Re: [sleuthkit-users] more crashes
From: Brian C. <ca...@sl...> - 2006-08-25 13:39:53
The SDS code was contributed to the last version and I briefly looked it
over, but I'll look at it more today to find out why it is not being
allocated on some drives. I'm assuming it is based on what version of NTFS
you are using since the security descriptor stuff changed.
I thought I was handling corrupt path and file name info, but I'll check
it out in more detail today.
brian
Simson Garfinkel wrote:
> Drive #193 causes a crash at line 3874 of ntfs.c.
>
> Here is the stack trace:
>
> (gdb) where
> #0 0x0000000000429427 in ntfs_secure_data_free (ntfs_info=0x566400) at
> ntfs.c:3874
> #1 0x00000000004294d8 in ntfs_close (fs=0x566400) at ntfs.c:3896
> #2 0x0000000000402b0a in do_vol (img=0x564000, start=32256) at
> iwalk.cpp:178
> #3 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
> #4 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0, last=2,
> flags=6, action=0x402b30 <mm_act>, ptr=0x44a304 "") at dos.c:1013
> #5 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
> boring test comment") at iwalk.cpp:229
> #6 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
> iwalk.cpp:294
> (gdb)
>
>
> and the code:
> static void
> ntfs_secure_data_free(NTFS_INFO * ntfs_info)
> {
> // Iterate over sds entries and free them
> while (ntfs_info->sds) {
> => free(ntfs_info->sds->data);
> ntfs_info->sds = ntfs_info->sds->next;
> }
>
> ==================
> Drive #248:
>
> stack appears corrupted; this is what's on top:
>
> #0 0x0000000800d9c020 in strncpy () from /lib/libc.so.6
> (gdb) where
> #0 0x0000000800d9c020 in strncpy () from /lib/libc.so.6
> #1 0x00000000004206f4 in fatfs_dent_parse_buf (fatfs=0x566400,
> dinfo=0x7fffffffdd80,
> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of bounds>,
> len=6144, addrs=0x1663000, flags=7, action=0x402530 <dent_act>, ptr=0x0)
> at fatfs_dent.c:521
> #2 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
> ptr=0x0)
> at fatfs_dent.c:754
> #3 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
> dinfo=0x7fffffffdd80,
> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of bounds>,
> len=6144, addrs=0x1662000, flags=7, action=0x402530 <dent_act>, ptr=0x0)
> at fatfs_dent.c:539
> #4 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
> ptr=0x0)
> at fatfs_dent.c:754
> #5 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
> dinfo=0x7fffffffdd80,
> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of bounds>,
> len=6144, addrs=0x165b000, flags=7, action=0x402530 <dent_act>, ptr=0x0)
> at fatfs_dent.c:539
> #6 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
> ptr=0x0)
> at fatfs_dent.c:754
> #7 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
> dinfo=0x7fffffffdd80,
> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of bounds>,
> len=6144, addrs=0x165a000, flags=7, action=0x402530 <dent_act>, ptr=0x0)
> at fatfs_dent.c:539
> #8 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
> ptr=0x0)
> at fatfs_dent.c:754
> #9 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
> dinfo=0x7fffffffdd80,
> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of bounds>,
> len=6144, addrs=0x1653000, flags=7, action=0x402530 <dent_act>, ptr=0x0)
> at fatfs_dent.c:539
> #10 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
> ptr=0x0)
> at fatfs_dent.c:754
> #11 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
> dinfo=0x7fffffffdd80,
> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of bounds>,
> len=6144, addrs=0x1652000, flags=7, action=0x402530 <dent_act>, ptr=0x0)
> at fatfs_dent.c:539
>
>
> /* append our name */
> if (dinfo->depth < MAX_DEPTH) {
> dinfo->didx[dinfo->depth] =
> &dinfo->dirs[strlen(dinfo->dirs)];
> => strncpy(dinfo->didx[dinfo->depth], fs_dent->name,
> DIR_STRSZ - strlen(dinfo->dirs));
> strncat(dinfo->dirs, "/", DIR_STRSZ);
> }
>
> (gdb) p dinfo->didx[53]
> $2 = 0x7fffffffe789
> "\345\221\201\345\275\205\344\241\223\345\211\217\345\275\224\345\211\205\346\214\240\346\271\257\347\211\264\346\261\257\346\
>
> \215\234\347\211\264\346\261\257"
> (gdb) p *fs_dent
> $3 = {name = 0x1666000
> "\345\221\201\345\275\205\344\241\223\345\211\217\345\275\224\345\211\205\346\214\240\346\271\257\347\211\264\346\261\257\\
>
> 346\215\234\347\211\264\346\261\257", name_max = 1024,
> shrt_name = 0x563f00 ".", shrt_name_max = 32, inode = 40, fsi =
> 0x164ec00, ent_type = 4 '\004',
> path = 0x7fffffffdf88
> "DOS/\345\221\201\345\275\205\344\241\223\345\211\217\345\275\224\345\211\205\346\214\240\346\271\257\347\211\264\346\261\
>
> \257\346\215\234\347\211\264\346\261\257/\345\221\201\345\275\205\344\241\223\345\211\217\345\275\224\345\211\205\346\214\240\346\271\257\347\211\
>
> \264\346\261\257\346\215\234\347\211\264\346\261\257/\345\221\201\345\275\205\344\241\223\345\211\217\345\275\224\345\211\205\346\214\240\346\271\
>
> \257\347\211\264\346\261\257\346\215\234\347\211\264\346\261\257/\345\221\201\345\275\205\344\241\223\345\211\217\345\275\224\345\211\205\346\214\
>
> \240\346\271\257\347\211\264\346\261\257\346\215\234\347\211\264\346\261\257/\345\221\201\345\275\205\344\241\223\345\211\217\345\275\224\345\211\
>
> \205\346\214\240\346\271\257\347\211\264\346\261\257\346\215\234\347\211\264"...,
> pathdepth = 53}
> (gdb)
>
>
> Looks like the structures on the disk are corrupt and the fatfs_dent.c
> routine is being a little too trusting?
>
> ===============================
> Image 471:
> (gdb) where
> #0 0x0000000000429427 in ntfs_secure_data_free (ntfs_info=0x566400) at
> ntfs.c:3874
> #1 0x00000000004294d8 in ntfs_close (fs=0x566400) at ntfs.c:3896
> #2 0x0000000000402b0a in do_vol (img=0x564000, start=32256) at
> iwalk.cpp:178
> #3 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
> #4 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0, last=2,
> flags=6, action=0x402b30 <mm_act>, ptr=0x44a304 "") at dos.c:1013
> #5 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
> boring test comment") at iwalk.cpp:229
> #6 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
> iwalk.cpp:294
> (gdb)
>
>
> This looks like the same problem as Drive #193
>
>
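A bounds-checked version of the path-append step from the quoted `fatfs_dent.c` snippet, as an added example that is not part of the original thread or of The Sleuth Kit's code. In the quoted lines, `strncpy` leaves the destination unterminated when the name fills the remaining count, and `strncat`'s third argument limits the bytes appended rather than the destination size. The struct, `push_dir`, `bounded_len`, and the values of `DIR_STRSZ` and `MAX_DEPTH` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DIR_STRSZ 64 /* assumed value; the quoted snippet does not show it */
#define MAX_DEPTH 8  /* assumed value; the quoted snippet does not show it */

/* Hypothetical stand-in for the walker state (dirs, didx, depth) in the quote. */
typedef struct {
    char dirs[DIR_STRSZ];  /* path prefix, always NUL-terminated */
    char *didx[MAX_DEPTH]; /* start of each component inside dirs */
    unsigned int depth;
} walk_state;

/* Length of s, reading at most max bytes (on-disk names may lack a NUL). */
static size_t bounded_len(const char *s, size_t max)
{
    const char *end = memchr(s, '\0', max);
    return end ? (size_t)(end - s) : max;
}

/* Append "name/" to st->dirs. Returns 0 on success, -1 when the depth limit
 * is reached or the component does not fit; on -1 the state is unchanged. */
int push_dir(walk_state *st, const char *name, size_t name_max)
{
    size_t used = bounded_len(st->dirs, DIR_STRSZ);
    size_t nlen = bounded_len(name, name_max);

    if (st->depth >= MAX_DEPTH || used >= DIR_STRSZ)
        return -1;
    if (nlen + 2 > DIR_STRSZ - used) /* name + '/' + NUL must fit */
        return -1;
    st->didx[st->depth++] = &st->dirs[used];
    memcpy(&st->dirs[used], name, nlen);
    memcpy(&st->dirs[used + nlen], "/", 2); /* copies '/' and the NUL */
    return 0;
}

int main(void)
{
    walk_state st = { 0 };
    /* Constructed input: a directory that keeps listing itself as a child. */
    while (push_dir(&st, "LOOPDIR", 8) == 0)
        ;
    printf("stopped at depth %u: %s\n", st.depth, st.dirs);
    return 0;
}
```

A walker built this way stops descending when `push_dir` returns -1, so a self-referencing directory chain ends the recursion instead of writing past `dirs`.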