attr_run_alloc();
+ if (data_run == NULL) {
tsk_fs_attr_run_free(*a_data_run_head);
*a_data_run_head = NULL;
return TSK_ERR;
@@ -2015,8 +2016,10 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
tsk_error_set_errno(TSK_ERR_FS_CORRUPT);
tsk_error_set_errstr("ntfs_proc_attrseq: Compression unit size 2^%d too large",
tsk_getu16(fs->endian, attr->c.nr.compusize));
- if (fs_attr_run)
+ if (fs_attr_run) {
tsk_fs_attr_run_free(fs_attr_run);
+ fs_attr_run = NULL;
+ }
return TSK_COR;
}
@@ -2056,9 +2059,10 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
TSK_FS_ATTR_RES)) == NULL) {
tsk_error_errstr2_concat(" - proc_attrseq: getnew");
// JRB: Coverity found leak.
- if (fs_attr_run)
+ if (fs_attr_run) {
tsk_fs_attr_run_free(fs_attr_run);
- fs_attr_run = NULL;
+ fs_attr_run = NULL;
+ }
return TSK_ERR;
}
@@ -2098,10 +2102,15 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
tsk_error_errstr2_concat("- proc_attrseq: set run");
// If the run wasn't saved to the attribute, free it now
- if (fs_attr_run && (fs_attr->nrd.run == NULL))
+ if (fs_attr_run && (fs_attr->nrd.run == NULL)) {
tsk_fs_attr_run_free(fs_attr_run);
+ fs_attr_run = NULL;
+ }
return TSK_COR;
}
+ // fs_file has taken over managerment of fs_attr_run
+ fs_attr_run = NULL;
+
// set the special functions
if (fs_file->meta->flags & TSK_FS_META_FLAG_COMP) {
fs_attr->w = ntfs_attr_walk_special;
@@ -2112,6 +2121,10 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
else {
if (tsk_fs_attr_add_run(fs, fs_attr, fs_attr_run)) {
tsk_error_errstr2_concat(" - proc_attrseq: put run");
+ if (fs_attr_run) {
+ tsk_fs_attr_run_free(fs_attr_run);
+ fs_attr_run = NULL;
+ }
return TSK_COR;
}
}
--
2.30.0

24
0010-Fixed-HFS-BTree-key-OOB-read.patch
View File

@ -1,24 +0,0 @@
From 0954034dc1ac757cfc125539c41cc2b42525b303 Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Tue, 27 Apr 2021 06:22:02 +0200
Subject: [PATCH] Fixed HFS BTree key OOB read
---
tsk/fs/hfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
index 2935fc50e3..d3b92aaad7 100644
--- a/tsk/fs/hfs.c
+++ b/tsk/fs/hfs.c
@@ -976,7 +976,9 @@ hfs_cat_traverse(HFS_INFO * hfs,
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off >= nodesize) {
+
+ // Need at least 2 bytes for key_len
+ if (rec_off >= nodesize - 2) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_cat_traverse: offset of record %d in leaf node %d too large (%d vs %"

43
0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch
View File

@ -1,43 +0,0 @@
From 47b9992636f2e155b09503497ee58d819993c40d Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Sat, 1 May 2021 07:46:49 +0200
Subject: [PATCH] Fixed OOB reads in hfs_cat_traverse
---
tsk/fs/hfs.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
index e3221152b7..01259cee2d 100644
--- a/tsk/fs/hfs.c
+++ b/tsk/fs/hfs.c
@@ -483,7 +483,7 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off + sizeof(hfs_btree_key_ext) > nodesize) {
+ if (rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_ext_find_extent_record_attr: offset of record %d in index node %d too large (%d vs %"
@@ -578,7 +578,8 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off >= nodesize) {
+
+ if (rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_ext_find_extent_record_attr: offset of record %d in leaf node %d too large (%d vs %"
@@ -855,7 +856,9 @@ hfs_cat_traverse(HFS_INFO * hfs,
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off >= nodesize) {
+
+ // Need at least 2 bytes for key_len
+ if (rec_off >= nodesize - 2) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_cat_traverse: offset of record %d in index node %d too large (%d vs %"

240
0012-fix_oob_read8.patch
View File

@ -1,240 +0,0 @@
From bd5af353d9a6d8f936d59c2fda57cf7eb14c48f5 Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Sat, 1 May 2021 08:36:06 +0200
Subject: [PATCH] fix_oob_read8
---
tsk/fs/hfs.c | 28 ++++++++++++++++-------
tsk/fs/hfs_dent.c | 2 +-
tsk/fs/hfs_unicompare.c | 50 ++++++++++++++++++++++++++++++++---------
tsk/fs/tsk_hfs.h | 4 ++--
4 files changed, 63 insertions(+), 21 deletions(-)
diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
index e3221152b..8ac63b016 100644
--- a/tsk/fs/hfs.c
+++ b/tsk/fs/hfs.c
@@ -707,11 +707,17 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
*/
int
hfs_cat_compare_keys(HFS_INFO * hfs, const hfs_btree_key_cat * key1,
- const hfs_btree_key_cat * key2)
+ int keylen1, const hfs_btree_key_cat * key2)
{
TSK_FS_INFO *fs = (TSK_FS_INFO *) & (hfs->fs_info);
uint32_t cnid1, cnid2;
+ if (keylen1 < 6) {
+ // Note that it would be better to return an error value here
+ // but the current function interface does not support this
+ // Also see issue #2365
+ return -1;
+ }
cnid1 = tsk_getu32(fs->endian, key1->parent_cnid);
cnid2 = tsk_getu32(fs->endian, key2->parent_cnid);
@@ -720,7 +726,7 @@ hfs_cat_compare_keys(HFS_INFO * hfs, const hfs_btree_key_cat * key1,
if (cnid1 > cnid2)
return 1;
- return hfs_unicode_compare(hfs, &key1->name, &key2->name);
+ return hfs_unicode_compare(hfs, &key1->name, keylen1 - 6, &key2->name);
}
@@ -890,7 +896,7 @@ hfs_cat_traverse(HFS_INFO * hfs,
/* save the info from this record unless it is too big */
retval =
- a_cb(hfs, HFS_BT_NODE_TYPE_IDX, key,
+ a_cb(hfs, HFS_BT_NODE_TYPE_IDX, key, keylen,
cur_off + rec_off, ptr);
if (retval == HFS_BTREE_CB_ERR) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
@@ -1012,7 +1018,7 @@ hfs_cat_traverse(HFS_INFO * hfs,
// rec_cnid = tsk_getu32(fs->endian, key->file_id);
retval =
- a_cb(hfs, HFS_BT_NODE_TYPE_LEAF, key,
+ a_cb(hfs, HFS_BT_NODE_TYPE_LEAF, key, keylen,
cur_off + rec_off, ptr);
if (retval == HFS_BTREE_CB_LEAF_STOP) {
is_done = 1;
@@ -1058,7 +1064,7 @@ typedef struct {
static uint8_t
hfs_cat_get_record_offset_cb(HFS_INFO * hfs, int8_t level_type,
- const hfs_btree_key_cat * cur_key,
+ const hfs_btree_key_cat * cur_key, int cur_keylen,
TSK_OFF_T key_off, void *ptr)
{
HFS_CAT_GET_RECORD_OFFSET_DATA *offset_data = (HFS_CAT_GET_RECORD_OFFSET_DATA *)ptr;
@@ -1073,14 +1079,14 @@ hfs_cat_get_record_offset_cb(HFS_INFO * hfs, int8_t level_type,
tsk_getu32(hfs->fs_info.endian, cur_key->parent_cnid));
if (level_type == HFS_BT_NODE_TYPE_IDX) {
- int diff = hfs_cat_compare_keys(hfs, cur_key, targ_key);
+ int diff = hfs_cat_compare_keys(hfs, cur_key, cur_keylen, targ_key);
if (diff < 0)
return HFS_BTREE_CB_IDX_LT;
else
return HFS_BTREE_CB_IDX_EQGT;
}
else {
- int diff = hfs_cat_compare_keys(hfs, cur_key, targ_key);
+ int diff = hfs_cat_compare_keys(hfs, cur_key, cur_keylen, targ_key);
// see if this record is for our file or if we passed the interesting entries
if (diff < 0) {
@@ -1653,9 +1659,15 @@ hfs_cat_file_lookup(HFS_INFO * hfs, TSK_INUM_T inum, HFS_ENTRY * entry,
static uint8_t
hfs_find_highest_inum_cb(HFS_INFO * hfs, int8_t level_type,
- const hfs_btree_key_cat * cur_key,
+ const hfs_btree_key_cat * cur_key, int cur_keylen,
TSK_OFF_T key_off, void *ptr)
{
+ if (cur_keylen < 6) {
+ // Note that it would be better to return an error value here
+ // but the current function interface does not support this
+ // Also see issue #2365
+ return -1;
+ }
// NOTE: This assumes that the biggest inum is the last one that we
// see. the traverse method does not currently promise that as part of
// its callback "contract".
diff --git a/tsk/fs/hfs_dent.c b/tsk/fs/hfs_dent.c
index e4cebf8a4..495588642 100644
--- a/tsk/fs/hfs_dent.c
+++ b/tsk/fs/hfs_dent.c
@@ -198,7 +198,7 @@ typedef struct {
static uint8_t
hfs_dir_open_meta_cb(HFS_INFO * hfs, int8_t level_type,
- const hfs_btree_key_cat * cur_key,
+ const hfs_btree_key_cat * cur_key, int cur_keylen,
TSK_OFF_T key_off, void *ptr)
{
HFS_DIR_OPEN_META_INFO *info = (HFS_DIR_OPEN_META_INFO *) ptr;
diff --git a/tsk/fs/hfs_unicompare.c b/tsk/fs/hfs_unicompare.c
index 752486af0..91d528b88 100644
--- a/tsk/fs/hfs_unicompare.c
+++ b/tsk/fs/hfs_unicompare.c
@@ -109,7 +109,7 @@
#include "tsk_hfs.h"
static int hfs_unicode_compare_int(uint16_t endian,
- const hfs_uni_str * uni1, const hfs_uni_str * uni2);
+ const hfs_uni_str * uni1, int uni1_len, const hfs_uni_str * uni2);
/**
@@ -124,18 +124,31 @@ static int hfs_unicode_compare_int(uint16_t endian,
*/
int
hfs_unicode_compare(HFS_INFO * hfs, const hfs_uni_str * uni1,
- const hfs_uni_str * uni2)
+ int uni1_len, const hfs_uni_str * uni2)
{
if (hfs->is_case_sensitive) {
uint16_t l1, l2;
const uint8_t *s1, *s2;
uint16_t c1, c2;
+ if (uni1_len < 2) {
+ // Note that it would be better to return an error value here
+ // but the current function interface does not support this
+ // Also see issue #2365
+ return -1;
+ }
l1 = tsk_getu16(hfs->fs_info.endian, uni1->length);
l2 = tsk_getu16(hfs->fs_info.endian, uni2->length);
s1 = uni1->unicode;
s2 = uni2->unicode;
+ // Note that l1 contains number of UTF-16 "characters" and uni1_len number of bytes.
+ if (l1 > (uni1_len - 2) / 2) {
+ // Note that it would be better to return an error value here
+ // but the current function interface does not support this
+ // Also see issue #2365
+ return -1;
+ }
while (1) {
if ((l1 == 0) && (l2 == 0))
return 0;
@@ -157,7 +170,7 @@ hfs_unicode_compare(HFS_INFO * hfs, const hfs_uni_str * uni1,
return 0;
}
else
- return hfs_unicode_compare_int(hfs->fs_info.endian, uni1, uni2);
+ return hfs_unicode_compare_int(hfs->fs_info.endian, uni1, uni1_len, uni2);
}
extern uint16_t gLowerCaseTable[];
@@ -169,17 +182,34 @@ extern uint16_t gLowerCaseTable[];
*/
static int
hfs_unicode_compare_int(uint16_t endian, const hfs_uni_str * uni1,
- const hfs_uni_str * uni2)
+ int uni1_len, const hfs_uni_str * uni2)
{
uint16_t c1, c2;
uint16_t temp;
uint16_t *lowerCaseTable;
-
- const uint8_t *str1 = uni1->unicode;
- const uint8_t *str2 = uni2->unicode;
- uint16_t length1 = tsk_getu16(endian, uni1->length);
- uint16_t length2 = tsk_getu16(endian, uni2->length);
-
+ const uint8_t *str1 = NULL;
+ const uint8_t *str2 = NULL;
+ uint16_t length1 = 0;
+ uint16_t length2 = 0;
+
+ if (uni1_len < 2) {
+ // Note that it would be better to return an error value here
+ // but the current function interface does not support this
+ // Also see issue #2365
+ return -1;
+ }
+ str1 = uni1->unicode;
+ str2 = uni2->unicode;
+ length1 = tsk_getu16(endian, uni1->length);
+ length2 = tsk_getu16(endian, uni2->length);
+
+ // Note that length1 contains number of UTF-16 "characters" and uni1_len number of bytes.
+ if (length1 > (uni1_len - 2) / 2) {
+ // Note that it would be better to return an error value here
+ // but the current function interface does not support this
+ // Also see issue #2365
+ return -1;
+ }
lowerCaseTable = gLowerCaseTable;
while (1) {
diff --git a/tsk/fs/tsk_hfs.h b/tsk/fs/tsk_hfs.h
index 7becb2ab3..4437b1c5a 100644
--- a/tsk/fs/tsk_hfs.h
+++ b/tsk/fs/tsk_hfs.h
@@ -734,7 +734,7 @@ extern uint8_t hfs_UTF16toUTF8(TSK_FS_INFO *, uint8_t *, int, char *, int,
uint32_t);
extern int hfs_unicode_compare(HFS_INFO *, const hfs_uni_str *,
- const hfs_uni_str *);
+ int, const hfs_uni_str *);
extern uint16_t hfs_get_idxkeylen(HFS_INFO * hfs, uint16_t keylen,
const hfs_btree_header_record * header);
@@ -765,7 +765,7 @@ extern char hfs_is_hard_link(TSK_FS_INFO * fs, TSK_INUM_T inum);
* @param ptr Pointer to data that was passed into parent
*/
typedef uint8_t(*TSK_HFS_BTREE_CB) (HFS_INFO *, int8_t level_type,
- const hfs_btree_key_cat * cur_key,
+ const hfs_btree_key_cat * cur_key, int cur_keylen,
TSK_OFF_T key_off, void *ptr);
// return values for callback
#define HFS_BTREE_CB_IDX_LT 1 // current key is less than target (keeps looking in node)
--
2.33.0

100
0013-fix_oob_read13.patch
View File

@ -1,100 +0,0 @@
From 6bac602fc47bd668fb0b8c14ce64c073ecc2de63 Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Fri, 18 Jun 2021 13:52:41 +0200
Subject: [PATCH] fix_oob_read13
---
tsk/fs/hfs.c | 8 ++++----
tsk/fs/hfs_dent.c | 14 +++++++++++++-
tsk/fs/tsk_hfs.h | 2 +-
3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
index 8ac63b016..95d178031 100644
--- a/tsk/fs/hfs.c
+++ b/tsk/fs/hfs.c
@@ -896,7 +896,7 @@ hfs_cat_traverse(HFS_INFO * hfs,
/* save the info from this record unless it is too big */
retval =
- a_cb(hfs, HFS_BT_NODE_TYPE_IDX, key, keylen,
+ a_cb(hfs, HFS_BT_NODE_TYPE_IDX, key, keylen, nodesize,
cur_off + rec_off, ptr);
if (retval == HFS_BTREE_CB_ERR) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
@@ -1018,7 +1018,7 @@ hfs_cat_traverse(HFS_INFO * hfs,
// rec_cnid = tsk_getu32(fs->endian, key->file_id);
retval =
- a_cb(hfs, HFS_BT_NODE_TYPE_LEAF, key, keylen,
+ a_cb(hfs, HFS_BT_NODE_TYPE_LEAF, key, keylen, nodesize,
cur_off + rec_off, ptr);
if (retval == HFS_BTREE_CB_LEAF_STOP) {
is_done = 1;
@@ -1064,7 +1064,7 @@ typedef struct {
static uint8_t
hfs_cat_get_record_offset_cb(HFS_INFO * hfs, int8_t level_type,
- const hfs_btree_key_cat * cur_key, int cur_keylen,
+ const hfs_btree_key_cat * cur_key, int cur_keylen, size_t node_size,
TSK_OFF_T key_off, void *ptr)
{
HFS_CAT_GET_RECORD_OFFSET_DATA *offset_data = (HFS_CAT_GET_RECORD_OFFSET_DATA *)ptr;
@@ -1659,7 +1659,7 @@ hfs_cat_file_lookup(HFS_INFO * hfs, TSK_INUM_T inum, HFS_ENTRY * entry,
static uint8_t
hfs_find_highest_inum_cb(HFS_INFO * hfs, int8_t level_type,
- const hfs_btree_key_cat * cur_key, int cur_keylen,
+ const hfs_btree_key_cat * cur_key, int cur_keylen, size_t node_size,
TSK_OFF_T key_off, void *ptr)
{
if (cur_keylen < 6) {
diff --git a/tsk/fs/hfs_dent.c b/tsk/fs/hfs_dent.c
index 495588642..b88627e53 100644
--- a/tsk/fs/hfs_dent.c
+++ b/tsk/fs/hfs_dent.c
@@ -198,7 +198,7 @@ typedef struct {
static uint8_t
hfs_dir_open_meta_cb(HFS_INFO * hfs, int8_t level_type,
- const hfs_btree_key_cat * cur_key, int cur_keylen,
+ const hfs_btree_key_cat * cur_key, int cur_keylen, size_t nodesize,
TSK_OFF_T key_off, void *ptr)
{
HFS_DIR_OPEN_META_INFO *info = (HFS_DIR_OPEN_META_INFO *) ptr;
@@ -233,7 +233,19 @@ hfs_dir_open_meta_cb(HFS_INFO * hfs, int8_t level_type,
cur_key->parent_cnid) > info->cnid) {
return HFS_BTREE_CB_LEAF_STOP;
}
+ // Need at least 2 bytes for key_len
+ if (cur_keylen < 2) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr("hfs_dir_open_meta: cur_keylen value out of bounds");
+ return HFS_BTREE_CB_ERR;
+ }
rec_off2 = 2 + tsk_getu16(hfs->fs_info.endian, cur_key->key_len);
+
+ if ((nodesize < 2) || (rec_off2 >= nodesize - 2)) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr("hfs_dir_open_meta: nodesize value out of bounds");
+ return HFS_BTREE_CB_ERR;
+ }
rec_type = tsk_getu16(hfs->fs_info.endian, &rec_buf[rec_off2]);
// Catalog entry is for a file
diff --git a/tsk/fs/tsk_hfs.h b/tsk/fs/tsk_hfs.h
index 4437b1c5a..2530e0cfe 100644
--- a/tsk/fs/tsk_hfs.h
+++ b/tsk/fs/tsk_hfs.h
@@ -765,7 +765,7 @@ extern char hfs_is_hard_link(TSK_FS_INFO * fs, TSK_INUM_T inum);
* @param ptr Pointer to data that was passed into parent
*/
typedef uint8_t(*TSK_HFS_BTREE_CB) (HFS_INFO *, int8_t level_type,
- const hfs_btree_key_cat * cur_key, int cur_keylen,
+ const hfs_btree_key_cat * cur_key, int cur_keylen, size_t node_size,
TSK_OFF_T key_off, void *ptr);
// return values for callback
#define HFS_BTREE_CB_IDX_LT 1 // current key is less than target (keeps looking in node)
--
2.33.0

28
0014-Fixed-OOB-reads-in-hfs_dir_open_meta_cb.patch
View File

@ -1,28 +0,0 @@
From beb68f543261a28ee25b945bb79d39213decd2cd Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Fri, 18 Jun 2021 16:34:18 +0200
Subject: [PATCH] Fixed OOB reads in hfs_dir_open_meta_cb
---
tsk/fs/hfs_dent.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tsk/fs/hfs_dent.c b/tsk/fs/hfs_dent.c
index b88627e53..54460f14b 100644
--- a/tsk/fs/hfs_dent.c
+++ b/tsk/fs/hfs_dent.c
@@ -295,6 +295,11 @@ hfs_dir_open_meta_cb(HFS_INFO * hfs, int8_t level_type,
/* This is a normal file in the folder */
else if (rec_type == HFS_FILE_RECORD) {
+ if ((nodesize < sizeof(hfs_file)) || (rec_off2 >= nodesize - sizeof(hfs_file))) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr("hfs_dir_open_meta: nodesize value out of bounds");
+ return HFS_BTREE_CB_ERR;
+ }
hfs_file *file = (hfs_file *) & rec_buf[rec_off2];
// This could be a hard link. We need to test this CNID, and follow it if necessary.
unsigned char is_err;
--
2.33.0

BIN
sleuthkit-4.12.1.tar.gz Normal file
View File

Binary file not shown.

BIN
sleuthkit-4.6.7.tar.gz
View File

Binary file not shown.

34
sleuthkit.spec
View File

@ -1,30 +1,15 @@
Name: sleuthkit
Version: 4.6.7
Release: 11
Version: 4.12.1
Release: 1
Summary: Tools for file system and volume forensic analysis
License: CPL and IBM and GPLv2+
URL: http://www.sleuthkit.org
Source0: https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-%{version}/sleuthkit-%{version}.tar.gz
Patch0001: 0001-MEMORYLEAK-DOS-LOAD-EXT-TABLE.patch
Patch0002: 0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
Patch0003: 0003-Fix-bug-introduced-with-imap-offset-check.patch
Patch0004: 0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
Patch0005: 0005-Fix-Fuzz-buffer-overflow.patch
Patch0006: 0006-Add-attributes-file-nodesize-check.patch
Patch0007: 0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch
Patch0008: 0008-left-shift.patch
Patch0009: 0009-fix-memleak-in-ntfs.patch
Patch0010: 0010-Fixed-HFS-BTree-key-OOB-read.patch
Patch0011: 0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch
#https://github.com/sleuthkit/sleuthkit/pull/2453/commits/bd5af353d9a6d8f936d59c2fda57cf7eb14c48f5
Patch0012: 0012-fix_oob_read8.patch
#https://github.com/sleuthkit/sleuthkit/pull/2453/commits/6bac602fc47bd668fb0b8c14ce64c073ecc2de63
Patch0013: 0013-fix_oob_read13.patch
#https://github.com/sleuthkit/sleuthkit/pull/2453/commits/beb68f543261a28ee25b945bb79d39213decd2cd
Patch0014: 0014-Fixed-OOB-reads-in-hfs_dir_open_meta_cb.patch
Patch0001: 0006-Add-attributes-file-nodesize-check.patch
Patch0002: 0008-left-shift.patch
BuildRequires: gcc-c++ afflib-devel >= 3.3.4 libewf-devel perl-generators sqlite-devel
BuildRequires: gcc-c++ afflib-devel >= 3.3.4 libewf-devel perl-generators sqlite-devel libtool autoconf
%{?_with_java:
BuildRequires: java-devel >= 1:1.6.0 jpackage-utils
@ -61,6 +46,7 @@ The help package contains manual pages and other related files for %{name}.
%prep
%autosetup -n %{name}-%{version} -p1
autoreconf -vif
%build
%configure --disable-static %{!?_with_java:--disable-java}
@ -82,8 +68,8 @@ sed -i.rpath 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
%exclude %{_bindir}/fcat
%{_bindir}/{ffind,fiwalk,fls,fsstat,hfind,icat}
%{_bindir}/{ifind,ils,img_cat,img_stat,istat,jcat,sorter}
%{_bindir}/{jpeg_extract,jls,mactime,mmcat,mmls,mmstat,sigfind}
%{_bindir}/{srch_strings,tsk_comparedir,tsk_gettimes,tsk_loaddb,tsk_recover,usnjls}
%{_bindir}/{jpeg_extract,jls,mactime,mmcat,mmls,mmstat,pstat,sigfind}
%{_bindir}/{srch_strings,tsk_comparedir,tsk_gettimes,tsk_imageinfo,tsk_loaddb,tsk_recover,usnjls}
%exclude %{_mandir}/man1/fcat.1*
%dir %{_datadir}/tsk
%{_datadir}/tsk/sorter/
@ -92,11 +78,15 @@ sed -i.rpath 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
%files devel
%{_includedir}/tsk/
%{_libdir}/*.so
%{_libdir}/pkgconfig/tsk.pc
%files help
%{_mandir}/man1/*
%changelog
* Mon Oct 16 2023 wulei <wu_lei@hoperun.com> - 4.12.1-1
- Update to 4.12.1
* Thu Mar 10 2022 xuping <xuping33@huawei.com> - 4.6.7-11
- Fixed OOB read in hfs_dir_open_meta_cb