Re: [sleuthkit-users] more crashes
From: Simson G. <si...@ac...> - 2006-08-25 15:29:27
On Aug 24, 2006, at 11:40 PM, Svein Yngvar Willassen wrote:
> Hello Simson,
>
> Are these "Drive #xxx" something that is publicly available, or are they
> internal references?
They are internal reference numbers from my corpus.
>
> Anyway, at least the first (and third) of the crashes you cite here could be
> a similar problem as discussed previously, namely that ntfs_info->sds->data
> could be NULL. If these problems have turned up in recent versions, it would
> be reasonable to check any recent changes in the code that build these
> structures.
Nope. I tried patching the code so that it checks the value
before it frees...
static void
ntfs_secure_data_free(NTFS_INFO * ntfs_info)
{
    // Iterate of sds entries and free them
    while (ntfs_info->sds) {
=>      if(ntfs_info->sds->data) free(ntfs_info->sds->data);
        ntfs_info->sds = ntfs_info->sds->next;
    }
And I got another crash. ntfs_info->sds->data isn't NULL, it's just
an invalid pointer:
(gdb) p ntfs_info->sds
$1 = (NTFS_SDS_ENTRY *) 0x7332ddf
(gdb) p ntfs_info->sds->data
Cannot access memory at address 0x7332def
(gdb)
>
> Regards,
>
> Svein
>
>
>
>> -----Original Message-----
>> From: sle...@li...
>> [mailto:sleuthkit-
>> use...@li...] On Behalf Of Simson Garfinkel
>> Sent: 24. august 2006 21:20
>> To: sle...@li...
>> Subject: [sleuthkit-users] more crashes
>>
>> Drive #193 causes a crash at line 3874 of ntfs.c.
>>
>> Here is the stack trace:
>>
>> (gdb) where
>> #0 0x0000000000429427 in ntfs_secure_data_free (ntfs_info=0x566400)
>> at ntfs.c:3874
>> #1 0x00000000004294d8 in ntfs_close (fs=0x566400) at ntfs.c:3896
>> #2 0x0000000000402b0a in do_vol (img=0x564000, start=32256) at
>> iwalk.cpp:178
>> #3 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
>> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
>> #4 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
>> last=2, flags=6, action=0x402b30 <mm_act>, ptr=0x44a304 "") at dos.c:
>> 1013
>> #5 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
>> boring test comment") at iwalk.cpp:229
>> #6 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
>> iwalk.cpp:294
>> (gdb)
>>
>>
>> and the code:
>> static void
>> ntfs_secure_data_free(NTFS_INFO * ntfs_info)
>> {
>> // Iterate of sds entries and free them
>> while (ntfs_info->sds) {
>> => free(ntfs_info->sds->data);
>> ntfs_info->sds = ntfs_info->sds->next;
>> }
>>
>> ==================
>> Drive #248:
>>
>> stack appears corrupted; this is what's on top:
>>
>> #0 0x0000000800d9c020 in strncpy () from /lib/libc.so.6
>> (gdb) where
>> #0 0x0000000800d9c020 in strncpy () from /lib/libc.so.6
>> #1 0x00000000004206f4 in fatfs_dent_parse_buf (fatfs=0x566400,
>> dinfo=0x7fffffffdd80,
>> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of
>> bounds>, len=6144, addrs=0x1663000, flags=7, action=0x402530
>> <dent_act>, ptr=0x0)
>> at fatfs_dent.c:521
>> #2 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
>> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
>> ptr=0x0)
>> at fatfs_dent.c:754
>> #3 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
>> dinfo=0x7fffffffdd80,
>> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of
>> bounds>, len=6144, addrs=0x1662000, flags=7, action=0x402530
>> <dent_act>, ptr=0x0)
>> at fatfs_dent.c:539
>> #4 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
>> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
>> ptr=0x0)
>> at fatfs_dent.c:754
>> #5 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
>> dinfo=0x7fffffffdd80,
>> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of
>> bounds>, len=6144, addrs=0x165b000, flags=7, action=0x402530
>> <dent_act>, ptr=0x0)
>> at fatfs_dent.c:539
>> #6 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
>> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
>> ptr=0x0)
>> at fatfs_dent.c:754
>> #7 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
>> dinfo=0x7fffffffdd80,
>> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of
>> bounds>, len=6144, addrs=0x165a000, flags=7, action=0x402530
>> <dent_act>, ptr=0x0)
>> at fatfs_dent.c:539
>> #8 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
>> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
>> ptr=0x0)
>> at fatfs_dent.c:754
>> #9 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
>> dinfo=0x7fffffffdd80,
>> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of
>> bounds>, len=6144, addrs=0x1653000, flags=7, action=0x402530
>> <dent_act>, ptr=0x0)
>> at fatfs_dent.c:539
>> #10 0x0000000000420c46 in fatfs_dent_walk_lcl (fs=0x566400,
>> dinfo=0x7fffffffdd80, inode=40, flags=7, action=0x402530 <dent_act>,
>> ptr=0x0)
>> at fatfs_dent.c:754
>> #11 0x0000000000420771 in fatfs_dent_parse_buf (fatfs=0x566400,
>> dinfo=0x7fffffffdd80,
>> buf=0xffffffffffffe788 <Address 0xffffffffffffe788 out of
>> bounds>, len=6144, addrs=0x1652000, flags=7, action=0x402530
>> <dent_act>, ptr=0x0)
>> at fatfs_dent.c:539
>>
>>
>> /* append our name */
>> if (dinfo->depth < MAX_DEPTH) {
>> dinfo->didx[dinfo->depth] =
>> &dinfo->dirs[strlen(dinfo->dirs)];
>> => strncpy(dinfo->didx[dinfo->depth], fs_dent->name,
>> DIR_STRSZ - strlen(dinfo->dirs));
>> strncat(dinfo->dirs, "/", DIR_STRSZ);
>> }
>>
>> (gdb) p dinfo->didx[53]
>> $2 = 0x7fffffffe789 "\345\221\201\345\275\205\344\241\223\345\211\217
>> \345\275\224\345\211\205\346\214\240\346\271\257\347\211\264\346\261
>> \257\346\
>> \215\234\347\211\264\346\261\257"
>> (gdb) p *fs_dent
>> $3 = {name = 0x1666000 "\345\221\201\345\275\205\344\241\223\345\211
>> \217\345\275\224\345\211\205\346\214\240\346\271\257\347\211\264\346
>> \261\257\\
>> 346\215\234\347\211\264\346\261\257", name_max = 1024,
>> shrt_name = 0x563f00 ".", shrt_name_max = 32, inode = 40, fsi =
>> 0x164ec00, ent_type = 4 '\004',
>> path = 0x7fffffffdf88 "DOS/\345\221\201\345\275\205\344\241\223
>> \345
>> \211\217\345\275\224\345\211\205\346\214\240\346\271\257\347\211\264
>> \346\261\
>> \257\346\215\234\347\211\264\346\261\257/\345\221\201\345\275\205\344
>> \241\223\345\211\217\345\275\224\345\211\205\346\214\240\346\271\257
>> \347\211\
>> \264\346\261\257\346\215\234\347\211\264\346\261\257/\345\221\201\345
>> \275\205\344\241\223\345\211\217\345\275\224\345\211\205\346\214\240
>> \346\271\
>> \257\347\211\264\346\261\257\346\215\234\347\211\264\346\261\257/\345
>> \221\201\345\275\205\344\241\223\345\211\217\345\275\224\345\211\205
>> \346\214\
>> \240\346\271\257\347\211\264\346\261\257\346\215\234\347\211\264\346
>> \261\257/\345\221\201\345\275\205\344\241\223\345\211\217\345\275\224
>> \345\211\
>> \205\346\214\240\346\271\257\347\211\264\346\261\257\346\215\234\347
>> \211\264"..., pathdepth = 53}
>> (gdb)
>>
>>
>> Looks like the structures on the disk are corrupt and the
>> fatfs_dent.c routine is being a little too trusting?
>>
>> ===============================
>> Image 471:
>> (gdb) where
>> #0 0x0000000000429427 in ntfs_secure_data_free (ntfs_info=0x566400)
>> at ntfs.c:3874
>> #1 0x00000000004294d8 in ntfs_close (fs=0x566400) at ntfs.c:3896
>> #2 0x0000000000402b0a in do_vol (img=0x564000, start=32256) at
>> iwalk.cpp:178
>> #3 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
>> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
>> #4 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
>> last=2, flags=6, action=0x402b30 <mm_act>, ptr=0x44a304 "") at dos.c:
>> 1013
>> #5 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
>> boring test comment") at iwalk.cpp:229
>> #6 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
>> iwalk.cpp:294
>> (gdb)
>>
>>
>> This looks like the same problem as Drive #193
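In the Drive #248 trace quoted above, `fatfs_dent_walk_lcl` is re-entered with `inode=40` at every level and `pathdepth` reaches 53 before `strncpy` faults. The following is an added example, not code from the original post or from The Sleuth Kit: one way to keep the path bookkeeping from trusting the on-disk tree, by refusing a directory already on the walk stack and checking remaining space without unsigned wrap-around. `walk_state`, `push_dir`, `pop_dir` and the constant values are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Constants named after the ones in the quoted snippet; values are assumed. */
#define DIR_STRSZ 64
#define MAX_DEPTH 8

/* Hypothetical walk state, not The Sleuth Kit's own structure. */
typedef struct {
    char dirs[DIR_STRSZ];            /* "a/b/c/" path built during the walk */
    size_t len;                      /* bytes used in dirs, excluding NUL */
    size_t didx[MAX_DEPTH];          /* offset where each level's name starts */
    unsigned long inodes[MAX_DEPTH]; /* directory inode entered at each level */
    unsigned depth;
} walk_state;

enum { PUSH_OK = 0, PUSH_CYCLE = -1, PUSH_TOO_DEEP = -2, PUSH_TOO_LONG = -3 };

/* Enter directory `name` (inode `inode`); refuse instead of corrupting memory. */
int push_dir(walk_state *w, const char *name, unsigned long inode)
{
    size_t nlen = strlen(name);
    unsigned i;
    if (w->depth >= MAX_DEPTH)
        return PUSH_TOO_DEEP;
    /* A directory already on the walk stack means the on-disk tree loops. */
    for (i = 0; i < w->depth; i++)
        if (w->inodes[i] == inode)
            return PUSH_CYCLE;
    /* Need room for name + '/' + NUL; written so the subtraction cannot wrap. */
    if (w->len >= DIR_STRSZ || nlen + 2 > DIR_STRSZ - w->len)
        return PUSH_TOO_LONG;

    w->didx[w->depth] = w->len;      /* store an offset, not a raw pointer */
    w->inodes[w->depth] = inode;
    memcpy(w->dirs + w->len, name, nlen);
    w->len += nlen;
    w->dirs[w->len++] = '/';
    w->dirs[w->len] = '\0';          /* always terminated, unlike strncpy */
    w->depth++;
    return PUSH_OK;
}

/* Leave the most recently entered directory and truncate the path. */
void pop_dir(walk_state *w)
{
    if (w->depth == 0) return;
    w->len = w->didx[--w->depth];
    w->dirs[w->len] = '\0';
}
```

The caller treats any non-zero return as "stop descending and report the entry", so a corrupt image costs one skipped subtree rather than a crash.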