From 19acb08d7f1d9757ecb3bef9e7e0c46a86e6f155 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Fri, 24 Sep 2021 09:50:37 +0800
Subject: [PATCH] fix CVE-2021-3622

---
 CVE-2021-3622.patch | 92 +++++++++++++++++++++++++++++++++++++++++++++
 hivex.spec | 6 ++-
 2 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-3622.patch

diff --git a/CVE-2021-3622.patch b/CVE-2021-3622.patch
new file mode 100644
index 0000000..dd3c553
--- /dev/null
+++ b/CVE-2021-3622.patch
@@ -0,0 +1,92 @@
+From 771728218dac2fbf6997a7e53225e75a4c6b7255 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Thu, 8 Jul 2021 19:00:45 +0100
+Subject: [PATCH] lib/node.c: Limit recursion in ri-records (CVE-2021-3622)
+
+Windows Registry hive "ri"-records are arbitrarily nested B-tree-like
+structures:
+
+ +-------------+
+ | ri |
+ |-------------|
+ | nr_offsets |
+ | offset[0] ------> points to another lf/lh/li/ri block
+ | offset[1] ------>
+ | offset[2] ------>
+ +-------------+
+
+It is possible to construct a hive with a very deeply nested tree of
+ri-records, causing the internal _get_children function to recurse to
+any depth which can cause programs linked to hivex to crash with a
+stack overflow.
+
+Since it is not thought that deeply nested ri-records occur in real
+hives, limit recursion depth. If you hit this limit you will see the
+following error and the operation will return an error instead of
+crashing:
+
+ \> ls
+ hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32
+ ls: Invalid argument
+
+Thanks to Jeremy Galindo for finding and reporting this bug.
+
+Reported-by: Jeremy Galindo, Sr Security Engineer, Datto.com
+Signed-off-by: Richard W.M. Jones
+Fixes: CVE-2021-3622
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975489
+(cherry picked from commit 781a12c4a49dd81365c9c567c5aa5e19e894ba0e)
+---
+ lib/node.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/lib/node.c b/lib/node.c
+index 7b002a4..eb7fe93 100644
+--- a/lib/node.c
++++ b/lib/node.c
+@@ -203,7 +203,7 @@ hivex_node_classname (hive_h *h, hive_node_h node)
+ 
+ static int _get_children (hive_h *h, hive_node_h blkoff,
+ offset_list *children, offset_list *blocks,
+- int flags);
++ int flags, unsigned depth);
+ static int check_child_is_nk_block (hive_h *h, hive_node_h child, int flags);
+ 
+ /* Iterate over children (ie.
subkeys of a node), returning child
+@@ -335,7 +335,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
+ goto error;
+ }
+ 
+- if (_get_children (h, subkey_lf, &children, &blocks, flags) == -1)
++ if (_get_children (h, subkey_lf, &children, &blocks, flags, 0) == -1)
+ goto error;
+ 
+ /* Check the number of children we ended up reading matches
+@@ -383,7 +383,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
+ static int
+ _get_children (hive_h *h, hive_node_h blkoff,
+ offset_list *children, offset_list *blocks,
+- int flags)
++ int flags, unsigned depth)
+ {
+ /* Add this intermediate block. */
+ if (_hivex_add_to_offset_list (blocks, blkoff) == -1)
+@@ -486,7 +486,17 @@ _get_children (hive_h *h, hive_node_h blkoff,
+ }
+ }
+ 
+- if (_get_children (h, offset, children, blocks, flags) == -1)
++ /* Although in theory hive ri records might be nested to any
++ * depth, in practice this is unlikely. Recursing here caused
++ * CVE-2021-3622. Thus limit the depth we will recurse to
++ * something small.
++ */
++ if (depth >= 32) {
++ SET_ERRNO (EINVAL, "ri-record nested to depth >= %u", depth);
++ return -1;
++ }
++
++ if (_get_children (h, offset, children, blocks, flags, depth+1) == -1)
+ return -1;
+ }
+ }
diff --git a/hivex.spec b/hivex.spec
index 7990145..01e1b84 100644
--- a/hivex.spec
+++ b/hivex.spec
@@ -6,7 +6,7 @@ Name: hivex
 Version: 1.3.17
-Release: 4
+Release: 5
 Summary: Windows Registry "hive" extraction library
 License: LGPLv2
 URL: http://libguestfs.org/
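Review bot: The new `if (depth >= 32)` guard in the ri-record branch of `_get_children` bounds recursion depth but not total work or memory: every visit still appends to `blocks` via `_hivex_add_to_offset_list` at the top of the function (and presumably to `children` in the lf/lh/li branches, which lie outside this hunk), so unless the function already rejects an offset that is present in `blocks` — not visible here — a crafted hive whose ri records all point at the same few child blocks can be traversed an exponential number of times while staying under the limit, turning the stack-overflow crash into an unbounded-allocation one; a revisit check against `blocks` is worth confirming alongside this fix. The bare literal `32` in the comparison also deserves a name so the limit is documented in one place, e.g. `enum { HIVEX_MAX_RI_DEPTH = 32 };` near the top of lib/node.c and `if (depth >= HIVEX_MAX_RI_DEPTH) {`, with the `%u` in the `SET_ERRNO` message continuing to print the value that was hit. Declaring `depth` as `unsigned` matches the `%u` format, and the only entry point visible passes `0` from `_hivex_get_children`. The body of `_get_children` (its lf/lh/li branches and the head of the ri loop) starts and ends outside the hunk.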
@@ -14,6 +14,7 @@ Source0: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz
 Source1: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz.sig
 Source2: libguestfs.keyring
 Patch0: CVE-2021-3504.patch
+Patch1: CVE-2021-3622.patch
 BuildRequires: perl-interpreter, perl, perl-podlators, perl-devel, perl-generators, perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00
@@ -210,6 +211,9 @@ cd python3 && make check && cd ..
 %changelog
+* Fri Sep 24 2021 yaoxin - 1.3.17-5
+- Fix CVE-2021-3622
+
 * Tue May 25 2021 wangyue - 1.3.17-4
 - Fix CVE-2021-3504