mrc0mmand / rpms / hivex
Forked from rpms/hivex 3 years ago
7483d8
import hivex-1.3.18-21.module+el8.5.0+10709+b3edb581
Authored and Committed by 
centosrcm
3 years ago
SOURCES/0001-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
ADDED
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
From 61f4928dcc31b91aaf3bcbcf2898f8f09586a213 Mon Sep 17 00:00:00 2001
|
|
2
|
+
From: "Richard W.M. Jones" <rjones@redhat.com>
|
|
3
|
+
Date: Thu, 15 Apr 2021 15:50:13 +0100
|
|
4
|
+
Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length
|
|
5
|
+
(CVE-2021-3504)
|
|
6
|
+
|
|
7
|
+
Hives are encoded as fixed-sized pages containing smaller variable-
|
|
8
|
+
length blocks:
|
|
9
|
+
|
|
10
|
+
+-------------------+-------------------+-------------------+--
|
|
11
|
+
| header |[ blk ][blk][ blk ]|[blk][blk][blk] |
|
|
12
|
+
+-------------------+-------------------+-------------------+--
|
|
13
|
+
|
|
14
|
+
Blocks should not straddle a page boundary. However because blocks
|
|
15
|
+
contain a 32 bit length field it is possible to construct an invalid
|
|
16
|
+
hive where the last block in a page overlaps either the next page or
|
|
17
|
+
the end of the file:
|
|
18
|
+
|
|
19
|
+
+-------------------+-------------------+
|
|
20
|
+
| header |[ blk ][blk][ blk ..... ]
|
|
21
|
+
+-------------------+-------------------+
|
|
22
|
+
|
|
23
|
+
Hivex lacked a bounds check and would process the registry. Because
|
|
24
|
+
the rest of the code assumes this situation can never happen it was
|
|
25
|
+
possible to have a block containing some field (eg. a registry key
|
|
26
|
+
name) which would extend beyond the end of the file. Hivex mmaps or
|
|
27
|
+
mallocs the file, causing hivex to read memory beyond the end of the
|
|
28
|
+
mapped region, resulting in reading other memory structures or a
|
|
29
|
+
crash. (Writing beyond the end of the mapped region seems to be
|
|
30
|
+
impossible because we always allocate a new page before writing.)
|
|
31
|
+
|
|
32
|
+
This commit adds a check which rejects the malformed registry on
|
|
33
|
+
hivex_open.
|
|
34
|
+
|
|
35
|
+
Credit: Jeremy Galindo, Sr Security Engineer, Datto.com
|
|
36
|
+
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
|
|
37
|
+
Fixes: CVE-2021-3504
|
|
38
|
+
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687
|
|
39
|
+
---
|
|
40
|
+
lib/handle.c | 12 ++++++++++--
|
|
41
|
+
1 file changed, 10 insertions(+), 2 deletions(-)
|
|
42
|
+
|
|
43
|
+
diff --git a/lib/handle.c b/lib/handle.c
|
|
44
|
+
index 88b1563f..2e4231a5 100644
|
|
45
|
+
--- a/lib/handle.c
|
|
46
|
+
+++ b/lib/handle.c
|
|
47
|
+
@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags)
|
|
48
|
+
#pragma GCC diagnostic pop
|
|
49
|
+
if (is_root || !h->unsafe) {
|
|
50
|
+
SET_ERRNO (ENOTSUP,
|
|
51
|
+
- "%s, the block at 0x%zx has invalid size %" PRIu32
|
|
52
|
+
- ", bad registry",
|
|
53
|
+
+ "%s, the block at 0x%zx size %" PRIu32
|
|
54
|
+
+ " <= 4 or not a multiple of 4, bad registry",
|
|
55
|
+
filename, blkoff, le32toh (block->seg_len));
|
|
56
|
+
goto error;
|
|
57
|
+
} else {
|
|
58
|
+
@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags)
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
+ if (blkoff + seg_len > off + page_size) {
|
|
63
|
+
+ SET_ERRNO (ENOTSUP,
|
|
64
|
+
+ "%s, the block at 0x%zx size %" PRIu32
|
|
65
|
+
+ " extends beyond the current page, bad registry",
|
|
66
|
+
+ filename, blkoff, le32toh (block->seg_len));
|
|
67
|
+
+ goto error;
|
|
68
|
+
+ }
|
|
69
|
+
+
|
|
70
|
+
if (h->msglvl >= 2) {
|
|
71
|
+
unsigned char *id = (unsigned char *) block->id;
|
|
72
|
+
int id0 = id[0], id1 = id[1];
|
|
73
|
+
--
|
|
74
|
+
2.29.2
|
|
75
|
+
|
SPECS/hivex.spec
CHANGED
|
@@ -10,7 +10,7 @@
|
|
|
10
10
|
|
|
11
11
|
Name: hivex
|
|
12
12
|
Version: 1.3.18
|
|
13
|
-
Release:
|
|
13
|
+
Release: 21%{?dist}
|
|
14
14
|
Summary: Read and write Windows Registry binary hive files
|
|
15
15
|
|
|
16
16
|
License: LGPLv2
|
|
@@ -30,6 +30,9 @@ Source2: libguestfs.keyring
|
|
|
30
30
|
Patch0001: 0001-Win-Hivex-Regedit-Accept-CRLF-line-endings.patch
|
|
31
31
|
Patch0002: 0002-Win-Hivex-Regedit-Ignore-comments.patch
|
|
32
32
|
|
|
33
|
+
# Bounds check for block exceeding page length (CVE-2021-3504).
|
|
34
|
+
Patch0003: 0001-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
|
|
35
|
+
|
|
33
36
|
BuildRequires: perl-interpreter
|
|
34
37
|
BuildRequires: perl-devel
|
|
35
38
|
BuildRequires: perl-generators
|
|
@@ -274,6 +277,10 @@ fi
|
|
|
274
277
|
|
|
275
278
|
|
|
276
279
|
%changelog
|
|
280
|
+
* Sat Apr 17 2021 Richard W.M. Jones <rjones@redhat.com> - 1.3.18-21
|
|
281
|
+
- Bounds check for block exceeding page length (CVE-2021-3504)
|
|
282
|
+
resolves: rhbz#1950501
|
|
283
|
+
|
|
277
284
|
* Mon Apr 27 2020 Danilo C. L. de Paula <ddepaula@redhat.com> - 1.3.18
|
|
278
285
|
- Resolves: bz#1810193
|
|
279
286
|
(Upgrade components in virt:rhel module:stream for RHEL-8.3 release)
|