


openeuler-ci-bot
d9ffcdfc5b
!52 License compliance rectification
From: @starlet-dx 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
2024-06-14 01:41:51 +00:00
starlet-dx
5a48c1c557 License compliance rectification 2024-06-13 10:34:20 +08:00
openeuler-ci-bot
2e6b232cf0
!47 [sync] PR-45: Fixed OOB reads in hfs_dir_open_meta_cb
From: @openeuler-sync-bot 
Reviewed-by: @gitee-cmd 
Signed-off-by: @gitee-cmd
2022-07-30 07:20:54 +00:00
cherry530
2fc79850bd fix OOB read in hfs_dir_open_meta_cb
Signed-off-by: cherry530 <xuping33@huawei.com>
(cherry picked from commit 56613e9603253a85c9bb19ca099ff6973043122c)
2022-07-30 10:03:26 +08:00
openeuler-ci-bot
7e2e9e25dd !35 Fixed OOB reads in hfs_cat_traverse
From: @ultra_planet
Reviewed-by: @small_leek
Signed-off-by: @small_leek
2021-08-27 01:39:55 +00:00
lingsheng
1d8693a014 Fixed OOB reads in hfs_cat_traverse 2021-08-26 20:57:43 +08:00
openeuler-ci-bot
978fdb43e2 !33 fix memleak in ntfs
From: @si-gui
Reviewed-by: @small_leek
Signed-off-by: @small_leek
2021-08-26 12:08:15 +00:00
sunguoshuai
6b5bc94c56 fic memleak in ntfs 2021-08-26 18:13:37 +08:00
openeuler-ci-bot
c00aef0b12 !31 同步SP2修改(I3U1Q1)到master分支
From: @caodongxia
Reviewed-by: @small_leek
Signed-off-by: @small_leek
2021-06-15 08:09:43 +00:00
caodongxia
312ebf3b18 fix issue 2021-06-15 15:52:26 +08:00
8 changed files with 610 additions and 9 deletions

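--- /dev/null
+++ b/0008-left-shift.patch
@@ -0,0 +1,62 @@
+From 86b8f475811a20a477801a50eada3b43fb3129ea Mon Sep 17 00:00:00 2001
+From: caodongxia <315816521@qq.com>
+Date: Wed, 2 Jun 2021 19:18:22 +0800
+Subject: [PATCH] create patch
+---
+tsk/base/tsk_base_i.h | 24 ++++++++++++------------
+1 file changed, 12 insertions(+), 12 deletions(-)
+diff --git a/tsk/base/tsk_base_i.h b/tsk/base/tsk_base_i.h
+index 147ef13..de86b32 100644
+--- a/tsk/base/tsk_base_i.h
++++ b/tsk/base/tsk_base_i.h
+@@ -79,8 +79,8 @@ extern "C" {
+*/
+#define tsk_getu16(endian, x) \
+(uint16_t)(((endian) == TSK_LIT_ENDIAN) ? \
+- (((uint8_t *)(x))[0] + (((uint8_t *)(x))[1] << 8)) : \
+- (((uint8_t *)(x))[1] + (((uint8_t *)(x))[0] << 8)) )
++ (((uint8_t *)(x))[0] + ((unsigned int)(((uint8_t *)(x))[1]) << 8)) : \
++ (((uint8_t *)(x))[1] + ((unsigned int)(((uint8_t *)(x))[0]) << 8)) )
+/** \internal
+* Read a 16-bit signed value.
+@@ -99,8 +99,8 @@ extern "C" {
+*/
+#define tsk_getu24(endian, x) \
+(uint32_t)(((endian) == TSK_LIT_ENDIAN) ? \
+- (((uint8_t *)(x))[0] + (((uint8_t *)(x))[1] << 8) + (((uint8_t *)(x))[2] << 16)) : \
+- (((uint8_t *)(x))[2] + (((uint8_t *)(x))[1] << 8) + (((uint8_t *)(x))[0] << 16)) )
++ (((uint8_t *)(x))[0] + ((unsigned int)(((uint8_t *)(x))[1]) << 8) + ((unsigned int)(((uint8_t *)(x))[2]) << 16)) : \
++ (((uint8_t *)(x))[2] + ((unsigned int)(((uint8_t *)(x))[1]) << 8) + ((unsigned int)(((uint8_t *)(x))[0]) << 16)) )
+@@ -112,15 +112,15 @@ extern "C" {
+*/
+#define tsk_getu32(endian, x) \
+(uint32_t)( ((endian) == TSK_LIT_ENDIAN) ? \
+- ((((uint8_t *)(x))[0] << 0) + \
+- (((uint8_t *)(x))[1] << 8) + \
+- (((uint8_t *)(x))[2] << 16) + \
+- (((uint8_t *)(x))[3] << 24) ) \
++ (((unsigned int)(((uint8_t *)(x))[0]) << 0) + \
++ ((unsigned int)(((uint8_t *)(x))[1]) << 8) + \
++ ((unsigned int)(((uint8_t *)(x))[2]) << 16) + \
++ ((unsigned int)(((uint8_t *)(x))[3]) << 24) ) \
+: \
+- ((((uint8_t *)(x))[3] << 0) + \
+- (((uint8_t *)(x))[2] << 8) + \
+- (((uint8_t *)(x))[1] << 16) + \
+- (((uint8_t *)(x))[0] << 24) ) )
++ (((unsigned int)(((uint8_t *)(x))[3]) << 0) + \
++ ((unsigned int)(((uint8_t *)(x))[2]) << 8) + \
++ ((unsigned int)(((uint8_t *)(x))[1]) << 16) + \
++ ((unsigned int)(((uint8_t *)(x))[0]) << 24) ) )
+--
+2.27.0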
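Review bot: The `(unsigned int)` casts remove the signed-overflow UB in the `<< 24` terms of tsk_getu32 (a uint8_t promotes to int, and int << 24 is undefined for bytes >= 0x80), but nothing in the patched macros records why the casts are there, so the next cleanup pass may drop them as noise. A one-line comment above tsk_getu16 such as `/* cast each byte to unsigned before shifting: uint8_t promotes to int and int << 24 overflows for bytes >= 0x80 */` would pin the intent. The lowest byte of tsk_getu16/tsk_getu24 is still left to int promotion, which is harmless since it is never shifted, but stating that in the same comment avoids the inconsistency question. Any wider byte-assembling macro in this header that is not in the patch deserves the same check for an unshifted promoted uint8_t.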


@ -0,0 +1,79 @@
From f7f44f8d321628d0a9d960d4183d2eba63ed29ed Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Thu, 22 Apr 2021 20:29:46 +0200
Subject: [PATCH] Fixed leak in error path #1190
---
tsk/fs/ntfs.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/tsk/fs/ntfs.c b/tsk/fs/ntfs.c
index f55b849..e82abae 100755
--- a/tsk/fs/ntfs.c
+++ b/tsk/fs/ntfs.c
@@ -592,7 +592,8 @@ ntfs_make_data_run(NTFS_INFO * ntfs, TSK_OFF_T start_vcn,
int64_t addr_offset = 0;
/* allocate a new tsk_fs_attr_run */
- if ((data_run = tsk_fs_attr_run_alloc()) == NULL) {
+ data_run = tsk_fs_attr_run_alloc();
+ if (data_run == NULL) {
tsk_fs_attr_run_free(*a_data_run_head);
*a_data_run_head = NULL;
return TSK_ERR;
@@ -2015,8 +2016,10 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
tsk_error_set_errno(TSK_ERR_FS_CORRUPT);
tsk_error_set_errstr("ntfs_proc_attrseq: Compression unit size 2^%d too large",
tsk_getu16(fs->endian, attr->c.nr.compusize));
- if (fs_attr_run)
+ if (fs_attr_run) {
tsk_fs_attr_run_free(fs_attr_run);
+ fs_attr_run = NULL;
+ }
return TSK_COR;
}
@@ -2056,9 +2059,10 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
TSK_FS_ATTR_RES)) == NULL) {
tsk_error_errstr2_concat(" - proc_attrseq: getnew");
// JRB: Coverity found leak.
- if (fs_attr_run)
+ if (fs_attr_run) {
tsk_fs_attr_run_free(fs_attr_run);
- fs_attr_run = NULL;
+ fs_attr_run = NULL;
+ }
return TSK_ERR;
}
@@ -2098,10 +2102,15 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
tsk_error_errstr2_concat("- proc_attrseq: set run");
// If the run wasn't saved to the attribute, free it now
- if (fs_attr_run && (fs_attr->nrd.run == NULL))
+ if (fs_attr_run && (fs_attr->nrd.run == NULL)) {
tsk_fs_attr_run_free(fs_attr_run);
+ fs_attr_run = NULL;
+ }
return TSK_COR;
}
+ // fs_file has taken over managerment of fs_attr_run
+ fs_attr_run = NULL;
+
// set the special functions
if (fs_file->meta->flags & TSK_FS_META_FLAG_COMP) {
fs_attr->w = ntfs_attr_walk_special;
@@ -2112,6 +2121,10 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
else {
if (tsk_fs_attr_add_run(fs, fs_attr, fs_attr_run)) {
tsk_error_errstr2_concat(" - proc_attrseq: put run");
+ if (fs_attr_run) {
+ tsk_fs_attr_run_free(fs_attr_run);
+ fs_attr_run = NULL;
+ }
return TSK_COR;
}
}
--
2.30.0
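Review bot: The free added on the tsk_fs_attr_add_run failure path (last hunk) assumes the run is still owned by the caller after the call fails, whereas the tsk_fs_attr_set_run failure path just above guards its free with `fs_attr->nrd.run == NULL`; if tsk_fs_attr_add_run links the run into the attribute's list on any path before returning an error, this free becomes a double free / use-after-free rather than a leak fix. This should be confirmed against tsk_fs_attr_add_run's error paths before the patch is carried. The ownership hand-off would also be clearer if the comment on the success path read `// fs_attr has taken over management of fs_attr_run` (the current text says "fs_file" and misspells "managerment"). ntfs_proc_attrseq starts and ends outside these hunks.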


@ -0,0 +1,24 @@
From 0954034dc1ac757cfc125539c41cc2b42525b303 Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Tue, 27 Apr 2021 06:22:02 +0200
Subject: [PATCH] Fixed HFS BTree key OOB read
---
tsk/fs/hfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
index 2935fc50e3..d3b92aaad7 100644
--- a/tsk/fs/hfs.c
+++ b/tsk/fs/hfs.c
@@ -976,7 +976,9 @@ hfs_cat_traverse(HFS_INFO * hfs,
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off >= nodesize) {
+
+ // Need at least 2 bytes for key_len
+ if (rec_off >= nodesize - 2) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_cat_traverse: offset of record %d in leaf node %d too large (%d vs %"
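Review bot: `rec_off >= nodesize - 2` is only a bound if nodesize is at least 2; should nodesize be a size_t here the subtraction wraps and every rec_off passes, and even for a uint16_t the intent reads better with the explicit guard the same series uses in hfs_dir_open_meta_cb: `if ((nodesize < 2) || (rec_off >= nodesize - 2)) {`. The check only reserves room for the 2-byte key_len field; the bound on the key body that follows the key_len read is outside this hunk and should be verified separately. hfs_cat_traverse starts and ends outside the hunk.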


@ -0,0 +1,43 @@
From 47b9992636f2e155b09503497ee58d819993c40d Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Sat, 1 May 2021 07:46:49 +0200
Subject: [PATCH] Fixed OOB reads in hfs_cat_traverse
---
tsk/fs/hfs.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
index e3221152b7..01259cee2d 100644
--- a/tsk/fs/hfs.c
+++ b/tsk/fs/hfs.c
@@ -483,7 +483,7 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off + sizeof(hfs_btree_key_ext) > nodesize) {
+ if (rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_ext_find_extent_record_attr: offset of record %d in index node %d too large (%d vs %"
@@ -578,7 +578,8 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off >= nodesize) {
+
+ if (rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_ext_find_extent_record_attr: offset of record %d in leaf node %d too large (%d vs %"
@@ -855,7 +856,9 @@ hfs_cat_traverse(HFS_INFO * hfs,
rec_off =
tsk_getu16(fs->endian,
&node[nodesize - (rec + 1) * 2]);
- if (rec_off >= nodesize) {
+
+ // Need at least 2 bytes for key_len
+ if (rec_off >= nodesize - 2) {
tsk_error_set_errno(TSK_ERR_FS_GENFS);
tsk_error_set_errstr
("hfs_cat_traverse: offset of record %d in index node %d too large (%d vs %"
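Review bot: Rewriting the first check as `rec_off >= nodesize - sizeof(hfs_btree_key_ext)` moves the arithmetic into size_t, so if nodesize is ever smaller than sizeof(hfs_btree_key_ext) the subtraction wraps to a huge value and the check never fires, whereas the replaced additive form `rec_off + sizeof(hfs_btree_key_ext) > nodesize` could not wrap; the same applies to the second hunk in hfs_ext_find_extent_record_attr. Unless nodesize is validated against a minimum earlier in the function (not in view), prefer `if (nodesize < sizeof(hfs_btree_key_ext) || rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {` in both places. The third hunk (hfs_cat_traverse, `nodesize - 2`) has the same shape and benefits from the same `nodesize < 2` guard. Both functions start and end outside these hunks.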

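--- /dev/null
+++ b/0012-fix_oob_read8.patch
@@ -0,0 +1,240 @@
+From bd5af353d9a6d8f936d59c2fda57cf7eb14c48f5 Mon Sep 17 00:00:00 2001
+From: Joachim Metz <joachim.metz@gmail.com>
+Date: Sat, 1 May 2021 08:36:06 +0200
+Subject: [PATCH] fix_oob_read8
+---
+tsk/fs/hfs.c | 28 ++++++++++++++++-------
+tsk/fs/hfs_dent.c | 2 +-
+tsk/fs/hfs_unicompare.c | 50 ++++++++++++++++++++++++++++++++---------
+tsk/fs/tsk_hfs.h | 4 ++--
+4 files changed, 63 insertions(+), 21 deletions(-)
+diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
+index e3221152b..8ac63b016 100644
+--- a/tsk/fs/hfs.c
++++ b/tsk/fs/hfs.c
+@@ -707,11 +707,17 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
+*/
+int
+hfs_cat_compare_keys(HFS_INFO * hfs, const hfs_btree_key_cat * key1,
+- const hfs_btree_key_cat * key2)
++ int keylen1, const hfs_btree_key_cat * key2)
+{
+TSK_FS_INFO *fs = (TSK_FS_INFO *) & (hfs->fs_info);
+uint32_t cnid1, cnid2;
++ if (keylen1 < 6) {
++ // Note that it would be better to return an error value here
++ // but the current function interface does not support this
++ // Also see issue #2365
++ return -1;
++ }
+cnid1 = tsk_getu32(fs->endian, key1->parent_cnid);
+cnid2 = tsk_getu32(fs->endian, key2->parent_cnid);
+@@ -720,7 +726,7 @@ hfs_cat_compare_keys(HFS_INFO * hfs, const hfs_btree_key_cat * key1,
+if (cnid1 > cnid2)
+return 1;
+- return hfs_unicode_compare(hfs, &key1->name, &key2->name);
++ return hfs_unicode_compare(hfs, &key1->name, keylen1 - 6, &key2->name);
+}
+@@ -890,7 +896,7 @@ hfs_cat_traverse(HFS_INFO * hfs,
+/* save the info from this record unless it is too big */
+retval =
+- a_cb(hfs, HFS_BT_NODE_TYPE_IDX, key,
++ a_cb(hfs, HFS_BT_NODE_TYPE_IDX, key, keylen,
+cur_off + rec_off, ptr);
+if (retval == HFS_BTREE_CB_ERR) {
+tsk_error_set_errno(TSK_ERR_FS_GENFS);
+@@ -1012,7 +1018,7 @@ hfs_cat_traverse(HFS_INFO * hfs,
+// rec_cnid = tsk_getu32(fs->endian, key->file_id);
+retval =
+- a_cb(hfs, HFS_BT_NODE_TYPE_LEAF, key,
++ a_cb(hfs, HFS_BT_NODE_TYPE_LEAF, key, keylen,
+cur_off + rec_off, ptr);
+if (retval == HFS_BTREE_CB_LEAF_STOP) {
+is_done = 1;
+@@ -1058,7 +1064,7 @@ typedef struct {
+static uint8_t
+hfs_cat_get_record_offset_cb(HFS_INFO * hfs, int8_t level_type,
+- const hfs_btree_key_cat * cur_key,
++ const hfs_btree_key_cat * cur_key, int cur_keylen,
+TSK_OFF_T key_off, void *ptr)
+{
+HFS_CAT_GET_RECORD_OFFSET_DATA *offset_data = (HFS_CAT_GET_RECORD_OFFSET_DATA *)ptr;
+@@ -1073,14 +1079,14 @@ hfs_cat_get_record_offset_cb(HFS_INFO * hfs, int8_t level_type,
+tsk_getu32(hfs->fs_info.endian, cur_key->parent_cnid));
+if (level_type == HFS_BT_NODE_TYPE_IDX) {
+- int diff = hfs_cat_compare_keys(hfs, cur_key, targ_key);
++ int diff = hfs_cat_compare_keys(hfs, cur_key, cur_keylen, targ_key);
+if (diff < 0)
+return HFS_BTREE_CB_IDX_LT;
+else
+return HFS_BTREE_CB_IDX_EQGT;
+}
+else {
+- int diff = hfs_cat_compare_keys(hfs, cur_key, targ_key);
++ int diff = hfs_cat_compare_keys(hfs, cur_key, cur_keylen, targ_key);
+// see if this record is for our file or if we passed the interesting entries
+if (diff < 0) {
+@@ -1653,9 +1659,15 @@ hfs_cat_file_lookup(HFS_INFO * hfs, TSK_INUM_T inum, HFS_ENTRY * entry,
+static uint8_t
+hfs_find_highest_inum_cb(HFS_INFO * hfs, int8_t level_type,
+- const hfs_btree_key_cat * cur_key,
++ const hfs_btree_key_cat * cur_key, int cur_keylen,
+TSK_OFF_T key_off, void *ptr)
+{
++ if (cur_keylen < 6) {
++ // Note that it would be better to return an error value here
++ // but the current function interface does not support this
++ // Also see issue #2365
++ return -1;
++ }
+// NOTE: This assumes that the biggest inum is the last one that we
+// see. the traverse method does not currently promise that as part of
+// its callback "contract".
+diff --git a/tsk/fs/hfs_dent.c b/tsk/fs/hfs_dent.c
+index e4cebf8a4..495588642 100644
+--- a/tsk/fs/hfs_dent.c
++++ b/tsk/fs/hfs_dent.c
+@@ -198,7 +198,7 @@ typedef struct {
+static uint8_t
+hfs_dir_open_meta_cb(HFS_INFO * hfs, int8_t level_type,
+- const hfs_btree_key_cat * cur_key,
++ const hfs_btree_key_cat * cur_key, int cur_keylen,
+TSK_OFF_T key_off, void *ptr)
+{
+HFS_DIR_OPEN_META_INFO *info = (HFS_DIR_OPEN_META_INFO *) ptr;
+diff --git a/tsk/fs/hfs_unicompare.c b/tsk/fs/hfs_unicompare.c
+index 752486af0..91d528b88 100644
+--- a/tsk/fs/hfs_unicompare.c
++++ b/tsk/fs/hfs_unicompare.c
+@@ -109,7 +109,7 @@
+#include "tsk_hfs.h"
+static int hfs_unicode_compare_int(uint16_t endian,
+- const hfs_uni_str * uni1, const hfs_uni_str * uni2);
++ const hfs_uni_str * uni1, int uni1_len, const hfs_uni_str * uni2);
+/**
+@@ -124,18 +124,31 @@ static int hfs_unicode_compare_int(uint16_t endian,
+*/
+int
+hfs_unicode_compare(HFS_INFO * hfs, const hfs_uni_str * uni1,
+- const hfs_uni_str * uni2)
++ int uni1_len, const hfs_uni_str * uni2)
+{
+if (hfs->is_case_sensitive) {
+uint16_t l1, l2;
+const uint8_t *s1, *s2;
+uint16_t c1, c2;
++ if (uni1_len < 2) {
++ // Note that it would be better to return an error value here
++ // but the current function interface does not support this
++ // Also see issue #2365
++ return -1;
++ }
+l1 = tsk_getu16(hfs->fs_info.endian, uni1->length);
+l2 = tsk_getu16(hfs->fs_info.endian, uni2->length);
+s1 = uni1->unicode;
+s2 = uni2->unicode;
++ // Note that l1 contains number of UTF-16 "characters" and uni1_len number of bytes.
++ if (l1 > (uni1_len - 2) / 2) {
++ // Note that it would be better to return an error value here
++ // but the current function interface does not support this
++ // Also see issue #2365
++ return -1;
++ }
+while (1) {
+if ((l1 == 0) && (l2 == 0))
+return 0;
+@@ -157,7 +170,7 @@ hfs_unicode_compare(HFS_INFO * hfs, const hfs_uni_str * uni1,
+return 0;
+}
+else
+- return hfs_unicode_compare_int(hfs->fs_info.endian, uni1, uni2);
++ return hfs_unicode_compare_int(hfs->fs_info.endian, uni1, uni1_len, uni2);
+}
+extern uint16_t gLowerCaseTable[];
+@@ -169,17 +182,34 @@ extern uint16_t gLowerCaseTable[];
+*/
+static int
+hfs_unicode_compare_int(uint16_t endian, const hfs_uni_str * uni1,
+- const hfs_uni_str * uni2)
++ int uni1_len, const hfs_uni_str * uni2)
+{
+uint16_t c1, c2;
+uint16_t temp;
+uint16_t *lowerCaseTable;
+-
+- const uint8_t *str1 = uni1->unicode;
+- const uint8_t *str2 = uni2->unicode;
+- uint16_t length1 = tsk_getu16(endian, uni1->length);
+- uint16_t length2 = tsk_getu16(endian, uni2->length);
+-
++ const uint8_t *str1 = NULL;
++ const uint8_t *str2 = NULL;
++ uint16_t length1 = 0;
++ uint16_t length2 = 0;
++
++ if (uni1_len < 2) {
++ // Note that it would be better to return an error value here
++ // but the current function interface does not support this
++ // Also see issue #2365
++ return -1;
++ }
++ str1 = uni1->unicode;
++ str2 = uni2->unicode;
++ length1 = tsk_getu16(endian, uni1->length);
++ length2 = tsk_getu16(endian, uni2->length);
++
++ // Note that length1 contains number of UTF-16 "characters" and uni1_len number of bytes.
++ if (length1 > (uni1_len - 2) / 2) {
++ // Note that it would be better to return an error value here
++ // but the current function interface does not support this
++ // Also see issue #2365
++ return -1;
++ }
+lowerCaseTable = gLowerCaseTable;
+while (1) {
+diff --git a/tsk/fs/tsk_hfs.h b/tsk/fs/tsk_hfs.h
+index 7becb2ab3..4437b1c5a 100644
+--- a/tsk/fs/tsk_hfs.h
++++ b/tsk/fs/tsk_hfs.h
+@@ -734,7 +734,7 @@ extern uint8_t hfs_UTF16toUTF8(TSK_FS_INFO *, uint8_t *, int, char *, int,
+uint32_t);
+extern int hfs_unicode_compare(HFS_INFO *, const hfs_uni_str *,
+- const hfs_uni_str *);
++ int, const hfs_uni_str *);
+extern uint16_t hfs_get_idxkeylen(HFS_INFO * hfs, uint16_t keylen,
+const hfs_btree_header_record * header);
+@@ -765,7 +765,7 @@ extern char hfs_is_hard_link(TSK_FS_INFO * fs, TSK_INUM_T inum);
+* @param ptr Pointer to data that was passed into parent
+*/
+typedef uint8_t(*TSK_HFS_BTREE_CB) (HFS_INFO *, int8_t level_type,
+- const hfs_btree_key_cat * cur_key,
++ const hfs_btree_key_cat * cur_key, int cur_keylen,
+TSK_OFF_T key_off, void *ptr);
+// return values for callback
+#define HFS_BTREE_CB_IDX_LT 1 // current key is less than target (keeps looking in node)
+--
+2.33.0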
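Review bot: hfs_find_highest_inum_cb is declared `static uint8_t`, yet the new short-key guard does `return -1;`, which the caller receives as 255 — not HFS_BTREE_CB_ERR nor any other HFS_BTREE_CB_* value — so the `retval == HFS_BTREE_CB_ERR` test in hfs_cat_traverse does not catch it and a truncated key is silently skipped instead of reported. The callback interface does have an error channel, so use it: `tsk_error_set_errno(TSK_ERR_FS_GENFS); tsk_error_set_errstr("hfs_find_highest_inum_cb: cur_keylen value out of bounds"); return HFS_BTREE_CB_ERR;`. The `return -1` in hfs_cat_compare_keys, hfs_unicode_compare and hfs_unicode_compare_int is a different situation, since those are int comparators with no error value, as their comments say; a note on the compare-key guard that "-1 orders a malformed key before every valid key, which can terminate an index search early" would make the consequence explicit for the next reader. The enclosing functions start and end outside these hunks.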

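--- /dev/null
+++ b/0013-fix_oob_read13.patch
@@ -0,0 +1,100 @@
+From 6bac602fc47bd668fb0b8c14ce64c073ecc2de63 Mon Sep 17 00:00:00 2001
+From: Joachim Metz <joachim.metz@gmail.com>
+Date: Fri, 18 Jun 2021 13:52:41 +0200
+Subject: [PATCH] fix_oob_read13
+---
+tsk/fs/hfs.c | 8 ++++----
+tsk/fs/hfs_dent.c | 14 +++++++++++++-
+tsk/fs/tsk_hfs.h | 2 +-
+3 files changed, 18 insertions(+), 6 deletions(-)
+diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
+index 8ac63b016..95d178031 100644
+--- a/tsk/fs/hfs.c
++++ b/tsk/fs/hfs.c
+@@ -896,7 +896,7 @@ hfs_cat_traverse(HFS_INFO * hfs,
+/* save the info from this record unless it is too big */
+retval =
+- a_cb(hfs, HFS_BT_NODE_TYPE_IDX, key, keylen,
++ a_cb(hfs, HFS_BT_NODE_TYPE_IDX, key, keylen, nodesize,
+cur_off + rec_off, ptr);
+if (retval == HFS_BTREE_CB_ERR) {
+tsk_error_set_errno(TSK_ERR_FS_GENFS);
+@@ -1018,7 +1018,7 @@ hfs_cat_traverse(HFS_INFO * hfs,
+// rec_cnid = tsk_getu32(fs->endian, key->file_id);
+retval =
+- a_cb(hfs, HFS_BT_NODE_TYPE_LEAF, key, keylen,
++ a_cb(hfs, HFS_BT_NODE_TYPE_LEAF, key, keylen, nodesize,
+cur_off + rec_off, ptr);
+if (retval == HFS_BTREE_CB_LEAF_STOP) {
+is_done = 1;
+@@ -1064,7 +1064,7 @@ typedef struct {
+static uint8_t
+hfs_cat_get_record_offset_cb(HFS_INFO * hfs, int8_t level_type,
+- const hfs_btree_key_cat * cur_key, int cur_keylen,
++ const hfs_btree_key_cat * cur_key, int cur_keylen, size_t node_size,
+TSK_OFF_T key_off, void *ptr)
+{
+HFS_CAT_GET_RECORD_OFFSET_DATA *offset_data = (HFS_CAT_GET_RECORD_OFFSET_DATA *)ptr;
+@@ -1659,7 +1659,7 @@ hfs_cat_file_lookup(HFS_INFO * hfs, TSK_INUM_T inum, HFS_ENTRY * entry,
+static uint8_t
+hfs_find_highest_inum_cb(HFS_INFO * hfs, int8_t level_type,
+- const hfs_btree_key_cat * cur_key, int cur_keylen,
++ const hfs_btree_key_cat * cur_key, int cur_keylen, size_t node_size,
+TSK_OFF_T key_off, void *ptr)
+{
+if (cur_keylen < 6) {
+diff --git a/tsk/fs/hfs_dent.c b/tsk/fs/hfs_dent.c
+index 495588642..b88627e53 100644
+--- a/tsk/fs/hfs_dent.c
++++ b/tsk/fs/hfs_dent.c
+@@ -198,7 +198,7 @@ typedef struct {
+static uint8_t
+hfs_dir_open_meta_cb(HFS_INFO * hfs, int8_t level_type,
+- const hfs_btree_key_cat * cur_key, int cur_keylen,
++ const hfs_btree_key_cat * cur_key, int cur_keylen, size_t nodesize,
+TSK_OFF_T key_off, void *ptr)
+{
+HFS_DIR_OPEN_META_INFO *info = (HFS_DIR_OPEN_META_INFO *) ptr;
+@@ -233,7 +233,19 @@ hfs_dir_open_meta_cb(HFS_INFO * hfs, int8_t level_type,
+cur_key->parent_cnid) > info->cnid) {
+return HFS_BTREE_CB_LEAF_STOP;
+}
++ // Need at least 2 bytes for key_len
++ if (cur_keylen < 2) {
++ tsk_error_set_errno(TSK_ERR_FS_GENFS);
++ tsk_error_set_errstr("hfs_dir_open_meta: cur_keylen value out of bounds");
++ return HFS_BTREE_CB_ERR;
++ }
+rec_off2 = 2 + tsk_getu16(hfs->fs_info.endian, cur_key->key_len);
++
++ if ((nodesize < 2) || (rec_off2 >= nodesize - 2)) {
++ tsk_error_set_errno(TSK_ERR_FS_GENFS);
++ tsk_error_set_errstr("hfs_dir_open_meta: nodesize value out of bounds");
++ return HFS_BTREE_CB_ERR;
++ }
+rec_type = tsk_getu16(hfs->fs_info.endian, &rec_buf[rec_off2]);
+// Catalog entry is for a file
+diff --git a/tsk/fs/tsk_hfs.h b/tsk/fs/tsk_hfs.h
+index 4437b1c5a..2530e0cfe 100644
+--- a/tsk/fs/tsk_hfs.h
++++ b/tsk/fs/tsk_hfs.h
+@@ -765,7 +765,7 @@ extern char hfs_is_hard_link(TSK_FS_INFO * fs, TSK_INUM_T inum);
+* @param ptr Pointer to data that was passed into parent
+*/
+typedef uint8_t(*TSK_HFS_BTREE_CB) (HFS_INFO *, int8_t level_type,
+- const hfs_btree_key_cat * cur_key, int cur_keylen,
++ const hfs_btree_key_cat * cur_key, int cur_keylen, size_t node_size,
+TSK_OFF_T key_off, void *ptr);
+// return values for callback
+#define HFS_BTREE_CB_IDX_LT 1 // current key is less than target (keeps looking in node)
+--
+2.33.0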
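Review bot: The new callback parameter is named `node_size` in the TSK_HFS_BTREE_CB typedef and in both hfs.c callbacks but `nodesize` in hfs_dir_open_meta_cb, and the typedef's Doxygen block (the `@param ptr` line is visible) gains no `@param node_size` entry; use one spelling and add `* @param node_size Size in bytes of the B-tree node that cur_key was read from`. The two guards in hfs_dir_open_meta_cb bound only the key_len field and the 2-byte rec_type read; the record body at rec_off2 is cast to larger structures further down, outside this hunk, and needs its own bound per record type. hfs_dir_open_meta_cb starts and ends outside the hunk.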


@ -0,0 +1,28 @@
From beb68f543261a28ee25b945bb79d39213decd2cd Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Fri, 18 Jun 2021 16:34:18 +0200
Subject: [PATCH] Fixed OOB reads in hfs_dir_open_meta_cb
---
tsk/fs/hfs_dent.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tsk/fs/hfs_dent.c b/tsk/fs/hfs_dent.c
index b88627e53..54460f14b 100644
--- a/tsk/fs/hfs_dent.c
+++ b/tsk/fs/hfs_dent.c
@@ -295,6 +295,11 @@ hfs_dir_open_meta_cb(HFS_INFO * hfs, int8_t level_type,
/* This is a normal file in the folder */
else if (rec_type == HFS_FILE_RECORD) {
+ if ((nodesize < sizeof(hfs_file)) || (rec_off2 >= nodesize - sizeof(hfs_file))) {
+ tsk_error_set_errno(TSK_ERR_FS_GENFS);
+ tsk_error_set_errstr("hfs_dir_open_meta: nodesize value out of bounds");
+ return HFS_BTREE_CB_ERR;
+ }
hfs_file *file = (hfs_file *) & rec_buf[rec_off2];
// This could be a hard link. We need to test this CNID, and follow it if necessary.
unsigned char is_err;
--
2.33.0
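Review bot: Only the HFS_FILE_RECORD branch gets a bound before `&rec_buf[rec_off2]` is cast to `hfs_file`; if the sibling branches for folder and thread records (outside this hunk) cast the same offset to their own structures, they need an equivalent `nodesize < sizeof(...) || rec_off2 >= nodesize - sizeof(...)` guard, otherwise a crafted key_len still reads past the node in those paths. The new error string repeats the `"hfs_dir_open_meta: nodesize value out of bounds"` text already used by the earlier check in this function, so a log line cannot tell which bound fired; a distinct message such as `"hfs_dir_open_meta: file record exceeds node size"` helps triage. hfs_dir_open_meta_cb starts and ends outside the hunk.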


@ -1,18 +1,28 @@
Name: sleuthkit
Version: 4.6.7
Release: 7
Release: 12
Summary: Tools for file system and volume forensic analysis
License: CPL and IBM and GPLv2+
License: CPL-1.0 AND IPL-1.0 AND GPL-2.0-or-later
URL: http://www.sleuthkit.org
Source0: https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-%{version}/sleuthkit-%{version}.tar.gz
Patch1: 0001-MEMORYLEAK-DOS-LOAD-EXT-TABLE.patch
Patch2: 0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
Patch3: 0003-Fix-bug-introduced-with-imap-offset-check.patch
Patch4: 0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
Patch5: 0005-Fix-Fuzz-buffer-overflow.patch
Patch6: 0006-Add-attributes-file-nodesize-check.patch
Patch7: 0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch
Patch0001: 0001-MEMORYLEAK-DOS-LOAD-EXT-TABLE.patch
Patch0002: 0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
Patch0003: 0003-Fix-bug-introduced-with-imap-offset-check.patch
Patch0004: 0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
Patch0005: 0005-Fix-Fuzz-buffer-overflow.patch
Patch0006: 0006-Add-attributes-file-nodesize-check.patch
Patch0007: 0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch
Patch0008: 0008-left-shift.patch
Patch0009: 0009-fix-memleak-in-ntfs.patch
Patch0010: 0010-Fixed-HFS-BTree-key-OOB-read.patch
Patch0011: 0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch
#https://github.com/sleuthkit/sleuthkit/pull/2453/commits/bd5af353d9a6d8f936d59c2fda57cf7eb14c48f5
Patch0012: 0012-fix_oob_read8.patch
#https://github.com/sleuthkit/sleuthkit/pull/2453/commits/6bac602fc47bd668fb0b8c14ce64c073ecc2de63
Patch0013: 0013-fix_oob_read13.patch
#https://github.com/sleuthkit/sleuthkit/pull/2453/commits/beb68f543261a28ee25b945bb79d39213decd2cd
Patch0014: 0014-Fixed-OOB-reads-in-hfs_dir_open_meta_cb.patch
BuildRequires: gcc-c++ afflib-devel >= 3.3.4 libewf-devel perl-generators sqlite-devel
@ -87,6 +97,21 @@ sed -i.rpath 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
%{_mandir}/man1/*
%changelog
* Thu Jun 13 2024 yao_xin <yao_xin001@hoperun.com> - 4.6.7-12
- License compliance rectification
* Thu Mar 10 2022 xuping <xuping33@huawei.com> - 4.6.7-11
- Fixed OOB read in hfs_dir_open_meta_cb
* Thu Aug 26 2021 lingsheng <lingsheng@huawei.com> - 4.6.7-10
- Fixed OOB reads in hfs_cat_traverse
* Thu Aug 26 2021 sunguoshuai <sunguoshuai@huawei.com> - 4.6.7-9
- Fix memleak in ntfs
* Thu Jun 3 2021 caodongxia <caodongxia@huawei.com> - 4.6.7-8
- Fixed left shift
* Wed May 19 2021 lingsheng <lingsheng@huawei.com> - 4.6.7-7
- Fixed OOB reads in hfs_cat_traverse
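Review bot: The 4.6.7-11 changelog entry names only the hfs_dir_open_meta_cb fix, while the Patch0012–Patch0014 block adds three upstream commits (fix_oob_read8, fix_oob_read13 and the hfs_dir_open_meta_cb fix), each annotated with its pull-request commit URL; if all three were introduced in -11, listing them in that entry, e.g. `- Fixed OOB reads in HFS catalog key comparison and hfs_dir_open_meta_cb (upstream PR 2453)`, lets anyone auditing the backport state map the changelog to the patch list without opening the spec. The comment URLs above Patch0012–Patch0014 are the right idea; the earlier Patch0008–Patch0011 entries lack such provenance, and adding the upstream commit for each would make the series auditable end to end.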