diff --git a/SOURCES/0001-Fix-Perl-directory-install-path.patch b/SOURCES/0001-Fix-Perl-directory-install-path.patch index 4a37735..5c9a9a0 100644 --- a/SOURCES/0001-Fix-Perl-directory-install-path.patch +++ b/SOURCES/0001-Fix-Perl-directory-install-path.patch @@ -1,7 +1,7 @@ From 1c6bd6e0085204425d7c687f2566cb9b13231e6e Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Fri, 17 Feb 2017 15:58:04 +0000 -Subject: [PATCH 01/14] Fix Perl directory install path. +Subject: [PATCH 01/15] Fix Perl directory install path. --- perl/Makefile.am | 2 +- diff --git a/SOURCES/0002-value-Set-errno-0-on-non-error-path-in-hivex_value_d.patch b/SOURCES/0002-value-Set-errno-0-on-non-error-path-in-hivex_value_d.patch index 3b2cda3..36bcd17 100644 --- a/SOURCES/0002-value-Set-errno-0-on-non-error-path-in-hivex_value_d.patch +++ b/SOURCES/0002-value-Set-errno-0-on-non-error-path-in-hivex_value_d.patch @@ -1,7 +1,7 @@ From 6a4dac0da1f318a1114363b274fcee76e73fcccf Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Mon, 22 Sep 2014 15:08:44 +0100 -Subject: [PATCH 02/14] value: Set errno = 0 on non-error path in +Subject: [PATCH 02/15] value: Set errno = 0 on non-error path in hivex_value_data_cell_offset (RHBZ#1145056). hivex_value_data_cell_offset may return 0 to indicate that the data is diff --git a/SOURCES/0003-hivexml-Tidy-up-error-handling-and-printing.patch b/SOURCES/0003-hivexml-Tidy-up-error-handling-and-printing.patch index f322e57..f05c661 100644 --- a/SOURCES/0003-hivexml-Tidy-up-error-handling-and-printing.patch +++ b/SOURCES/0003-hivexml-Tidy-up-error-handling-and-printing.patch @@ -1,7 +1,7 @@ From 2cffe999c938a0bc67c3c6162ea4fc896af2dd22 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Mon, 22 Sep 2014 15:10:36 +0100 -Subject: [PATCH 03/14] hivexml: Tidy up error handling and printing. +Subject: [PATCH 03/15] hivexml: Tidy up error handling and printing. (cherry picked from commit 914d9b9a91babf0227989bc7ea00cf5e41ed7da4) --- 
diff --git a/SOURCES/0004-lib-Don-t-leak-errno-from-_hivex_recode-function.patch b/SOURCES/0004-lib-Don-t-leak-errno-from-_hivex_recode-function.patch index 2335345..64b8633 100644 --- a/SOURCES/0004-lib-Don-t-leak-errno-from-_hivex_recode-function.patch +++ b/SOURCES/0004-lib-Don-t-leak-errno-from-_hivex_recode-function.patch @@ -1,7 +1,7 @@ From 1d90ea86a0ac6c5863597880b33a18755aff819c Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 20 Nov 2014 21:37:19 +0000 -Subject: [PATCH 04/14] lib: Don't leak errno from _hivex_recode function. +Subject: [PATCH 04/15] lib: Don't leak errno from _hivex_recode function. If iconv returns E2BIG, that's an internal indication for us, and not an error. Don't leak the errno up to the user, as happened here: diff --git a/SOURCES/0005-handle-Refuse-to-open-files-8192-bytes-in-size.patch b/SOURCES/0005-handle-Refuse-to-open-files-8192-bytes-in-size.patch index d9e0c91..71d2b61 100644 --- a/SOURCES/0005-handle-Refuse-to-open-files-8192-bytes-in-size.patch +++ b/SOURCES/0005-handle-Refuse-to-open-files-8192-bytes-in-size.patch @@ -1,7 +1,7 @@ From ebcb61e3d88d99b929b4d8ccaad837a871c102d8 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 30 Oct 2014 13:50:39 +0000 -Subject: [PATCH 05/14] handle: Refuse to open files < 8192 bytes in size. +Subject: [PATCH 05/15] handle: Refuse to open files < 8192 bytes in size. These cannot be valid hives, since they don't contain a full header page and at least a single page of data (in other words they couldn't diff --git a/SOURCES/0006-handle-Check-that-pages-do-not-extend-beyond-the-end.patch b/SOURCES/0006-handle-Check-that-pages-do-not-extend-beyond-the-end.patch index 5ebc579..0f7b7a6 100644 --- a/SOURCES/0006-handle-Check-that-pages-do-not-extend-beyond-the-end.patch +++ b/SOURCES/0006-handle-Check-that-pages-do-not-extend-beyond-the-end.patch @@ -1,7 +1,7 @@ From 5c718aab579d693ea3169ab4d29b5c3bc9105aa1 Mon Sep 17 00:00:00 2001 
From: "Richard W.M. Jones" Date: Thu, 30 Oct 2014 14:02:25 +0000 -Subject: [PATCH 06/14] handle: Check that pages do not extend beyond the end +Subject: [PATCH 06/15] handle: Check that pages do not extend beyond the end of the file. Thanks: Mahmoud Al-Qudsi diff --git a/SOURCES/0007-generator-Fix-a-spelling-mistake-in-the-documentatio.patch b/SOURCES/0007-generator-Fix-a-spelling-mistake-in-the-documentatio.patch index 49ace22..7ee1c7d 100644 --- a/SOURCES/0007-generator-Fix-a-spelling-mistake-in-the-documentatio.patch +++ b/SOURCES/0007-generator-Fix-a-spelling-mistake-in-the-documentatio.patch @@ -1,7 +1,7 @@ From 026a1a2e01795defcfe5b638347671e09fcec2b6 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Tue, 20 May 2014 10:48:40 +0100 -Subject: [PATCH 07/14] generator: Fix a spelling mistake in the documentation +Subject: [PATCH 07/15] generator: Fix a spelling mistake in the documentation (RHBZ#1099286). (cherry picked from commit cea8dbf029029a725768caa14ddc876f56bfd878) diff --git a/SOURCES/0008-add-HIVEX_OPEN_UNSAFE-flag.patch b/SOURCES/0008-add-HIVEX_OPEN_UNSAFE-flag.patch index 370604b..164ca2b 100644 --- a/SOURCES/0008-add-HIVEX_OPEN_UNSAFE-flag.patch +++ b/SOURCES/0008-add-HIVEX_OPEN_UNSAFE-flag.patch @@ -1,7 +1,7 @@ From 691f5532ab4138093cdd8c661aba7519b0b1e2ad Mon Sep 17 00:00:00 2001 From: Dawid Zamirski Date: Thu, 16 Feb 2017 18:17:22 -0500 -Subject: [PATCH 08/14] add HIVEX_OPEN_UNSAFE flag. +Subject: [PATCH 08/15] add HIVEX_OPEN_UNSAFE flag. This flag will be used to control behavior of libhivex API functions so that they tolerate corruption in hives by either using heuristic diff --git a/SOURCES/0009-lib-change-how-hbin-sections-are-read.patch b/SOURCES/0009-lib-change-how-hbin-sections-are-read.patch index c83e06c..7abc166 100644 --- a/SOURCES/0009-lib-change-how-hbin-sections-are-read.patch +++ b/SOURCES/0009-lib-change-how-hbin-sections-are-read.patch @@ -1,7 +1,7 @@ From f80b9b31f99ccdc06887c23dab46a37fc4f4ce74 Mon Sep 17 00:00:00 2001 
From: Dawid Zamirski Date: Thu, 16 Feb 2017 18:17:23 -0500 -Subject: [PATCH 09/14] lib: change how hbin sections are read. +Subject: [PATCH 09/15] lib: change how hbin sections are read. Only when HIVEX_OPEN_UNSAFE flag is set: diff --git a/SOURCES/0010-lib-allow-to-walk-registry-with-corrupted-blocks.patch b/SOURCES/0010-lib-allow-to-walk-registry-with-corrupted-blocks.patch index fa51e09..01ba628 100644 --- a/SOURCES/0010-lib-allow-to-walk-registry-with-corrupted-blocks.patch +++ b/SOURCES/0010-lib-allow-to-walk-registry-with-corrupted-blocks.patch @@ -1,7 +1,7 @@ From 8e187357f466c31a9e75ac4924b32bbf4823e73f Mon Sep 17 00:00:00 2001 From: Dawid Zamirski Date: Thu, 16 Feb 2017 18:17:24 -0500 -Subject: [PATCH 10/14] lib: allow to walk registry with corrupted blocks +Subject: [PATCH 10/15] lib: allow to walk registry with corrupted blocks Only when HIVEX_OPEN_UNSAFE flag is set. diff --git a/SOURCES/0011-hivexsh-add-u-flag-for-HIVEX_OPEN_UNSAFE.patch b/SOURCES/0011-hivexsh-add-u-flag-for-HIVEX_OPEN_UNSAFE.patch index 0e4c16c..ec0e10a 100644 --- a/SOURCES/0011-hivexsh-add-u-flag-for-HIVEX_OPEN_UNSAFE.patch +++ b/SOURCES/0011-hivexsh-add-u-flag-for-HIVEX_OPEN_UNSAFE.patch @@ -1,7 +1,7 @@ From d4f5c255832391ba6132959d1ded57ce9286e7d6 Mon Sep 17 00:00:00 2001 From: Dawid Zamirski Date: Thu, 16 Feb 2017 18:17:25 -0500 -Subject: [PATCH 11/14] hivexsh: add -u flag for HIVEX_OPEN_UNSAFE. +Subject: [PATCH 11/15] hivexsh: add -u flag for HIVEX_OPEN_UNSAFE. and pass it to hivex_open. Additionally make hivex_value_value failures non-critical in this mode when iterating through node children/values. diff --git a/SOURCES/0012-hivexregedit-allow-to-pass-HIVEX_OPEN_UNSAFE.patch b/SOURCES/0012-hivexregedit-allow-to-pass-HIVEX_OPEN_UNSAFE.patch index 7760e48..0e3a9c2 100644 --- a/SOURCES/0012-hivexregedit-allow-to-pass-HIVEX_OPEN_UNSAFE.patch +++ b/SOURCES/0012-hivexregedit-allow-to-pass-HIVEX_OPEN_UNSAFE.patch @@ -1,7 +1,7 @@ 
From 362d5cd9b6527e4f9d3a3729afbe7cd90486c39d Mon Sep 17 00:00:00 2001 From: Dawid Zamirski Date: Thu, 16 Feb 2017 18:17:26 -0500 -Subject: [PATCH 12/14] hivexregedit: allow to pass HIVEX_OPEN_UNSAFE +Subject: [PATCH 12/15] hivexregedit: allow to pass HIVEX_OPEN_UNSAFE via new --unsafe flag. Also make --export catpure, log and skip over errors when reading subkeys/values so that export in unsafe mode does diff --git a/SOURCES/0013-lib-Increase-HIVEX_MAX_SUBKEYS-to-25000.patch b/SOURCES/0013-lib-Increase-HIVEX_MAX_SUBKEYS-to-25000.patch index 1e440d8..eb21439 100644 --- a/SOURCES/0013-lib-Increase-HIVEX_MAX_SUBKEYS-to-25000.patch +++ b/SOURCES/0013-lib-Increase-HIVEX_MAX_SUBKEYS-to-25000.patch @@ -1,7 +1,7 @@ From 87410a2cdcfe6e3bf8822cd803c251a0de2156cd Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 20 Nov 2014 20:47:50 +0000 -Subject: [PATCH 13/14] lib: Increase HIVEX_MAX_SUBKEYS to 25000. +Subject: [PATCH 13/15] lib: Increase HIVEX_MAX_SUBKEYS to 25000. Thanks Nicolas Ecarnot who found a HKLM\SOFTWARE hive from a Windows XP machine which had an nk containing 18254 subkeys ( > current limit diff --git a/SOURCES/0014-Increase-HIVEX_MAX_SUBKEYS-and-HIVEX_MAX_VALUES.patch b/SOURCES/0014-Increase-HIVEX_MAX_SUBKEYS-and-HIVEX_MAX_VALUES.patch index d51eafa..b630322 100644 --- a/SOURCES/0014-Increase-HIVEX_MAX_SUBKEYS-and-HIVEX_MAX_VALUES.patch +++ b/SOURCES/0014-Increase-HIVEX_MAX_SUBKEYS-and-HIVEX_MAX_VALUES.patch @@ -1,7 +1,7 @@ From d5ae3045970a815d2bdac768d6924b31f3b8b4ca Mon Sep 17 00:00:00 2001 From: Matt Coleman Date: Sat, 3 Dec 2016 15:25:43 -0500 -Subject: [PATCH 14/14] Increase HIVEX_MAX_SUBKEYS and HIVEX_MAX_VALUES +Subject: [PATCH 14/15] Increase HIVEX_MAX_SUBKEYS and HIVEX_MAX_VALUES This increases the defined limits based on counts observed in the Microsoft\Windows NT\CurrentVersion subkey of the software hive. 
diff --git a/SOURCES/0015-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch b/SOURCES/0015-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
new file mode 100644
index 0000000..a9bb8fc
--- /dev/null
+++ b/SOURCES/0015-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
@@ -0,0 +1,75 @@ +From 690e51511c532194fcff6450fe4e272a58920ba4 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Thu, 15 Apr 2021 15:50:13 +0100 +Subject: [PATCH 15/15] lib/handle.c: Bounds check for block exceeding page + length (CVE-2021-3504) + +Hives are encoded as fixed-sized pages containing smaller variable- +length blocks: + + +-------------------+-------------------+-------------------+-- + | header |[ blk ][blk][ blk ]|[blk][blk][blk] | + +-------------------+-------------------+-------------------+-- + +Blocks should not straddle a page boundary. However because blocks +contain a 32 bit length field it is possible to construct an invalid +hive where the last block in a page overlaps either the next page or +the end of the file: + + +-------------------+-------------------+ + | header |[ blk ][blk][ blk ..... ] + +-------------------+-------------------+ + +Hivex lacked a bounds check and would process the registry. Because +the rest of the code assumes this situation can never happen it was +possible to have a block containing some field (eg. a registry key +name) which would extend beyond the end of the file. Hivex mmaps or +mallocs the file, causing hivex to read memory beyond the end of the +mapped region, resulting in reading other memory structures or a +crash. (Writing beyond the end of the mapped region seems to be +impossible because we always allocate a new page before writing.) + +This commit adds a check which rejects the malformed registry on +hivex_open. + +Credit: Jeremy Galindo, Sr Security Engineer, Datto.com +Signed-off-by: Richard W.M. 
Jones +Fixes: CVE-2021-3504 +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687 +--- + lib/handle.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/lib/handle.c b/lib/handle.c +index 0d2b24b..b02808e 100644 +--- a/lib/handle.c ++++ b/lib/handle.c +@@ -315,8 +315,8 @@ hivex_open (const char *filename, int flags) + if (seg_len <= 4 || (seg_len & 3) != 0) { + if (is_root || !h->unsafe) { + SET_ERRNO (ENOTSUP, +- "%s, the block at 0x%zx has invalid size %" PRIi32 +- ", bad registry", ++ "%s, the block at 0x%zx size %" PRIi32 ++ " <= 4 or not a multiple of 4, bad registry", + filename, blkoff, le32toh (block->seg_len)); + goto error; + } else { +@@ -327,6 +327,14 @@ hivex_open (const char *filename, int flags) + } + } + ++ if (blkoff + seg_len > off + page_size) { ++ SET_ERRNO (ENOTSUP, ++ "%s, the block at 0x%zx size %" PRIi32 ++ " extends beyond the current page, bad registry", ++ filename, blkoff, le32toh (block->seg_len)); ++ goto error; ++ } ++ + if (h->msglvl >= 2) { + unsigned char *id = (unsigned char *) block->id; + int id0 = id[0], id1 = id[1]; +-- +1.8.3.1 + diff --git a/SPECS/hivex.spec b/SPECS/hivex.spec index 501b05b..eeac7e9 100644 --- a/SPECS/hivex.spec +++ b/SPECS/hivex.spec @@ -7,7 +7,7 @@ Name: hivex Version: 1.3.10 -Release: 6.10%{?dist} +Release: 6.11%{?dist} Summary: Read and write Windows Registry binary hive files License: LGPLv2 @@ -45,6 +45,9 @@ Patch0012: 0012-hivexregedit-allow-to-pass-HIVEX_OPEN_UNSAFE.patch Patch0013: 0013-lib-Increase-HIVEX_MAX_SUBKEYS-to-25000.patch Patch0014: 0014-Increase-HIVEX_MAX_SUBKEYS-and-HIVEX_MAX_VALUES.patch +# Bounds check for block exceeding page length (CVE-2021-3504). +Patch0015: 0015-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch + # Patch generated code (because we can't assume we have OCaml on all # arches). To construct this you need to do 'make prep', run the # generator by hand, and diff before and after. 
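Review bot: The added `if (blkoff + seg_len > off + page_size)` test in hivex_open carries no comment tying it to the invariant it protects, even though the commit message explains that every later read of a block field depends on it; a comment such as `/* A block must not straddle its page: later code reads block fields assuming the mapping is valid up to blkoff + seg_len (CVE-2021-3504). */` keeps that reasoning next to the check. Unlike the size test just above it, which h->unsafe can relax, this rejection is unconditional, which looks right (there is no reliable place to resume scanning after a block whose length leaves the page), but it is worth saying so in the comment. The check bounds the block against the page rather than the file, so it relies on the page extent having been validated against the file length earlier in the same loop; that code, and the unsafe-mode `else` branch of the size test, are outside the hunk, so confirm that a block tolerated there cannot fall through to this comparison with a non-positive seg_len. hivex_open's body starts and ends outside the hunk.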
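Review bot: The spec gains `Patch0015:` for the CVE-2021-3504 fix, but no application of it (a `%patch0015 -p1` line in %prep) appears in the diff; if %prep applies patches from an explicit list rather than via `%autosetup`/`%autopatch`, the patch would be declared but never applied and the built package would stay vulnerable while the changelog claims the fix. The %prep section is outside the hunks shown, so this needs checking against the full spec. The Release bump and the changelog entry agree with each other (1.3.10-6.11).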
@@ -300,6 +303,10 @@ rm $RPM_BUILD_ROOT%{python_sitearch}/libhivexmod.la %changelog +* Fri Apr 16 2021 Richard W.M. Jones - 1.3.10-6.11 +- Bounds check for block exceeding page length (CVE-2021-3504) + resolves: rhbz#1950500 + * Tue May 19 2020 Richard W.M. Jones - 1.3.10-6.10 - Increase limits on number of subkeys etc. resolves: rhbz#1822889