diff --git a/CVE-2021-3504.patch b/CVE-2021-3504.patch new file mode 100644 index 0000000..e652399 --- /dev/null +++ b/CVE-2021-3504.patch @@ -0,0 +1,72 @@ +From 8f1935733b10d974a1a4176d38dd151ed98cf381 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Thu, 15 Apr 2021 15:50:13 +0100 +Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length + (CVE-2021-3504) + +Hives are encoded as fixed-sized pages containing smaller variable- +length blocks: + + +-------------------+-------------------+-------------------+-- + | header |[ blk ][blk][ blk ]|[blk][blk][blk] | + +-------------------+-------------------+-------------------+-- + +Blocks should not straddle a page boundary. However because blocks +contain a 32 bit length field it is possible to construct an invalid +hive where the last block in a page overlaps either the next page or +the end of the file: + + +-------------------+-------------------+ + | header |[ blk ][blk][ blk ..... ] + +-------------------+-------------------+ + +Hivex lacked a bounds check and would process the registry. Because +the rest of the code assumes this situation can never happen it was +possible to have a block containing some field (eg. a registry key +name) which would extend beyond the end of the file. Hivex mmaps or +mallocs the file, causing hivex to read memory beyond the end of the +mapped region, resulting in reading other memory structures or a +crash. (Writing beyond the end of the mapped region seems to be +impossible because we always allocate a new page before writing.) + +This commit adds a check which rejects the malformed registry on +hivex_open. + +Credit: Jeremy Galindo, Sr Security Engineer, Datto.com +Signed-off-by: Richard W.M. Jones +Fixes: CVE-2021-3504 +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687 +--- + lib/handle.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/lib/handle.c b/lib/handle.c +index 88b1563..2e4231a 100644 +--- a/lib/handle.c ++++ b/lib/handle.c +@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags) + #pragma GCC diagnostic pop + if (is_root || !h->unsafe) { + SET_ERRNO (ENOTSUP, +- "%s, the block at 0x%zx has invalid size %" PRIu32 +- ", bad registry", ++ "%s, the block at 0x%zx size %" PRIu32 ++ " <= 4 or not a multiple of 4, bad registry", + filename, blkoff, le32toh (block->seg_len)); + goto error; + } else { +@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags) + } + } + ++ if (blkoff + seg_len > off + page_size) { ++ SET_ERRNO (ENOTSUP, ++ "%s, the block at 0x%zx size %" PRIu32 ++ " extends beyond the current page, bad registry", ++ filename, blkoff, le32toh (block->seg_len)); ++ goto error; ++ } ++ + if (h->msglvl >= 2) { + unsigned char *id = (unsigned char *) block->id; + int id0 = id[0], id1 = id[1]; diff --git a/hivex.spec b/hivex.spec index 0421071..7990145 100644 --- a/hivex.spec +++ b/hivex.spec @@ -6,13 +6,14 @@ Name: hivex Version: 1.3.17 -Release: 3 +Release: 4 Summary: Windows Registry "hive" extraction library License: LGPLv2 URL: http://libguestfs.org/ Source0: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz Source1: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz.sig Source2: libguestfs.keyring +Patch0: CVE-2021-3504.patch BuildRequires: perl-interpreter, perl, perl-podlators, perl-devel, perl-generators, perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00 @@ -209,6 +210,9 @@ cd python3 && make check && cd .. %changelog +* Tue May 25 2021 wangyue - 1.3.17-4 +- Fix CVE-2021-3504 + * Wed Oct 21 2020 leiju - 1.3.17-3 - remove python2 subpackage