!4 Fix CVE-2021-3504
From: @wang_yue111 Reviewed-by: @jackie_wu123,@small_leek Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot
Gitee
commit
3a0c30ad28
72
CVE-2021-3504.patch
Normal file
72
CVE-2021-3504.patch
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
From 8f1935733b10d974a1a4176d38dd151ed98cf381 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||||
|
Date: Thu, 15 Apr 2021 15:50:13 +0100
|
||||||
|
Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length
|
||||||
|
(CVE-2021-3504)
|
||||||
|
|
||||||
|
Hives are encoded as fixed-sized pages containing smaller variable-
|
||||||
|
length blocks:
|
||||||
|
|
||||||
|
+-------------------+-------------------+-------------------+--
|
||||||
|
| header |[ blk ][blk][ blk ]|[blk][blk][blk] |
|
||||||
|
+-------------------+-------------------+-------------------+--
|
||||||
|
|
||||||
|
Blocks should not straddle a page boundary. However because blocks
|
||||||
|
contain a 32 bit length field it is possible to construct an invalid
|
||||||
|
hive where the last block in a page overlaps either the next page or
|
||||||
|
the end of the file:
|
||||||
|
|
||||||
|
+-------------------+-------------------+
|
||||||
|
| header |[ blk ][blk][ blk ..... ]
|
||||||
|
+-------------------+-------------------+
|
||||||
|
|
||||||
|
Hivex lacked a bounds check and would process the registry. Because
|
||||||
|
the rest of the code assumes this situation can never happen it was
|
||||||
|
possible to have a block containing some field (eg. a registry key
|
||||||
|
name) which would extend beyond the end of the file. Hivex mmaps or
|
||||||
|
mallocs the file, causing hivex to read memory beyond the end of the
|
||||||
|
mapped region, resulting in reading other memory structures or a
|
||||||
|
crash. (Writing beyond the end of the mapped region seems to be
|
||||||
|
impossible because we always allocate a new page before writing.)
|
||||||
|
|
||||||
|
This commit adds a check which rejects the malformed registry on
|
||||||
|
hivex_open.
|
||||||
|
|
||||||
|
Credit: Jeremy Galindo, Sr Security Engineer, Datto.com
|
||||||
|
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
|
||||||
|
Fixes: CVE-2021-3504
|
||||||
|
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687
|
||||||
|
---
|
||||||
|
lib/handle.c | 12 ++++++++++--
|
||||||
|
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/handle.c b/lib/handle.c
|
||||||
|
index 88b1563..2e4231a 100644
|
||||||
|
--- a/lib/handle.c
|
||||||
|
+++ b/lib/handle.c
|
||||||
|
@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags)
|
||||||
|
#pragma GCC diagnostic pop
|
||||||
|
if (is_root || !h->unsafe) {
|
||||||
|
SET_ERRNO (ENOTSUP,
|
||||||
|
- "%s, the block at 0x%zx has invalid size %" PRIu32
|
||||||
|
- ", bad registry",
|
||||||
|
+ "%s, the block at 0x%zx size %" PRIu32
|
||||||
|
+ " <= 4 or not a multiple of 4, bad registry",
|
||||||
|
filename, blkoff, le32toh (block->seg_len));
|
||||||
|
goto error;
|
||||||
|
} else {
|
||||||
|
@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (blkoff + seg_len > off + page_size) {
|
||||||
|
+ SET_ERRNO (ENOTSUP,
|
||||||
|
+ "%s, the block at 0x%zx size %" PRIu32
|
||||||
|
+ " extends beyond the current page, bad registry",
|
||||||
|
+ filename, blkoff, le32toh (block->seg_len));
|
||||||
|
+ goto error;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (h->msglvl >= 2) {
|
||||||
|
unsigned char *id = (unsigned char *) block->id;
|
||||||
|
int id0 = id[0], id1 = id[1];
|
||||||
@ -6,13 +6,14 @@
|
|||||||
|
|
||||||
Name: hivex
|
Name: hivex
|
||||||
Version: 1.3.17
|
Version: 1.3.17
|
||||||
Release: 3
|
Release: 4
|
||||||
Summary: Windows Registry "hive" extraction library
|
Summary: Windows Registry "hive" extraction library
|
||||||
License: LGPLv2
|
License: LGPLv2
|
||||||
URL: http://libguestfs.org/
|
URL: http://libguestfs.org/
|
||||||
Source0: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz
|
Source0: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz
|
||||||
Source1: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz.sig
|
Source1: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz.sig
|
||||||
Source2: libguestfs.keyring
|
Source2: libguestfs.keyring
|
||||||
|
Patch0: CVE-2021-3504.patch
|
||||||
|
|
||||||
BuildRequires: perl-interpreter, perl, perl-podlators, perl-devel, perl-generators, perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00
|
BuildRequires: perl-interpreter, perl, perl-podlators, perl-devel, perl-generators, perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00
|
||||||
|
|
||||||
@ -209,6 +210,9 @@ cd python3 && make check && cd ..
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue May 25 2021 wangyue <wangyue92@huawei.com> - 1.3.17-4
|
||||||
|
- Fix CVE-2021-3504
|
||||||
|
|
||||||
* Wed Oct 21 2020 leiju <leiju4@163.com> - 1.3.17-3
|
* Wed Oct 21 2020 leiju <leiju4@163.com> - 1.3.17-3
|
||||||
- remove python2 subpackage
|
- remove python2 subpackage
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user