packages/sleuthkit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:ed7303580aed21a64d7dc5e91aa97b3a8bf720c3
Branches Tags
packages:main
...
compare: packages:6d2c20335ea0d714a365726c1123385abfba57d8
Branches Tags
packages:main

10 Commits
ed7303580a ... 6d2c20335e

Author SHA1 Message Date
openeuler-ci-bot
6d2c20335e !44 fix for invalid shift 
Merge pull request !44 from chen-jan/openEuler-20.03-LTS-SP3
 2021-12-16 08:39:00 +00:00
chen-jan
21809d1959 fix for invalid shift 2021-12-16 07:09:28 +00:00
openeuler-ci-bot
08eca74366 !43 修复hfs_ext_find_extent_record_attr函数堆溢出 
Merge pull request !43 from xu_ping/openEuler-20.03-LTS-SP3
 2021-12-13 11:05:44 +00:00
cherry530
6342ab363b Check avalable allocated space before attempting to case to a hfs_btree_key_ext. 
Signed-off-by: cherry530 <xuping33@huawei.com>
 2021-12-13 17:38:29 +08:00
openeuler-ci-bot
d1c6c012b7 !38 fix memleak in ntfs 
From: @ultra_planet
Reviewed-by: @small_leek
Signed-off-by: @small_leek
 2021-11-09 07:12:50 +00:00
lingsheng
f8cf3fb83e Fix memleak in ntfs 2021-09-01 17:28:41 +08:00
openeuler-ci-bot
ba47f364a9 !29 [sync] PR-27: fix issue 
From: @openeuler-sync-bot
Reviewed-by: @small_leek
Signed-off-by: @small_leek
 2021-06-03 17:06:38 +08:00
caodongxia
23900ccdba fix issue 
(cherry picked from commit 4378d2177e36b8ae289d312a9e527068d999332b)
 2021-06-03 14:43:05 +08:00
openeuler-ci-bot
617e4085d1 !23 Fixed OOB reads in hfs_cat_traverse 
From: @ultra_planet
Reviewed-by: @maminjie,@small_leek
Signed-off-by: @small_leek
 2021-05-20 10:10:21 +08:00
lingsheng
2e578dd6d2 Fixed OOB reads in hfs_cat_traverse 2021-05-19 16:53:47 +08:00
6 changed files with 338 additions and 1 deletions
Show Stats Expand all files Collapse all files

99
0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch Normal file
View File

@ -0,0 +1,99 @@
From 2701739f8ad80d14c36de1e3a7a35bd792fceabb Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Wed, 28 Apr 2021 09:40:47 +0200
Subject: [PATCH] Fixed OOB reads in hfs_cat_traverse #1401
---
tsk/fs/hfs.c | 46 +++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 43 insertions(+), 3 deletions(-)
diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
index 22618534ee..003db5a950 100644
--- a/tsk/fs/hfs.c
+++ b/tsk/fs/hfs.c
@@ -469,6 +469,16 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
size_t rec_off;
hfs_btree_key_ext *key;
+ // Make sure node is large enough, note that (rec + 1) * 2 is an offset
+ // relative to the end of node
+ if ((rec + 1) * 2 > (int) nodesize) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_ext_find_extent_record: offset of record %d in leaf node %d too small (%"
+ PRIu16 ")", rec, cur_node, nodesize);
+ free(node);
+ return 1;
+ }
// get the record offset in the node
rec_off =
tsk_getu16(fs->endian,
@@ -554,11 +564,21 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
int keylen;
TSK_FS_ATTR_RUN *attr_run;
+ // Make sure node is large enough, note that (rec + 1) * 2 is an offset
+ // relative to the end of node
+ if ((rec + 1) * 2 > (int) nodesize) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_ext_find_extent_record_attr: offset of record %d in leaf node %d too small (%"
+ PRIu16 ")", rec, cur_node, nodesize);
+ free(node);
+ return 1;
+ }
// get the record offset in the node
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off > nodesize) {
+ if (rec_off >= nodesize) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_ext_find_extent_record_attr: offset of record %d in leaf node %d too large (%d vs %"
@@ -821,11 +841,21 @@ hfs_cat_traverse(HFS_INFO * hfs,
uint8_t retval;
int keylen;
+ // Make sure node is large enough, note that (rec + 1) * 2 is an offset
+ // relative to the end of node
+ if ((rec + 1) * 2 > (int) nodesize) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_cat_traverse: offset of record %d in leaf node %d too small (%"
+ PRIu16 ")", rec, cur_node, nodesize);
+ free(node);
+ return 1;
+ }
// get the record offset in the node
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off > nodesize) {
+ if (rec_off >= nodesize) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_cat_traverse: offset of record %d in index node %d too large (%d vs %"
@@ -931,11 +961,21 @@ hfs_cat_traverse(HFS_INFO * hfs,
uint8_t retval;
int keylen;
+ // Make sure node is large enough, note that (rec + 1) * 2 is an offset
+ // relative to the end of node
+ if ((rec + 1) * 2 > (int) nodesize) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_cat_traverse: offset of record %d in leaf node %d too small (%"
+ PRIu16 ")", rec, cur_node, nodesize);
+ free(node);
+ return 1;
+ }
// get the record offset in the node
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off > nodesize) {
+ if (rec_off >= nodesize) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_cat_traverse: offset of record %d in leaf node %d too large (%d vs %"

62
0008-left-shift.patch Normal file
View File

@ -0,0 +1,62 @@
From 86b8f475811a20a477801a50eada3b43fb3129ea Mon Sep 17 00:00:00 2001
From: caodongxia <315816521@qq.com>
Date: Wed, 2 Jun 2021 19:18:22 +0800
Subject: [PATCH] create patch
---
tsk/base/tsk_base_i.h | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/tsk/base/tsk_base_i.h b/tsk/base/tsk_base_i.h
index 147ef13..de86b32 100644
--- a/tsk/base/tsk_base_i.h
+++ b/tsk/base/tsk_base_i.h
@@ -79,8 +79,8 @@ extern "C" {
*/
#define tsk_getu16(endian, x) \
(uint16_t)(((endian) == TSK_LIT_ENDIAN) ? \
- (((uint8_t *)(x))[0] + (((uint8_t *)(x))[1] << 8)) : \
- (((uint8_t *)(x))[1] + (((uint8_t *)(x))[0] << 8)) )
+ (((uint8_t *)(x))[0] + ((unsigned int)(((uint8_t *)(x))[1]) << 8)) : \
+ (((uint8_t *)(x))[1] + ((unsigned int)(((uint8_t *)(x))[0]) << 8)) )
/** \internal
* Read a 16-bit signed value.
@@ -99,8 +99,8 @@ extern "C" {
*/
#define tsk_getu24(endian, x) \
(uint32_t)(((endian) == TSK_LIT_ENDIAN) ? \
- (((uint8_t *)(x))[0] + (((uint8_t *)(x))[1] << 8) + (((uint8_t *)(x))[2] << 16)) : \
- (((uint8_t *)(x))[2] + (((uint8_t *)(x))[1] << 8) + (((uint8_t *)(x))[0] << 16)) )
+ (((uint8_t *)(x))[0] + ((unsigned int)(((uint8_t *)(x))[1]) << 8) + ((unsigned int)(((uint8_t *)(x))[2]) << 16)) : \
+ (((uint8_t *)(x))[2] + ((unsigned int)(((uint8_t *)(x))[1]) << 8) + ((unsigned int)(((uint8_t *)(x))[0]) << 16)) )
@@ -112,15 +112,15 @@ extern "C" {
*/
#define tsk_getu32(endian, x) \
(uint32_t)( ((endian) == TSK_LIT_ENDIAN) ? \
- ((((uint8_t *)(x))[0] << 0) + \
- (((uint8_t *)(x))[1] << 8) + \
- (((uint8_t *)(x))[2] << 16) + \
- (((uint8_t *)(x))[3] << 24) ) \
+ (((unsigned int)(((uint8_t *)(x))[0]) << 0) + \
+ ((unsigned int)(((uint8_t *)(x))[1]) << 8) + \
+ ((unsigned int)(((uint8_t *)(x))[2]) << 16) + \
+ ((unsigned int)(((uint8_t *)(x))[3]) << 24) ) \
: \
- ((((uint8_t *)(x))[3] << 0) + \
- (((uint8_t *)(x))[2] << 8) + \
- (((uint8_t *)(x))[1] << 16) + \
- (((uint8_t *)(x))[0] << 24) ) )
+ (((unsigned int)(((uint8_t *)(x))[3]) << 0) + \
+ ((unsigned int)(((uint8_t *)(x))[2]) << 8) + \
+ ((unsigned int)(((uint8_t *)(x))[1]) << 16) + \
+ ((unsigned int)(((uint8_t *)(x))[0]) << 24) ) )
/** \internal
* Read a 32-bit signed value.
--
2.27.0

36
Check-avalable-allocated-space-before-attempting-to.patch Normal file
View File

@ -0,0 +1,36 @@
From 716095714d159077258bcb8822e377e32b01e50d Mon Sep 17 00:00:00 2001
From: esaunders <esaunders@basistech.com>
Date: Tue, 3 Dec 2019 15:12:47 -0500
Subject: [PATCH] Check avaalable allocated space before attempting to case to
a hfs_btree_key_ext.
---
tsk/fs/hfs.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
index 8c268a53e..2c82bb971 100755
--- a/tsk/fs/hfs.c
+++ b/tsk/fs/hfs.c
@@ -697,6 +697,18 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
free(node);
return 1;
}
+
+ // Check that the whole hfs_btree_key_ext structure is set
+ if (sizeof(hfs_btree_key_ext) > nodesize - rec_off) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr
+ ("hfs_ext_find_extent_record_attr: record %d in leaf node %d truncated (have %d vs %"
+ PRIu16 " bytes)", rec, cur_node, nodesize - (int)rec_off,
+ sizeof(hfs_btree_key_ext));
+ free(node);
+ return 1;
+ }
+
key = (hfs_btree_key_ext *) & node[rec_off];
if (tsk_verbose)
--
2.27.0

41
Fix-for-invalid-shift-issue-1088.patch Normal file
View File

@ -0,0 +1,41 @@
From f279cbffbdb462a85438d648d5d18790c0b2b3a0 Mon Sep 17 00:00:00 2001
From: esaunders <esaunders@basistech.com>
Date: Mon, 30 Dec 2019 13:17:30 -0500
Subject: [PATCH] Fix for invalid shift issue 1088.
---
tsk/fs/ntfs.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/tsk/fs/ntfs.c b/tsk/fs/ntfs.c
index 93ce4802d..837033ea5 100755
--- a/tsk/fs/ntfs.c
+++ b/tsk/fs/ntfs.c
@@ -652,10 +652,22 @@ ntfs_make_data_run(NTFS_INFO * ntfs, TSK_OFF_T start_vcn,
if (totlen)
*totlen += (data_run->len * ntfs->csize_b);
- /* Get the address of this run */
+ /* Get the address offset of this run.
+ * An address offset of more than eight bytes will not fit in the
+ * 64-bit addr_offset field (and is likely corrupt)
+ */
+ if (NTFS_RUNL_LENSZ(run) > 8) {
+ tsk_error_reset();
+ tsk_error_set_errno(TSK_ERR_FS_INODE_COR);
+ tsk_error_set_errstr
+ ("ntfs_make_run: Run address offset is too large to process");
+ tsk_fs_attr_run_free(*a_data_run_head);
+ *a_data_run_head = NULL;
+ return TSK_COR;
+ }
for (i = 0, data_run->addr = 0; i < NTFS_RUNL_OFFSZ(run); i++) {
//data_run->addr |= (run->buf[idx++] << (i * 8));
- addr_offset |= (run->buf[idx++] << (i * 8));
+ addr_offset |= ((int64_t)(run->buf[idx++]) << (i * 8));
if (tsk_verbose)
tsk_fprintf(stderr,
"ntfs_make_data_run: Off idx: %i cur: %"
--
2.30.0

79
fix-memleak-in-ntfs.patch Normal file
View File

@ -0,0 +1,79 @@
From f7f44f8d321628d0a9d960d4183d2eba63ed29ed Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Thu, 22 Apr 2021 20:29:46 +0200
Subject: [PATCH] Fixed leak in error path #1190
---
tsk/fs/ntfs.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/tsk/fs/ntfs.c b/tsk/fs/ntfs.c
index f55b849..e82abae 100755
--- a/tsk/fs/ntfs.c
+++ b/tsk/fs/ntfs.c
@@ -592,7 +592,8 @@ ntfs_make_data_run(NTFS_INFO * ntfs, TSK_OFF_T start_vcn,
int64_t addr_offset = 0;
/* allocate a new tsk_fs_attr_run */
- if ((data_run = tsk_fs_attr_run_alloc()) == NULL) {
+ data_run = tsk_fs_attr_run_alloc();
+ if (data_run == NULL) {
tsk_fs_attr_run_free(*a_data_run_head);
*a_data_run_head = NULL;
return TSK_ERR;
@@ -2015,8 +2016,10 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
tsk_error_set_errno(TSK_ERR_FS_CORRUPT);
tsk_error_set_errstr("ntfs_proc_attrseq: Compression unit size 2^%d too large",
tsk_getu16(fs->endian, attr->c.nr.compusize));
- if (fs_attr_run)
+ if (fs_attr_run) {
tsk_fs_attr_run_free(fs_attr_run);
+ fs_attr_run = NULL;
+ }
return TSK_COR;
}
@@ -2056,9 +2059,10 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
TSK_FS_ATTR_RES)) == NULL) {
tsk_error_errstr2_concat(" - proc_attrseq: getnew");
// JRB: Coverity found leak.
- if (fs_attr_run)
+ if (fs_attr_run) {
tsk_fs_attr_run_free(fs_attr_run);
- fs_attr_run = NULL;
+ fs_attr_run = NULL;
+ }
return TSK_ERR;
}
@@ -2098,10 +2102,15 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
tsk_error_errstr2_concat("- proc_attrseq: set run");
// If the run wasn't saved to the attribute, free it now
- if (fs_attr_run && (fs_attr->nrd.run == NULL))
+ if (fs_attr_run && (fs_attr->nrd.run == NULL)) {
tsk_fs_attr_run_free(fs_attr_run);
+ fs_attr_run = NULL;
+ }
return TSK_COR;
}
+ // fs_file has taken over managerment of fs_attr_run
+ fs_attr_run = NULL;
+
// set the special functions
if (fs_file->meta->flags & TSK_FS_META_FLAG_COMP) {
fs_attr->w = ntfs_attr_walk_special;
@@ -2112,6 +2121,10 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
else {
if (tsk_fs_attr_add_run(fs, fs_attr, fs_attr_run)) {
tsk_error_errstr2_concat(" - proc_attrseq: put run");
+ if (fs_attr_run) {
+ tsk_fs_attr_run_free(fs_attr_run);
+ fs_attr_run = NULL;
+ }
return TSK_COR;
}
}
--
2.30.0

22
sleuthkit.spec
View File

@ -1,6 +1,6 @@
Name: sleuthkit
Version: 4.6.7
Release: 5
Release: 10
Summary: Tools for file system and volume forensic analysis
License: CPL and IBM and GPLv2+
URL: http://www.sleuthkit.org
@ -12,6 +12,11 @@ Patch3: 0003-Fix-bug-introduced-with-imap-offset-check.patch
Patch4: 0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
Patch5: 0005-Fix-Fuzz-buffer-overflow.patch
Patch6: 0006-Add-attributes-file-nodesize-check.patch
Patch7: 0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch
Patch8: 0008-left-shift.patch
Patch9: fix-memleak-in-ntfs.patch
Patch10: Check-avalable-allocated-space-before-attempting-to.patch
Patch11: Fix-for-invalid-shift-issue-1088.patch
BuildRequires: gcc-c++ afflib-devel >= 3.3.4 libewf-devel perl-generators sqlite-devel
@ -86,6 +91,21 @@ sed -i.rpath 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
%{_mandir}/man1/*
%changelog
* Thu Dec 16 2021 chenchen <chen_aka_jan@163.com> - 4.6.7-10
- fix for invalid shift
* Mon Dec 13 2021 xu_ping <xuping33@huawei.com> - 4.6.7-9
- Check avalable allocated space before attempting to case to a hfs_btree_key_ext.
* Thu Aug 26 2021 sunguoshuai <sunguoshuai@huawei.com> - 4.6.7-8
- Fix memleak in ntfs
* Thu Jun 3 2021 caodongxia <caodongxia@huawei.com> - 4.6.7-7
- Fixed left shift
* Wed May 19 2021 lingsheng <lingsheng@huawei.com> - 4.6.7-6
- Fixed OOB reads in hfs_cat_traverse
* Fri Dec 18 2020 lingsheng <lingsheng@huawei.com> - 4.6.7-5
- Add attributes file nodesize check to fix heap overflow