fix oss-fuzz heap-overflow

2020-12-16 15:40:24 +08:00 · 2020-12-16 15:40:24 +08:00 · aabf1754d6
commit aabf1754d6
parent 36825ab4ec
5 changed files with 179 additions and 1 deletions
--- a/0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
+++ b/0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
@ -0,0 +1,35 @@
 From 77a5b8bf749d059ed3966dc7b6c4a67d265fc69b Mon Sep 17 00:00:00 2001
 From: esaunders <esaunders@basistech.com>
 Date: Tue, 3 Dec 2019 17:28:38 -0500
 Subject: [PATCH 2/2] Ensure that we don't attempt to index into an invalid
 offset in imap_buf.
 ---
 tsk/fs/ext2fs.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 diff --git a/tsk/fs/ext2fs.c b/tsk/fs/ext2fs.c
 index 5a480856..14715c11 100755
 --- a/tsk/fs/ext2fs.c
 +++ b/tsk/fs/ext2fs.c
@@ -1051,6 +1051,19 @@ ext2fs_inode_walk(TSK_FS_INFO * fs, TSK_INUM_T start_inum,
             grp_num * tsk_getu32(fs->endian,
             ext2fs->fs->s_inodes_per_group) + 1;
 +        /*
 +         * Ensure that inum - ibase refers to a valid offset in imap_buf.
 +         */
 +        if ((inum - ibase) > fs->block_size) {
 +            tsk_release_lock(&ext2fs->lock);
 +            free(dino_buf);
 +            tsk_error_reset();
 +            tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
 +            tsk_error_set_errstr("%s: Invalid offset into imap_buf (inum %" PRIuINUM " - ibase %" PRIuINUM ")",
 +                myname, inum, ibase);
 +            return 1;
 +        }
 +
         /*
          * Apply the allocated/unallocated restriction.
          */
 -- 
--- a/0003-Fix-bug-introduced-with-imap-offset-check.patch
+++ b/0003-Fix-bug-introduced-with-imap-offset-check.patch
@ -0,0 +1,47 @@
 From f7a20cf162a02a4ce5301eb6b27bbc53fd5998b5 Mon Sep 17 00:00:00 2001
 From: Brian Carrier <carrier@sleuthkit.org>
 Date: Wed, 29 Apr 2020 15:47:01 -0400
 Subject: [PATCH] Fix bug introduced with imap offset check
 ---
 tsk/fs/ext2fs.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
 diff --git a/tsk/fs/ext2fs.c b/tsk/fs/ext2fs.c
 index 45dd18c2..1f56c943 100755
 --- a/tsk/fs/ext2fs.c
 +++ b/tsk/fs/ext2fs.c
@@ -841,6 +841,20 @@ ext2fs_dinode_copy(EXT2FS_INFO * ext2fs, TSK_FS_META * fs_meta,
         grp_num * tsk_getu32(fs->endian,
         ext2fs->fs->s_inodes_per_group) + fs->first_inum;
 +
 +    /*
 +     * Ensure that inum - ibase refers to a valid bit offset in imap_buf.
 +     */
 +    if ((inum - ibase) > fs->block_size*8) {
 +        tsk_release_lock(&ext2fs->lock);
 +        tsk_error_reset();
 +        tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
 +        tsk_error_set_errstr("ext2fs_dinode_copy: Invalid offset into imap_buf (inum %" PRIuINUM " - ibase %" PRIuINUM ")",
 +            inum, ibase);
 +        return 1;
 +    }
 +
 +
     /*
      * Apply the allocated/unallocated restriction.
      */
@@ -1052,9 +1066,9 @@ ext2fs_inode_walk(TSK_FS_INFO * fs, TSK_INUM_T start_inum,
             ext2fs->fs->s_inodes_per_group) + 1;
         /*
 -         * Ensure that inum - ibase refers to a valid offset in imap_buf.
 +         * Ensure that inum - ibase refers to a valid bit offset in imap_buf.
          */
 -        if ((inum - ibase) > fs->block_size) {
 +        if ((inum - ibase) > fs->block_size*8) {
             tsk_release_lock(&ext2fs->lock);
             free(dino_buf);
             tsk_error_reset();
 -- 
--- a/0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
+++ b/0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
@ -0,0 +1,24 @@
 From 109ca428154925f6e031fbc817b48e9dc578f8db Mon Sep 17 00:00:00 2001
 From: esaunders <esaunders@basistech.com>
 Date: Tue, 14 Jan 2020 15:45:44 -0500
 Subject: [PATCH] Cast attrseq address to uintptr_t so that the correct type
 can be inferred for the + operator.
 ---
 tsk/fs/ntfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/tsk/fs/ntfs.c b/tsk/fs/ntfs.c
 index 837033ea..eeff809e 100755
 --- a/tsk/fs/ntfs.c
 +++ b/tsk/fs/ntfs.c
@@ -1770,7 +1770,7 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
         // sanity check on bounds of attribute. Prevents other
         // issues later on that use attr->len for bounds checks.
         if (((uintptr_t) attr + tsk_getu32(fs->endian,
 -                               attr->len)) > (uintptr_t) (a_attrseq + len)) {
 +                               attr->len)) > (uintptr_t)a_attrseq + len) {
             break;
         }
 -- 
--- a/0005-Fix-Fuzz-buffer-overflow.patch
+++ b/0005-Fix-Fuzz-buffer-overflow.patch
@ -0,0 +1,62 @@
 diff -Nur sleuthkit-4.6.7/tsk/fs/ext2fs.c sleuthkit-4.6.7.new/tsk/fs/ext2fs.c
 --- sleuthkit-4.6.7/tsk/fs/ext2fs.c	2020-12-16 14:43:46.929902964 +0800
 +++ sleuthkit-4.6.7.new/tsk/fs/ext2fs.c	2020-12-16 14:54:44.211056190 +0800
@@ -1021,8 +1021,10 @@
     if ((fs_file = tsk_fs_file_alloc(fs)) == NULL)
         return 1;
     if ((fs_file->meta =
 -            tsk_fs_meta_alloc(EXT2FS_FILE_CONTENT_LEN)) == NULL)
 +            tsk_fs_meta_alloc(EXT2FS_FILE_CONTENT_LEN)) == NULL) {
 +        tsk_fs_file_close(fs_file);
         return 1;
 +    }
     // we need to handle fs->last_inum specially because it is for the
     // virtual ORPHANS directory.  Handle it outside of the loop.
@@ -1038,6 +1040,7 @@
         ext2fs->inode_size >
         sizeof(ext2fs_inode) ? ext2fs->inode_size : sizeof(ext2fs_inode);
     if ((dino_buf = (ext2fs_inode *) tsk_malloc(size)) == NULL) {
 +        tsk_fs_file_close(fs_file);
         return 1;
     }
@@ -1058,6 +1061,7 @@
         if (ext2fs_imap_load(ext2fs, grp_num)) {
             tsk_release_lock(&ext2fs->lock);
 +            tsk_fs_file_close(fs_file);
             free(dino_buf);
             return 1;
         }
@@ -1068,8 +1072,9 @@
         /*
          * Ensure that inum - ibase refers to a valid bit offset in imap_buf.
          */
 -        if ((inum - ibase) > fs->block_size*8) {
 +        if ((inum - ibase) >= fs->block_size*8) {
             tsk_release_lock(&ext2fs->lock);
 +            tsk_fs_file_close(fs_file);
             free(dino_buf);
             tsk_error_reset();
             tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
@@ -1120,7 +1125,7 @@
          * to the application.
          */
         if (ext2fs_dinode_copy(ext2fs, fs_file->meta, inum, dino_buf)) {
 -            tsk_fs_meta_close(fs_file->meta);
 +            tsk_fs_file_close(fs_file);
             free(dino_buf);
             return 1;
         }
 diff -Nur sleuthkit-4.6.7/tsk/fs/unix_misc.c sleuthkit-4.6.7.new/tsk/fs/unix_misc.c
 --- sleuthkit-4.6.7/tsk/fs/unix_misc.c	2019-08-03 04:20:57.000000000 +0800
 +++ sleuthkit-4.6.7.new/tsk/fs/unix_misc.c	2020-12-16 14:56:46.852764086 +0800
@@ -180,6 +180,7 @@
             }
             tsk_error_set_errstr2("unix_make_data_run_indir: Block %"
                 PRIuDADDR, addr);
 +            free(data_run);
             return -1;
         }
     }
--- a/sleuthkit.spec
+++ b/sleuthkit.spec
@ -1,12 +1,16 @@
 Name:           sleuthkit
 Version:        4.6.7
-Release:        3
+Release:        4
 Summary:        Tools for file system and volume forensic analysis
 License:        CPL and IBM and GPLv2+
 URL:            http://www.sleuthkit.org
 Source0:        https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-%{version}/sleuthkit-%{version}.tar.gz
 Patch1:         0001-MEMORYLEAK-DOS-LOAD-EXT-TABLE.patch
 Patch2:         0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
 Patch3:         0003-Fix-bug-introduced-with-imap-offset-check.patch
 Patch4:         0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
 Patch5:         0005-Fix-Fuzz-buffer-overflow.patch
 BuildRequires:  gcc-c++ afflib-devel >= 3.3.4 libewf-devel perl-generators sqlite-devel
@ -81,6 +85,12 @@ sed -i.rpath 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 %{_mandir}/man1/*
 %changelog
 * Tue Dec 15 2020 Jiachen Fan <fanjiachen3@huawei.com> - 4.6.7-4
 - fix oss-fuzz heap over flow
 * Wed Dec 9 2020 Jiachen Fan <fanjiachen3@huawei.com> - 4.6.7-3
 - fix oss-fuzz memory leak
 * Fri Feb 21 2020 wangzhishun <wangzhishun1@huawei.com> - 4.6.7-2
 - Package init