packages/hivex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2021-3504

Browse Source
This commit is contained in:
wang_yue111 2021-05-25 14:43:49 +08:00
parent c1700b8dcf
commit 4d3f4c6332
2 changed files with 77 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
CVE-2021-3504.patch Normal file
View File

@ -0,0 +1,72 @@
From 8f1935733b10d974a1a4176d38dd151ed98cf381 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 15 Apr 2021 15:50:13 +0100
Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length
(CVE-2021-3504)
Hives are encoded as fixed-sized pages containing smaller variable-
length blocks:
+-------------------+-------------------+-------------------+--
| header |[ blk ][blk][ blk ]|[blk][blk][blk] |
+-------------------+-------------------+-------------------+--
Blocks should not straddle a page boundary. However because blocks
contain a 32 bit length field it is possible to construct an invalid
hive where the last block in a page overlaps either the next page or
the end of the file:
+-------------------+-------------------+
| header |[ blk ][blk][ blk ..... ]
+-------------------+-------------------+
Hivex lacked a bounds check and would process the registry. Because
the rest of the code assumes this situation can never happen it was
possible to have a block containing some field (eg. a registry key
name) which would extend beyond the end of the file. Hivex mmaps or
mallocs the file, causing hivex to read memory beyond the end of the
mapped region, resulting in reading other memory structures or a
crash. (Writing beyond the end of the mapped region seems to be
impossible because we always allocate a new page before writing.)
This commit adds a check which rejects the malformed registry on
hivex_open.
Credit: Jeremy Galindo, Sr Security Engineer, Datto.com
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Fixes: CVE-2021-3504
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687
---
lib/handle.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/lib/handle.c b/lib/handle.c
index 88b1563..2e4231a 100644
--- a/lib/handle.c
+++ b/lib/handle.c
@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags)
#pragma GCC diagnostic pop
if (is_root || !h->unsafe) {
SET_ERRNO (ENOTSUP,
- "%s, the block at 0x%zx has invalid size %" PRIu32
- ", bad registry",
+ "%s, the block at 0x%zx size %" PRIu32
+ " <= 4 or not a multiple of 4, bad registry",
filename, blkoff, le32toh (block->seg_len));
goto error;
} else {
@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags)
}
}
+ if (blkoff + seg_len > off + page_size) {
+ SET_ERRNO (ENOTSUP,
+ "%s, the block at 0x%zx size %" PRIu32
+ " extends beyond the current page, bad registry",
+ filename, blkoff, le32toh (block->seg_len));
+ goto error;
+ }
+
if (h->msglvl >= 2) {
unsigned char *id = (unsigned char *) block->id;
int id0 = id[0], id1 = id[1];

6
hivex.spec
View File

@ -6,13 +6,14 @@
Name: hivex
Version: 1.3.17
Release: 3
Release: 4
Summary: Windows Registry "hive" extraction library
License: LGPLv2
URL: http://libguestfs.org/
Source0: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz
Source1: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz.sig
Source2: libguestfs.keyring
Patch0: CVE-2021-3504.patch
BuildRequires: perl-interpreter, perl, perl-podlators, perl-devel, perl-generators, perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00
@ -209,6 +210,9 @@ cd python3 && make check && cd ..
%changelog
* Tue May 25 2021 wangyue <wangyue92@huawei.com> - 1.3.17-4
- Fix CVE-2021-3504
* Wed Oct 21 2020 leiju <leiju4@163.com> - 1.3.17-3
- remove python2 subpackage