AgentD / squashfs-tools-ng

A new set of tools and libraries for working with SquashFS images

Stack overflow found by fuzzing #12

Closed Dr-Emann closed 4 years ago

Dr-Emann commented 4 years ago

Base64 encoded file:


Steps to reproduce:

  1. Compile on master
  2. base64 -d > bad_file <<< "aHNxcwIAAAApDV5dABAAAAEAAAABAAwAywECAAQAAAAgAAAAAAAAAAIBAAAAAAAA+gAAAAAAAAD//////////2MAAAAAAAAApQAAAAAAAADOAAAAAAAAAOgAAAAAAAAAaGkKQIACALQBAAABANQMXl0BAAAAAAAAAAAAAAAAAAAAAwAAAAEA/QEAAAEA1AxeXQIAAAAAAAAAAgAAABgAAAADAAAAFYAAAAAAAAAAAAEAAAAgAAAAAgAAAGEQgGAAAAAAAAAAAwAAAQAAAAC8AAAAAAAAABCAAAAAAAAAAAAgAAAAAAAAANYAAAAAAAAACIDpAwAA6wMAAPAAAAAAAAAA"
  3. run rdsquashfs -d bad_file

Gets a segfault. Running under gdb shows a bogus stack at the time of the segfault. Compiling with ASAN says:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==8426==ERROR: AddressSanitizer: stack-overflow on address 0x7fff965d7ff8 (pc 0x00000041cb62 bp 0x000000000800 sp 0x7fff965d8000 T0)
    #0 0x41cb61 in atomic_load<__sanitizer::atomic_uint16_t> /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_allocator.cc
    #1 0x41cb61 in ComputeRZLog /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_allocator.cc:356
    #2 0x41cb61 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_allocator.cc:425
    #3 0x41d42a in Calloc /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_allocator.cc:682:17
    #4 0x41d42a in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_allocator.cc:880
    #5 0x4c716c in calloc /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:156:10
    #6 0x500c04 in meta_reader_read_dir_ent /home/dremann/Development/squashfs-tools-ng-asan/lib/sqfs/readdir.c:41:8
    #7 0x4fdc57 in fill_dir /home/dremann/Development/squashfs-tools-ng-asan/lib/sqfs/deserialize_fstree.c:97:10
    #8 0x4fdf93 in fill_dir /home/dremann/Development/squashfs-tools-ng-asan/lib/sqfs/deserialize_fstree.c:154:8
    #9 0x4fdf93 in fill_dir /home/dremann/Development/squashfs-tools-ng-asan/lib/sqfs/deserialize_fstree.c:154:8
    #10 0x4fdf93 in fill_dir /home/dremann/Development/squashfs-tools-ng-asan/lib/sqfs/deserialize_fstree.c:154:8
    #11 0x4fdf93 in fill_dir /home/dremann/Development/squashfs-tools-ng-asan/lib/sqfs/deserialize_fstree.c:154:8
    #12 0x4fdf93 in fill_dir /home/dremann/Development/squashfs-tools-ng-asan/lib/sqfs/deserialize_fstree.c:154:8

   ... a ton of the same line ...

    #251 0x4fdf93 in fill_dir /home/dremann/Development/squashfs-tools-ng-asan/lib/sqfs/deserialize_fstree.c:154:8

SUMMARY: AddressSanitizer: stack-overflow /build/llvm-toolchain-8-F3l7P1/llvm-toolchain-8-8/projects/compiler-rt/lib/asan/asan_allocator.cc in atomic_load<__sanitizer::atomic_uint16_t>
==8426==ABORTING
Dr-Emann commented 4 years ago

btw: unsquashfs -li says this when run against the bad file:

1 inodes (1 blocks) to write

drwxrwxr-x dremann/dremann          24 2019-08-22 03:32 squashfs-root
drwxrwxr-x dremann/dremann          24 2019-08-22 03:32 squashfs-root/a
Unknown inode type 1 in create_inode_table!

created 0 files
created 1 directories
created 0 symlinks
created 0 devices
created 0 fifos
AgentD commented 4 years ago

Thanks a lot! This should be fixed by commit 8b16efb. The underlying problem was that the fuzzer created a filesystem with a directory that contains itself.
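
As an added illustration (not code from squashfs-tools-ng, and not the fix in 8b16efb), here is a simplified recursive directory walk over a constructed inode table that rejects a directory containing itself instead of recursing until the stack is exhausted, the failure mode in the trace above; the table layout, the MAX_DEPTH cap and all function names are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-in for an inode table (not the library's real structs):
 * each inode is a file, or a directory listing child inode numbers. */
#define MAX_INODES 16
#define MAX_CHILDREN 4
typedef struct { bool is_dir; size_t nchildren; unsigned children[MAX_CHILDREN]; } inode_t;
enum { WALK_OK = 0, WALK_ERR_CYCLE = -1, WALK_ERR_DEPTH = -2, WALK_ERR_RANGE = -3 };
#define MAX_DEPTH 64 /* hypothetical cap; bounds recursion regardless of input */

/* Recursive walk in the spirit of fill_dir, plus the guard the crashing path
 * lacked: a SquashFS directory has exactly one parent, so each directory inode
 * may be entered once; one that lists itself or an ancestor is an error. */
static int walk_dir(const inode_t *t, size_t n, unsigned ino,
                    bool *seen, int depth, size_t *ndirs)
{
    if (ino >= n) return WALK_ERR_RANGE;      /* dangling inode number */
    if (!t[ino].is_dir) return WALK_OK;        /* leaf: nothing to descend */
    if (seen[ino]) return WALK_ERR_CYCLE;      /* directory contains itself */
    if (depth > MAX_DEPTH) return WALK_ERR_DEPTH;
    seen[ino] = true;
    (*ndirs)++;
    for (size_t i = 0; i < t[ino].nchildren; ++i) {
        int rc = walk_dir(t, n, t[ino].children[i], seen, depth + 1, ndirs);
        if (rc != WALK_OK) return rc;
    }
    return WALK_OK;
}
/* Returns WALK_OK and the number of directories visited, or an error code. */
int deserialize_tree(const inode_t *t, size_t n, unsigned root, size_t *ndirs)
{
    bool seen[MAX_INODES] = { false };
    *ndirs = 0;
    if (n > MAX_INODES) return WALK_ERR_RANGE;
    return walk_dir(t, n, root, seen, 0, ndirs);
}
/* Constructed images: a sane tree (root -> dir a, file), and the fuzzer's
 * shape, where directory a lists itself as its own child. */
int check_sane_image(void)
{
    inode_t t[3] = { { true, 2, {1, 2} }, { true, 0, {0} }, { false, 0, {0} } };
    size_t ndirs;
    return deserialize_tree(t, 3, 0, &ndirs) == WALK_OK && ndirs == 2;
}
int check_self_containing_image(void)
{
    inode_t t[2] = { { true, 1, {1} }, { true, 1, {1} } }; /* root -> a, a -> a */
    size_t ndirs;
    return deserialize_tree(t, 2, 0, &ndirs); /* WALK_ERR_CYCLE, no stack overflow */
}
```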

Dr-Emann commented 4 years ago

I thought it might be something like that. Looks good.