diff --git a/SOURCES/0001-Fix-Perl-directory-install-path.patch b/SOURCES/0001-Fix-Perl-directory-install-path.patch
index 5c9a9a0..2eda4cf 100644
--- a/SOURCES/0001-Fix-Perl-directory-install-path.patch
+++ b/SOURCES/0001-Fix-Perl-directory-install-path.patch
@@ -1,7 +1,7 @@
 From 1c6bd6e0085204425d7c687f2566cb9b13231e6e Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Fri, 17 Feb 2017 15:58:04 +0000
-Subject: [PATCH 01/15] Fix Perl directory install path.
+Subject: [PATCH 01/16] Fix Perl directory install path.
 ---
 perl/Makefile.am | 2 +-
diff --git a/SOURCES/0002-value-Set-errno-0-on-non-error-path-in-hivex_value_d.patch b/SOURCES/0002-value-Set-errno-0-on-non-error-path-in-hivex_value_d.patch
index 36bcd17..3063c43 100644
--- a/SOURCES/0002-value-Set-errno-0-on-non-error-path-in-hivex_value_d.patch
+++ b/SOURCES/0002-value-Set-errno-0-on-non-error-path-in-hivex_value_d.patch
@@ -1,7 +1,7 @@
 From 6a4dac0da1f318a1114363b274fcee76e73fcccf Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Mon, 22 Sep 2014 15:08:44 +0100
-Subject: [PATCH 02/15] value: Set errno = 0 on non-error path in
+Subject: [PATCH 02/16] value: Set errno = 0 on non-error path in
 hivex_value_data_cell_offset (RHBZ#1145056).
 hivex_value_data_cell_offset may return 0 to indicate that the data is
diff --git a/SOURCES/0003-hivexml-Tidy-up-error-handling-and-printing.patch b/SOURCES/0003-hivexml-Tidy-up-error-handling-and-printing.patch
index f05c661..c05fb3f 100644
--- a/SOURCES/0003-hivexml-Tidy-up-error-handling-and-printing.patch
+++ b/SOURCES/0003-hivexml-Tidy-up-error-handling-and-printing.patch
@@ -1,7 +1,7 @@
 From 2cffe999c938a0bc67c3c6162ea4fc896af2dd22 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Mon, 22 Sep 2014 15:10:36 +0100
-Subject: [PATCH 03/15] hivexml: Tidy up error handling and printing.
+Subject: [PATCH 03/16] hivexml: Tidy up error handling and printing.
 (cherry picked from commit 914d9b9a91babf0227989bc7ea00cf5e41ed7da4)
 ---
diff --git a/SOURCES/0004-lib-Don-t-leak-errno-from-_hivex_recode-function.patch b/SOURCES/0004-lib-Don-t-leak-errno-from-_hivex_recode-function.patch
index 64b8633..63e53ba 100644
--- a/SOURCES/0004-lib-Don-t-leak-errno-from-_hivex_recode-function.patch
+++ b/SOURCES/0004-lib-Don-t-leak-errno-from-_hivex_recode-function.patch
@@ -1,7 +1,7 @@
 From 1d90ea86a0ac6c5863597880b33a18755aff819c Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Thu, 20 Nov 2014 21:37:19 +0000
-Subject: [PATCH 04/15] lib: Don't leak errno from _hivex_recode function.
+Subject: [PATCH 04/16] lib: Don't leak errno from _hivex_recode function.
 If iconv returns E2BIG, that's an internal indication for us, and not an error. Don't leak the errno up to the user, as happened here:
diff --git a/SOURCES/0005-handle-Refuse-to-open-files-8192-bytes-in-size.patch b/SOURCES/0005-handle-Refuse-to-open-files-8192-bytes-in-size.patch
index 71d2b61..3e722c4 100644
--- a/SOURCES/0005-handle-Refuse-to-open-files-8192-bytes-in-size.patch
+++ b/SOURCES/0005-handle-Refuse-to-open-files-8192-bytes-in-size.patch
@@ -1,7 +1,7 @@
 From ebcb61e3d88d99b929b4d8ccaad837a871c102d8 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Thu, 30 Oct 2014 13:50:39 +0000
-Subject: [PATCH 05/15] handle: Refuse to open files < 8192 bytes in size.
+Subject: [PATCH 05/16] handle: Refuse to open files < 8192 bytes in size.
 These cannot be valid hives, since they don't contain a full header page and at least a single page of data (in other words they couldn't
diff --git a/SOURCES/0006-handle-Check-that-pages-do-not-extend-beyond-the-end.patch b/SOURCES/0006-handle-Check-that-pages-do-not-extend-beyond-the-end.patch
index 0f7b7a6..7b63746 100644
--- a/SOURCES/0006-handle-Check-that-pages-do-not-extend-beyond-the-end.patch
+++ b/SOURCES/0006-handle-Check-that-pages-do-not-extend-beyond-the-end.patch
@@ -1,7 +1,7 @@
 From 5c718aab579d693ea3169ab4d29b5c3bc9105aa1 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Thu, 30 Oct 2014 14:02:25 +0000
-Subject: [PATCH 06/15] handle: Check that pages do not extend beyond the end
+Subject: [PATCH 06/16] handle: Check that pages do not extend beyond the end
 of the file.
 Thanks: Mahmoud Al-Qudsi
diff --git a/SOURCES/0007-generator-Fix-a-spelling-mistake-in-the-documentatio.patch b/SOURCES/0007-generator-Fix-a-spelling-mistake-in-the-documentatio.patch
index 7ee1c7d..7e38460 100644
--- a/SOURCES/0007-generator-Fix-a-spelling-mistake-in-the-documentatio.patch
+++ b/SOURCES/0007-generator-Fix-a-spelling-mistake-in-the-documentatio.patch
@@ -1,7 +1,7 @@
 From 026a1a2e01795defcfe5b638347671e09fcec2b6 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Tue, 20 May 2014 10:48:40 +0100
-Subject: [PATCH 07/15] generator: Fix a spelling mistake in the documentation
+Subject: [PATCH 07/16] generator: Fix a spelling mistake in the documentation
 (RHBZ#1099286).
 (cherry picked from commit cea8dbf029029a725768caa14ddc876f56bfd878)
diff --git a/SOURCES/0008-add-HIVEX_OPEN_UNSAFE-flag.patch b/SOURCES/0008-add-HIVEX_OPEN_UNSAFE-flag.patch
index 164ca2b..5e7ef74 100644
--- a/SOURCES/0008-add-HIVEX_OPEN_UNSAFE-flag.patch
+++ b/SOURCES/0008-add-HIVEX_OPEN_UNSAFE-flag.patch
@@ -1,7 +1,7 @@
 From 691f5532ab4138093cdd8c661aba7519b0b1e2ad Mon Sep 17 00:00:00 2001
 From: Dawid Zamirski
 Date: Thu, 16 Feb 2017 18:17:22 -0500
-Subject: [PATCH 08/15] add HIVEX_OPEN_UNSAFE flag.
+Subject: [PATCH 08/16] add HIVEX_OPEN_UNSAFE flag.
 This flag will be used to control behavior of libhivex API functions so that they tolerate corruption in hives by either using heuristic
diff --git a/SOURCES/0009-lib-change-how-hbin-sections-are-read.patch b/SOURCES/0009-lib-change-how-hbin-sections-are-read.patch
index 7abc166..c921619 100644
--- a/SOURCES/0009-lib-change-how-hbin-sections-are-read.patch
+++ b/SOURCES/0009-lib-change-how-hbin-sections-are-read.patch
@@ -1,7 +1,7 @@
 From f80b9b31f99ccdc06887c23dab46a37fc4f4ce74 Mon Sep 17 00:00:00 2001
 From: Dawid Zamirski
 Date: Thu, 16 Feb 2017 18:17:23 -0500
-Subject: [PATCH 09/15] lib: change how hbin sections are read.
+Subject: [PATCH 09/16] lib: change how hbin sections are read.
 Only when HIVEX_OPEN_UNSAFE flag is set:
diff --git a/SOURCES/0010-lib-allow-to-walk-registry-with-corrupted-blocks.patch b/SOURCES/0010-lib-allow-to-walk-registry-with-corrupted-blocks.patch
index 01ba628..8c92eb1 100644
--- a/SOURCES/0010-lib-allow-to-walk-registry-with-corrupted-blocks.patch
+++ b/SOURCES/0010-lib-allow-to-walk-registry-with-corrupted-blocks.patch
@@ -1,7 +1,7 @@
 From 8e187357f466c31a9e75ac4924b32bbf4823e73f Mon Sep 17 00:00:00 2001
 From: Dawid Zamirski
 Date: Thu, 16 Feb 2017 18:17:24 -0500
-Subject: [PATCH 10/15] lib: allow to walk registry with corrupted blocks
+Subject: [PATCH 10/16] lib: allow to walk registry with corrupted blocks
 Only when HIVEX_OPEN_UNSAFE flag is set.
diff --git a/SOURCES/0011-hivexsh-add-u-flag-for-HIVEX_OPEN_UNSAFE.patch b/SOURCES/0011-hivexsh-add-u-flag-for-HIVEX_OPEN_UNSAFE.patch
index ec0e10a..8217616 100644
--- a/SOURCES/0011-hivexsh-add-u-flag-for-HIVEX_OPEN_UNSAFE.patch
+++ b/SOURCES/0011-hivexsh-add-u-flag-for-HIVEX_OPEN_UNSAFE.patch
@@ -1,7 +1,7 @@
 From d4f5c255832391ba6132959d1ded57ce9286e7d6 Mon Sep 17 00:00:00 2001
 From: Dawid Zamirski
 Date: Thu, 16 Feb 2017 18:17:25 -0500
-Subject: [PATCH 11/15] hivexsh: add -u flag for HIVEX_OPEN_UNSAFE.
+Subject: [PATCH 11/16] hivexsh: add -u flag for HIVEX_OPEN_UNSAFE.
 and pass it to hivex_open. Additionally make hivex_value_value failures non-critical in this mode when iterating through node children/values.
diff --git a/SOURCES/0012-hivexregedit-allow-to-pass-HIVEX_OPEN_UNSAFE.patch b/SOURCES/0012-hivexregedit-allow-to-pass-HIVEX_OPEN_UNSAFE.patch
index 0e3a9c2..97a6f5a 100644
--- a/SOURCES/0012-hivexregedit-allow-to-pass-HIVEX_OPEN_UNSAFE.patch
+++ b/SOURCES/0012-hivexregedit-allow-to-pass-HIVEX_OPEN_UNSAFE.patch
@@ -1,7 +1,7 @@
 From 362d5cd9b6527e4f9d3a3729afbe7cd90486c39d Mon Sep 17 00:00:00 2001
 From: Dawid Zamirski
 Date: Thu, 16 Feb 2017 18:17:26 -0500
-Subject: [PATCH 12/15] hivexregedit: allow to pass HIVEX_OPEN_UNSAFE
+Subject: [PATCH 12/16] hivexregedit: allow to pass HIVEX_OPEN_UNSAFE
 via new --unsafe flag. Also make --export catpure, log and skip over errors when reading subkeys/values so that export in unsafe mode does
diff --git a/SOURCES/0013-lib-Increase-HIVEX_MAX_SUBKEYS-to-25000.patch b/SOURCES/0013-lib-Increase-HIVEX_MAX_SUBKEYS-to-25000.patch
index eb21439..92723a0 100644
--- a/SOURCES/0013-lib-Increase-HIVEX_MAX_SUBKEYS-to-25000.patch
+++ b/SOURCES/0013-lib-Increase-HIVEX_MAX_SUBKEYS-to-25000.patch
@@ -1,7 +1,7 @@
 From 87410a2cdcfe6e3bf8822cd803c251a0de2156cd Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Thu, 20 Nov 2014 20:47:50 +0000
-Subject: [PATCH 13/15] lib: Increase HIVEX_MAX_SUBKEYS to 25000.
+Subject: [PATCH 13/16] lib: Increase HIVEX_MAX_SUBKEYS to 25000.
 Thanks Nicolas Ecarnot who found a HKLM\SOFTWARE hive from a Windows XP machine which had an nk containing 18254 subkeys ( > current limit
diff --git a/SOURCES/0014-Increase-HIVEX_MAX_SUBKEYS-and-HIVEX_MAX_VALUES.patch b/SOURCES/0014-Increase-HIVEX_MAX_SUBKEYS-and-HIVEX_MAX_VALUES.patch
index b630322..7edb0b6 100644
--- a/SOURCES/0014-Increase-HIVEX_MAX_SUBKEYS-and-HIVEX_MAX_VALUES.patch
+++ b/SOURCES/0014-Increase-HIVEX_MAX_SUBKEYS-and-HIVEX_MAX_VALUES.patch
@@ -1,7 +1,7 @@
 From d5ae3045970a815d2bdac768d6924b31f3b8b4ca Mon Sep 17 00:00:00 2001
 From: Matt Coleman
 Date: Sat, 3 Dec 2016 15:25:43 -0500
-Subject: [PATCH 14/15] Increase HIVEX_MAX_SUBKEYS and HIVEX_MAX_VALUES
+Subject: [PATCH 14/16] Increase HIVEX_MAX_SUBKEYS and HIVEX_MAX_VALUES
 This increases the defined limits based on counts observed in the Microsoft\Windows NT\CurrentVersion subkey of the software hive.
diff --git a/SOURCES/0015-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch b/SOURCES/0015-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
index a9bb8fc..2b4aa64 100644
--- a/SOURCES/0015-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
+++ b/SOURCES/0015-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
@@ -1,7 +1,7 @@
 From 690e51511c532194fcff6450fe4e272a58920ba4 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones"
 Date: Thu, 15 Apr 2021 15:50:13 +0100
-Subject: [PATCH 15/15] lib/handle.c: Bounds check for block exceeding page
+Subject: [PATCH 15/16] lib/handle.c: Bounds check for block exceeding page
 length (CVE-2021-3504)
 Hives are encoded as fixed-sized pages containing smaller variable-
diff --git a/SOURCES/0016-lib-node.c-Limit-recursion-in-ri-records-CVE-2021-36.patch b/SOURCES/0016-lib-node.c-Limit-recursion-in-ri-records-CVE-2021-36.patch
new file mode 100644
index 0000000..57c6226
--- /dev/null
+++ b/SOURCES/0016-lib-node.c-Limit-recursion-in-ri-records-CVE-2021-36.patch
@@ -0,0 +1,97 @@
+From a71071230eb0726a9c9211048dc27b12613058a2 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Thu, 8 Jul 2021 19:00:45 +0100
+Subject: [PATCH 16/16] lib/node.c: Limit recursion in ri-records
+ (CVE-2021-3622)
+
+Windows Registry hive "ri"-records are arbitrarily nested B-tree-like
+structures:
+
+ +-------------+
+ | ri |
+ |-------------|
+ | nr_offsets |
+ | offset[0] ------> points to another lf/lh/li/ri block
+ | offset[1] ------>
+ | offset[2] ------>
+ +-------------+
+
+It is possible to construct a hive with a very deeply nested tree of
+ri-records, causing the internal _get_children function to recurse to
+any depth which can cause programs linked to hivex to crash with a
+stack overflow.
+
+Since it is not thought that deeply nested ri-records occur in real
+hives, limit recursion depth. If you hit this limit you will see the
+following error and the operation will return an error instead of
+crashing:
+
+ \> ls
+ hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32
+ ls: Invalid argument
+
+Thanks to Jeremy Galindo for finding and reporting this bug.
+
+Reported-by: Jeremy Galindo, Sr Security Engineer, Datto.com
+Signed-off-by: Richard W.M. Jones
+Fixes: CVE-2021-3622
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975489
+(cherry picked from commit 781a12c4a49dd81365c9c567c5aa5e19e894ba0e)
+(cherry picked from commit 771728218dac2fbf6997a7e53225e75a4c6b7255)
+---
+ lib/node.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/lib/node.c b/lib/node.c
+index a90c964..c13b894 100644
+--- a/lib/node.c
++++ b/lib/node.c
+@@ -203,7 +203,7 @@ hivex_node_classname (hive_h *h, hive_node_h node)
+ 
+ static int _get_children (hive_h *h, hive_node_h blkoff,
+ offset_list *children, offset_list *blocks,
+- int flags);
++ int flags, unsigned depth);
+ static int check_child_is_nk_block (hive_h *h, hive_node_h child, int flags);
+ 
+ /* Iterate over children (ie.
subkeys of a node), returning child
+@@ -335,7 +335,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
+ goto error;
+ }
+ 
+- if (_get_children (h, subkey_lf, &children, &blocks, flags) == -1)
++ if (_get_children (h, subkey_lf, &children, &blocks, flags, 0) == -1)
+ goto error;
+ 
+ /* Check the number of children we ended up reading matches
+@@ -383,7 +383,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
+ static int
+ _get_children (hive_h *h, hive_node_h blkoff,
+ offset_list *children, offset_list *blocks,
+- int flags)
++ int flags, unsigned depth)
+ {
+ /* Add this intermediate block. */
+ if (_hivex_add_to_offset_list (blocks, blkoff) == -1)
+@@ -486,7 +486,17 @@ _get_children (hive_h *h, hive_node_h blkoff,
+ }
+ }
+ 
+- if (_get_children (h, offset, children, blocks, flags) == -1)
++ /* Although in theory hive ri records might be nested to any
++ * depth, in practice this is unlikely. Recursing here caused
++ * CVE-2021-3622. Thus limit the depth we will recurse to
++ * something small.
++ */
++ if (depth >= 32) {
++ SET_ERRNO (EINVAL, "ri-record nested to depth >= %u", depth);
++ return -1;
++ }
++
++ if (_get_children (h, offset, children, blocks, flags, depth+1) == -1)
+ return -1;
+ }
+ }
+--
+1.8.3.1
+
diff --git a/SPECS/hivex.spec b/SPECS/hivex.spec
index eeac7e9..6e5cf25 100644
--- a/SPECS/hivex.spec
+++ b/SPECS/hivex.spec
@@ -7,7 +7,7 @@
 Name: hivex
 Version: 1.3.10
-Release: 6.11%{?dist}
+Release: 6.12%{?dist}
 Summary: Read and write Windows Registry binary hive files
 License: LGPLv2
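Review bot: In the nested `@@ -486,7 +486,17 @@` hunk the new depth guard hard-codes the bound as the bare literal `32`, so the limit is documented only by the comment above the `if` and by the wording of the `SET_ERRNO` message; a named constant defined alongside the file's other limits such as HIVEX_MAX_SUBKEYS and HIVEX_MAX_VALUES (wherever those live), e.g. `if (depth >= HIVEX_MAX_RI_DEPTH) {` backed by `#define HIVEX_MAX_RI_DEPTH 32`, would make the cap discoverable and tunable in one place. Since this .patch is a cherry-pick of upstream 781a12c4a49dd81365c9c567c5aa5e19e894ba0e, I would carry the hunk byte-identical here and raise the rename upstream rather than add a downstream delta. Note also that the guard sits inside the per-offset loop, after `_hivex_add_to_offset_list (blocks, blkoff)` at the top of `_get_children` has already recorded the current block; that is harmless, but a check at function entry would bound every recursive entry in one obvious spot. The body of `_get_children` extends outside the hunk.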
@@ -48,6 +48,9 @@ Patch0014: 0014-Increase-HIVEX_MAX_SUBKEYS-and-HIVEX_MAX_VALUES.patch
 # Bounds check for block exceeding page length (CVE-2021-3504).
 Patch0015: 0015-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
+# Limit recursion in ri-records (CVE-2021-3622).
+Patch0016: 0016-lib-node.c-Limit-recursion-in-ri-records-CVE-2021-36.patch
+
 # Patch generated code (because we can't assume we have OCaml on all
 # arches). To construct this you need to do 'make prep', run the
 # generator by hand, and diff before and after.
@@ -303,6 +306,10 @@ rm $RPM_BUILD_ROOT%{python_sitearch}/libhivexmod.la
 %changelog
+* Mon Aug 2 2021 Richard W.M. Jones - 1.3.10-6.12
+- Limit recursion in ri-records (CVE-2021-3622)
+ resolves: rhbz#1976193
+
 * Fri Apr 16 2021 Richard W.M. Jones - 1.3.10-6.11
 - Bounds check for block exceeding page length (CVE-2021-3504)
 resolves: rhbz#1950500
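Review bot: The `@@ -48,6 +48,9 @@` hunk declares `Patch0016:` but nothing in this diff touches `%prep`, so if the spec applies patches with explicit `%patch00NN -p1` lines rather than `%autosetup` or a loop — not visible here — the CVE-2021-3622 fix would be listed yet never applied, and the build would still succeed silently. Worth confirming that `%prep` applies patch 16 (the build log should show it being applied) before tagging 1.3.10-6.12. Keeping the `Patch0016:` declaration and its `%prep` application in the same commit avoids the two drifting apart.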