Re: [sleuthkit-users] more crashes
From: Svein Y. W. <sv...@wi...> - 2006-08-25 06:40:50
Hello Simson,
Are these "Drive #xxx" something that is publicly available, or are they
internal references?
Anyway, at least the first (and third) of the crashes you cite here could be
a similar problem as discussed previously, namely that ntfs_info->sds->data
could be NULL. If these problems have turned up in recent versions, it would
be reasonable to check any recent changes in the code that builds these
structures.
Regards,
Svein
> -----Original Message-----
> From: sle...@li... [mailto:sleuthkit-
> use...@li...] On Behalf Of Simson Garfinkel
> Sent: 24. august 2006 21:20
> To: sle...@li...
> Subject: [sleuthkit-users] more crashes
>
> Drive #193 causes a crash at line 3874 of ntfs.c.
>
> Here is the stack trace:
>
> (gdb) where
> #0 0x0000000000429427 in ntfs_secure_data_free (ntfs_info=0x566400)
> at ntfs.c:3874
> #1 0x00000000004294d8 in ntfs_close (fs=0x566400) at ntfs.c:3896
> #2 0x0000000000402b0a in do_vol (img=0x564000, start=32256) at
> iwalk.cpp:178
> #3 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
> #4 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
> last=2, flags=6, action=0x402b30 <mm_act>, ptr=0x44a304 "") at dos.c:
> 1013
> #5 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
> boring test comment") at iwalk.cpp:229
> #6 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
> iwalk.cpp:294
> (gdb)
>
>
> and the code:
> static void
> ntfs_secure_data_free(NTFS_INFO * ntfs_info)
> {
>     // Iterate over sds entries and free them
>     while (ntfs_info->sds) {
> =>      free(ntfs_info->sds->data);
>         ntfs_info->sds = ntfs_info->sds->next;
>     }
>
> ==================
> Drive #248:
>
> stack appears corrupted; this is what's on top:
>
> #0 0x0000000800d9c020 in strncpy () from /lib/libc.so.6
> (gdb) where
> #0 0x0000000800d9c020 in strncpy () from /lib/libc.so.6
> #1 0x00000000004206f4 in fatfs_dent_parse_buf (fatfs=0x566400,
> dinfo=0x7fffffffdd80,
> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of
> bounds>, len=6144, addrs=0x1663000, flags=7, action=0x402530
> <dent_act>, ptr=0x0)
> at fatfs_dent.c:521
> #2 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
> ptr=0x0)
> at fatfs_dent.c:754
> #3 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
> dinfo=0x7fffffffdd80,
> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of
> bounds>, len=6144, addrs=0x1662000, flags=7, action=0x402530
> <dent_act>, ptr=0x0)
> at fatfs_dent.c:539
> #4 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
> ptr=0x0)
> at fatfs_dent.c:754
> #5 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
> dinfo=0x7fffffffdd80,
> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of
> bounds>, len=6144, addrs=0x165b000, flags=7, action=0x402530
> <dent_act>, ptr=0x0)
> at fatfs_dent.c:539
> #6 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
> ptr=0x0)
> at fatfs_dent.c:754
> #7 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
> dinfo=0x7fffffffdd80,
> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of
> bounds>, len=6144, addrs=0x165a000, flags=7, action=0x402530
> <dent_act>, ptr=0x0)
> at fatfs_dent.c:539
> #8 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
> ptr=0x0)
> at fatfs_dent.c:754
> #9 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
> dinfo=0x7fffffffdd80,
> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of
> bounds>, len=6144, addrs=0x1653000, flags=7, action=0x402530
> <dent_act>, ptr=0x0)
> at fatfs_dent.c:539
> #10 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
> ptr=0x0)
> at fatfs_dent.c:754
> #11 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
> dinfo=0x7fffffffdd80,
> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of
> bounds>, len=6144, addrs=0x1652000, flags=7, action=0x402530
> <dent_act>, ptr=0x0)
> at fatfs_dent.c:539
>
>
> /* append our name */
> if (dinfo->depth < MAX_DEPTH) {
>     dinfo->didx[dinfo->depth] =
>         &dinfo->dirs[strlen(dinfo->dirs)];
> =>  strncpy(dinfo->didx[dinfo->depth], fs_dent->name,
>         DIR_STRSZ - strlen(dinfo->dirs));
>     strncat(dinfo->dirs, "/", DIR_STRSZ);
> }
>
> (gdb) p dinfo->didx[53]
> $2 = 0x7fffffffe789 "\345\221\201\345\275\205\344\241\223\345\211\217
> \345\275\224\345\211\205\346\214\240\346\271\257\347\211\264\346\261
> \257\346\
> \215\234\347\211\264\346\261\257"
> (gdb) p *fs_dent
> $3 = {name = 0x1666000 "\345\221\201\345\275\205\344\241\223\345\211
> \217\345\275\224\345\211\205\346\214\240\346\271\257\347\211\264\346
> \261\257\\
> 346\215\234\347\211\264\346\261\257", name_max = 1024,
> shrt_name = 0x563f00 ".", shrt_name_max = 32, inode = 40, fsi =
> 0x164ec00, ent_type = 4 '\004',
> path = 0x7fffffffdf88 "DOS/\345\221\201\345\275\205\344\241\223\345
> \211\217\345\275\224\345\211\205\346\214\240\346\271\257\347\211\264
> \346\261\
> \257\346\215\234\347\211\264\346\261\257/\345\221\201\345\275\205\344
> \241\223\345\211\217\345\275\224\345\211\205\346\214\240\346\271\257
> \347\211\
> \264\346\261\257\346\215\234\347\211\264\346\261\257/\345\221\201\345
> \275\205\344\241\223\345\211\217\345\275\224\345\211\205\346\214\240
> \346\271\
> \257\347\211\264\346\261\257\346\215\234\347\211\264\346\261\257/\345
> \221\201\345\275\205\344\241\223\345\211\217\345\275\224\345\211\205
> \346\214\
> \240\346\271\257\347\211\264\346\261\257\346\215\234\347\211\264\346
> \261\257/\345\221\201\345\275\205\344\241\223\345\211\217\345\275\224
> \345\211\
> \205\346\214\240\346\271\257\347\211\264\346\261\257\346\215\234\347
> \211\264"..., pathdepth = 53}
> (gdb)
>
>
> Looks like the structures on the disk are corrupt and the
> fatfs_dent.c routine is being a little too trusting?
>
> ===============================
> Image 471:
> (gdb) where
> #0 0x0000000000429427 in ntfs_secure_data_free (ntfs_info=0x566400)
> at ntfs.c:3874
> #1 0x00000000004294d8 in ntfs_close (fs=0x566400) at ntfs.c:3896
> #2 0x0000000000402b0a in do_vol (img=0x564000, start=32256) at
> iwalk.cpp:178
> #3 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
> #4 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
> last=2, flags=6, action=0x402b30 <mm_act>, ptr=0x44a304 "") at dos.c:
> 1013
> #5 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
> boring test comment") at iwalk.cpp:229
> #6 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
> iwalk.cpp:294
> (gdb)
>
>
> This looks like the same problem as Drive #193
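
Added example, not part of the original thread and not Sleuth Kit code: one way a directory walker can guard against the Drive #248 failure mode, where the trace shows inode 40 re-entered at every level until the path buffer is overrun. The struct, function names, limit values and the sample names and inode 2 are hypothetical; only `DIR_STRSZ`, `MAX_DEPTH` and inode 40 are taken from the thread.

```c
#include <string.h>
/* Assumed limits; the thread does not show the real DIR_STRSZ / MAX_DEPTH. */
#define DIR_STRSZ 64
#define MAX_DEPTH 8
enum { PUSH_OK, PUSH_TOO_DEEP, PUSH_TOO_LONG, PUSH_CYCLE };

typedef struct {
    char dirs[DIR_STRSZ];            /* path so far, always NUL-terminated */
    size_t len;                      /* strlen(dirs), tracked explicitly */
    unsigned long inum[MAX_DEPTH];   /* inode of each directory on the path */
    size_t mark[MAX_DEPTH];          /* value of len before each push */
    unsigned depth;
} walk_state;

/* Enter directory `name` (inode `inum`). On any refusal the state is unchanged. */
int walk_push(walk_state *w, const char *name, unsigned long inum)
{
    size_t n = strlen(name);
    if (w->depth >= MAX_DEPTH)
        return PUSH_TOO_DEEP;
    for (unsigned i = 0; i < w->depth; i++)
        if (w->inum[i] == inum)      /* directory is its own ancestor */
            return PUSH_CYCLE;
    if (n + 2 > DIR_STRSZ - w->len)  /* name + '/' + NUL must fit */
        return PUSH_TOO_LONG;
    w->mark[w->depth] = w->len;
    w->inum[w->depth++] = inum;
    memcpy(w->dirs + w->len, name, n);
    w->len += n;
    w->dirs[w->len++] = '/';
    w->dirs[w->len] = '\0';
    return PUSH_OK;
}

/* Leave the current directory, restoring the previous path. */
void walk_pop(walk_state *w)
{
    if (w->depth == 0) return;
    w->len = w->mark[--w->depth];
    w->dirs[w->len] = '\0';
}

/* Constructed replay of the trace: a directory at inode 40 that lists itself. */
int replay_self_reference(walk_state *w)
{
    memset(w, 0, sizeof *w);
    walk_push(w, "DOS", 2);
    walk_push(w, "dir", 40);
    return walk_push(w, "dir", 40);
}
```

A caller that gets anything other than `PUSH_OK` skips that entry and continues with its siblings, so a corrupt image costs one directory rather than the whole run.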