onekey-sec / unblob

Extract files from any kind of container formats
https://unblob.org

unblob:search_chunks_fuzzer: Out-of-memory in search_chunks_fuzzer #792

Closed qkaiser closed 4 months ago

qkaiser commented 4 months ago

Project: unblob
Fuzzing Engine: libFuzzer
Fuzz Target: search_chunks_fuzzer
Job Type: libfuzzer_asan_unblob
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2560 MB)
Crash Address:
Crash State: search_chunks_fuzzer

Sanitizer: address (ASAN)

Affected revision: 3c2db4a6a8cfe00b90514419687d9ec271404d75

Reproducer test case is below:

00000000  20 20 20 20 20 20 20 20  20 20 20 20 20 20 ff 20  |              . |
00000010  00 00 ff ff 00 69 fd ff  ff ff ff ff ff 00 00 00  |.....i..........|
00000020  00 00 00 00 00 00 ff ff  ff ff ff ff ff ff ff ff  |................|
00000030  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000060  ff ff ff ff ff 00 00 00  00 00 20 00 00 00 04 00  |.......... .....|
00000070  00 83 4a 6a 5d 83 4a 6a  5d 01 00 ff 00 00 00 00  |..Jj].Jj].......|
00000080  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
000000c0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff 00 00  |................|
000000d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000e0  00 00 00 00 00 00 00 02  00 00 00 00 00 00 00 00  |................|
000000f0  00 00 00 00 00 00 00 00  00 ff ff ff ff ff ff ff  |................|
00000100  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000170  ff ff ff ff ff ff 00 00  00 00 00 20 00 00 00 04  |........... ....|
00000180  00 00 83 4a 6a 5d 83 4a  6a 5d 01 00 ff ff 53 ef  |...Jj].Jj]....S.|
00000190  01 00 01 00 83 4a 6a 5d  00 00 00 00 00 00 00 00  |.....Jj]........|
000001a0  00 00 00 00 00 00 00 40  00 00 00 00 00 ff ff ff  |.......@........|
000001b0  ff ff 00 00 00 00 00 20  00 00 00 04 00 00 83 4a  |....... .......J|
000001c0  6a 5d 83 4a 6a 5d 01 00  ff ff 53 ef 01 00 01 00  |j].Jj]....S.....|
000001d0  83 4a 6a 5d 00 00 00 00  00 00 00 00 00 00 00 00  |.Jj]............|
000001e0  00 00 00 40 00 00 00 00  01 00 01 00 00 00 83 4a  |...@...........J|
000001f0  6a 5d 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |j]..............|
00000200  00 00 00 40 00 00 00 00  00 00 00 00 00 00 ff ff  |...@............|
00000210  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000240  ff ff ff ff ff ff ff 00  00 00 00 04 00 00 83 4a  |...............J|
00000250  6a 5d 83 4a 6a 5d 01 00  ff ff 53 ef 01 00 01 00  |j].Jj]....S.....|
00000260  00 00 83 4a 6a 5d 00 00  00 00 00 00 00 00 00 00  |...Jj]..........|
00000270  00 00 00 00 00 00 00 40  00 00 00 00 00 00 00 00  |.......@........|
00000280  00 00 00 00 4f 72 64 65  72 65 64 44 ff ff ff ff  |....OrderedD....|
00000290  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
000002c0  ff ff ff ff ff ff 00 00  00 00 00 20 00 00 00 04  |........... ....|
000002d0  00 00 83 4a 6a 5d 83 4a  6a 5d 01 00 ff ff 53 ef  |...Jj].Jj]....S.|
000002e0  01 00 01 00 83 4a 6a 5d  00 00 00 00 00 00 00 00  |.....Jj]........|
000002f0  00 00 00 00 00 00 00 40  00 00 00 00 00 ff ff ff  |.......@........|
00000300  ff ff 00 00 00 00 00 20  00 00 00 04 00 00 83 4a  |....... .......J|
00000310  6a 5d 83 4a 6a 5d 01 00  ff ff 53 ef 01 00 01 00  |j].Jj]....S.....|
00000320  83 4a 6a 5d 00 00 00 00  00 00 00 00 00 00 00 00  |.Jj]............|
00000330  00 00 00 40 00 00 00 00  ff ff ff ff ff ff ff ff  |...@............|
00000340  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000360  ff ff ff 00 00 00 00 00  20 00 00 00 04 00 00 83  |........ .......|
00000370  4a 6a 5d 83 4a 6a 5d 01  00 ff ff 53 ef 01 00 01  |Jj].Jj]....S....|
00000380  00 83 4a 6a 5d 00 00 00  00 00 00 00 00 00 00 00  |..Jj]...........|
00000390  00 00 00 00 40 00 00 00  00 00 ff ff ff ff ff 00  |....@...........|
000003a0  00 00 00 00 20 00 00 00  04 00 00 83 4a 6a 5d 83  |.... .......Jj].|
000003b0  4a 6a 5d 01 00 ff ff 53  ef 01 00 01 00 83 4a 6a  |Jj]....S......Jj|
000003c0  5d 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |]...............|
000003d0  40 00 00 00 00 ff ff ff  ff ff ff ff ff ff ff ff  |@...............|
000003e0  ff ff ff ff 00 00 00 00  00 20 00 00 00 04 00 00  |......... ......|
000003f0  83 4a 6a 5d 83 4a 6a 5d  01 00 ff ff 53 ef 01 00  |.Jj].Jj]....S...|
00000400  01 00 83 4a 6a 5d 00 00  00 00 00 00 6e 6f 74 00  |...Jj]......not.|
00000410  00 00 00 00 00 40 00 00  00 00 00 ff ff ff ff ff  |.....@..........|
00000420  00 00 00 00 00 20 00 00  00 04 00 00 83 4a 6a 5d  |..... .......Jj]|
00000430  83 4a 6a 5d 01 00 ff ff  53 ef 01 00 01 00 83 4a  |.Jj]....S......J|
00000440  6a 5d 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |j]..............|
00000450  40 00 00 00                                       |@...|
00000454

It's a mutated ExtFS that is also confusing libmagic:

file /tmp/5412757073625088
/tmp/5412757073625088: Linux rev 0.19075

The end offset that we calculate is insanely large:

(Pdb) end_offset
*** ValueError: Exceeds the limit (4300 digits) for integer string conversion; use sys.set_int_max_str_digits() to increase the limit

When we print it to the console, something allocates so much memory for it that we OOM.

The large end_offset is due to a large s_log_block_size:

- s_log_block_size: 0xff000000

We should add a sanity check for s_log_block_size in valid_header.
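As an added example (this is not unblob's code: `valid_header` and `calculate_end_offset` are hypothetical stand-ins for the handler's functions, and the field offsets are the published ext2/3/4 superblock layout), here is the kind of bound the comment above asks for. The kernel only mounts block sizes from 1 KiB to 64 KiB, so `s_log_block_size` must be in 0..6; checking that before any size arithmetic means the shift that produced the giant `end_offset` is never evaluated on a mutated image.

```python
import struct

# Layout constants of the ext2/3/4 superblock (well-known on-disk format
# values, not taken from the issue): 1024 bytes at offset 1024 of the
# filesystem, s_blocks_count_lo is the u32 at 0x04, s_log_block_size the
# u32 at 0x18 and s_magic the u16 0xEF53 at 0x38.
SUPERBLOCK_OFFSET = 1024
SUPERBLOCK_SIZE = 1024
EXT_MAGIC = 0xEF53
MIN_BLOCK_SIZE = 1024
# block_size = 1024 << s_log_block_size; the kernel accepts 1 KiB..64 KiB
# only, so any s_log_block_size above 6 is garbage.
MAX_LOG_BLOCK_SIZE = 6


def parse_superblock(sb: bytes) -> dict:
    """Pull the three fields needed for chunk sizing out of a raw superblock."""
    if len(sb) < SUPERBLOCK_SIZE:
        raise ValueError("truncated superblock")
    (blocks_count_lo,) = struct.unpack_from("<I", sb, 0x04)
    (log_block_size,) = struct.unpack_from("<I", sb, 0x18)
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    return {
        "blocks_count": blocks_count_lo,
        "log_block_size": log_block_size,
        "magic": magic,
    }


def valid_header(sb: bytes) -> bool:
    """Hypothetical header check: reject before any size arithmetic happens.

    The bound on s_log_block_size is what keeps `1024 << s_log_block_size`
    from turning into a multi-hundred-megabyte integer on a mutated image.
    """
    try:
        fields = parse_superblock(sb)
    except ValueError:
        return False
    if fields["magic"] != EXT_MAGIC:
        return False
    if fields["log_block_size"] > MAX_LOG_BLOCK_SIZE:
        return False
    if fields["blocks_count"] == 0:
        return False
    return True


def calculate_end_offset(start_offset: int, sb: bytes):
    """Return start_offset + filesystem size, or None if the header is rejected."""
    if not valid_header(sb):
        return None
    fields = parse_superblock(sb)
    block_size = MIN_BLOCK_SIZE << fields["log_block_size"]  # at most 64 KiB here
    return start_offset + fields["blocks_count"] * block_size


def make_superblock(blocks_count: int, log_block_size: int, magic: int = EXT_MAGIC) -> bytes:
    """Build a constructed, minimal superblock for demonstration (not a real image)."""
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into("<I", sb, 0x04, blocks_count)
    struct.pack_into("<I", sb, 0x18, log_block_size)
    struct.pack_into("<H", sb, 0x38, magic)
    return bytes(sb)


# Constructed samples: a sane 4 MiB filesystem (1024 blocks of 4 KiB) and the
# same header carrying the mutated s_log_block_size reported in the issue.
SANE_SB = make_superblock(blocks_count=1024, log_block_size=2)
MUTATED_SB = make_superblock(blocks_count=1024, log_block_size=0xFF000000)

if __name__ == "__main__":
    print("sane   :", calculate_end_offset(0, SANE_SB))     # 4194304
    print("mutated:", calculate_end_offset(0, MUTATED_SB))  # None, shift never evaluated
```

The example only reads `s_blocks_count_lo`; a handler that supports the 64-bit feature would also fold in `s_blocks_count_hi` at 0x150, and the same bound applies either way, because the block-size shift is the term that blows up, not the block count.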

qkaiser commented 4 months ago

Hi! I'm Johnny Knoxville, welcome to Jackass

#!/usr/bin/env python3

# 0x400 is the 1 KiB minimum ext block size, 0xff000000 the mutated s_log_block_size.
# Python has to materialise the shifted integer (about 510 MiB) and then a hex
# string roughly twice that size; together they reproduce the out-of-memory.
offset = 0x400 << 0xff000000
print(f"{offset:x}")
