packages/hivex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:f40fcfe764e4831a3ed04d241c8669935d640de7
Branches Tags
packages:main
..
compare: packages:925d738d8362466e052bef4727ab160f08f52a05
Branches Tags
packages:main

No commits in common. "f40fcfe764e4831a3ed04d241c8669935d640de7" and "925d738d8362466e052bef4727ab160f08f52a05" have entirely different histories.
f40fcfe764 ... 925d738d83

4 changed files with 23 additions and 216 deletions
Show Stats Expand all files Collapse all files

25
0001-lib-node.c-Fix-minor-typo-in-error-message.patch
View File

@ -1,25 +0,0 @@
From bb92eed6b57ed29d8230ca688ff73771b8b7e845 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Fri, 16 Jul 2021 09:49:04 +0100
Subject: [PATCH] lib/node.c: Fix minor typo in error message
---
lib/node.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/node.c b/lib/node.c
index 21cd127..7b002a4 100644
--- a/lib/node.c
+++ b/lib/node.c
@@ -346,7 +346,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
if (!h->unsafe) {
SET_ERRNO (ENOTSUP,
"nr_subkeys_in_nk = %zu "
- "is not equal to number of childred read %zu",
+ "is not equal to number of children read %zu",
nr_subkeys_in_nk, nr_children);
goto error;
} else {
--
2.33.0

72
CVE-2021-3504.patch
View File

@ -1,72 +0,0 @@
From 8f1935733b10d974a1a4176d38dd151ed98cf381 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 15 Apr 2021 15:50:13 +0100
Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length
(CVE-2021-3504)
Hives are encoded as fixed-sized pages containing smaller variable-
length blocks:
+-------------------+-------------------+-------------------+--
| header |[ blk ][blk][ blk ]|[blk][blk][blk] |
+-------------------+-------------------+-------------------+--
Blocks should not straddle a page boundary. However because blocks
contain a 32 bit length field it is possible to construct an invalid
hive where the last block in a page overlaps either the next page or
the end of the file:
+-------------------+-------------------+
| header |[ blk ][blk][ blk ..... ]
+-------------------+-------------------+
Hivex lacked a bounds check and would process the registry. Because
the rest of the code assumes this situation can never happen it was
possible to have a block containing some field (eg. a registry key
name) which would extend beyond the end of the file. Hivex mmaps or
mallocs the file, causing hivex to read memory beyond the end of the
mapped region, resulting in reading other memory structures or a
crash. (Writing beyond the end of the mapped region seems to be
impossible because we always allocate a new page before writing.)
This commit adds a check which rejects the malformed registry on
hivex_open.
Credit: Jeremy Galindo, Sr Security Engineer, Datto.com
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Fixes: CVE-2021-3504
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687
---
lib/handle.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/lib/handle.c b/lib/handle.c
index 88b1563..2e4231a 100644
--- a/lib/handle.c
+++ b/lib/handle.c
@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags)
#pragma GCC diagnostic pop
if (is_root || !h->unsafe) {
SET_ERRNO (ENOTSUP,
- "%s, the block at 0x%zx has invalid size %" PRIu32
- ", bad registry",
+ "%s, the block at 0x%zx size %" PRIu32
+ " <= 4 or not a multiple of 4, bad registry",
filename, blkoff, le32toh (block->seg_len));
goto error;
} else {
@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags)
}
}
+ if (blkoff + seg_len > off + page_size) {
+ SET_ERRNO (ENOTSUP,
+ "%s, the block at 0x%zx size %" PRIu32
+ " extends beyond the current page, bad registry",
+ filename, blkoff, le32toh (block->seg_len));
+ goto error;
+ }
+
if (h->msglvl >= 2) {
unsigned char *id = (unsigned char *) block->id;
int id0 = id[0], id1 = id[1];

92
CVE-2021-3622.patch
View File

@ -1,92 +0,0 @@
From 771728218dac2fbf6997a7e53225e75a4c6b7255 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 8 Jul 2021 19:00:45 +0100
Subject: [PATCH] lib/node.c: Limit recursion in ri-records (CVE-2021-3622)
Windows Registry hive "ri"-records are arbitrarily nested B-tree-like
structures:
+-------------+
| ri |
|-------------|
| nr_offsets |
| offset[0] ------> points to another lf/lh/li/ri block
| offset[1] ------>
| offset[2] ------>
+-------------+
It is possible to construct a hive with a very deeply nested tree of
ri-records, causing the internal _get_children function to recurse to
any depth which can cause programs linked to hivex to crash with a
stack overflow.
Since it is not thought that deeply nested ri-records occur in real
hives, limit recursion depth. If you hit this limit you will see the
following error and the operation will return an error instead of
crashing:
\> ls
hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32
ls: Invalid argument
Thanks to Jeremy Galindo for finding and reporting this bug.
Reported-by: Jeremy Galindo, Sr Security Engineer, Datto.com
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Fixes: CVE-2021-3622
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975489
(cherry picked from commit 781a12c4a49dd81365c9c567c5aa5e19e894ba0e)
---
lib/node.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/lib/node.c b/lib/node.c
index 7b002a4..eb7fe93 100644
--- a/lib/node.c
+++ b/lib/node.c
@@ -203,7 +203,7 @@ hivex_node_classname (hive_h *h, hive_node_h node)
static int _get_children (hive_h *h, hive_node_h blkoff,
offset_list *children, offset_list *blocks,
- int flags);
+ int flags, unsigned depth);
static int check_child_is_nk_block (hive_h *h, hive_node_h child, int flags);
/* Iterate over children (ie. subkeys of a node), returning child
@@ -335,7 +335,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
goto error;
}
- if (_get_children (h, subkey_lf, &children, &blocks, flags) == -1)
+ if (_get_children (h, subkey_lf, &children, &blocks, flags, 0) == -1)
goto error;
/* Check the number of children we ended up reading matches
@@ -383,7 +383,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
static int
_get_children (hive_h *h, hive_node_h blkoff,
offset_list *children, offset_list *blocks,
- int flags)
+ int flags, unsigned depth)
{
/* Add this intermediate block. */
if (_hivex_add_to_offset_list (blocks, blkoff) == -1)
@@ -486,7 +486,17 @@ _get_children (hive_h *h, hive_node_h blkoff,
}
}
- if (_get_children (h, offset, children, blocks, flags) == -1)
+ /* Although in theory hive ri records might be nested to any
+ * depth, in practice this is unlikely. Recursing here caused
+ * CVE-2021-3622. Thus limit the depth we will recurse to
+ * something small.
+ */
+ if (depth >= 32) {
+ SET_ERRNO (EINVAL, "ri-record nested to depth >= %u", depth);
+ return -1;
+ }
+
+ if (_get_children (h, offset, children, blocks, flags, depth+1) == -1)
return -1;
}
}

50
hivex.spec
View File

@ -1,4 +1,4 @@
%ifarch %{ocaml_native_compiler} loongarch64 sw_64 %ifarch %{ocaml_native_compiler}
%bcond_without ocaml %bcond_without ocaml
%else %else
%bcond_with ocaml %bcond_with ocaml
@ -6,16 +6,14 @@
Name: hivex Name: hivex
Version: 1.3.17 Version: 1.3.17
Release: 7 Release: 2
Summary: Windows Registry "hive" extraction library Summary: Windows Registry "hive" extraction library
License: LGPLv2 License: LGPLv2
URL: http://libguestfs.org/ URL: http://libguestfs.org/
Source0: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz Source0: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz
Source1: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz.sig Source1: http://libguestfs.org/download/hivex/%{name}-%{version}.tar.gz.sig
Source2: libguestfs.keyring Source2: libguestfs.keyring
Patch0: CVE-2021-3504.patch
Patch1: CVE-2021-3622.patch
Patch2: 0001-lib-node.c-Fix-minor-typo-in-error-message.patch
BuildRequires: perl-interpreter, perl, perl-podlators, perl-devel, perl-generators, perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00 BuildRequires: perl-interpreter, perl, perl-podlators, perl-devel, perl-generators, perl(bytes), perl(Carp), perl(Encode), perl(ExtUtils::MakeMaker), perl(Exporter), perl(IO::Scalar), perl(IO::Stringy), perl(strict), perl(Test::More), perl(utf8), perl(vars), perl(warnings), perl(XSLoader), perl(Test::Pod) >= 1.00, perl(Test::Pod::Coverage) >= 1.00
@ -24,7 +22,7 @@ BuildRequires: ocaml
BuildRequires: ocaml-findlib-devel BuildRequires: ocaml-findlib-devel
%endif %endif
BuildRequires: python3-devel, ruby-devel, rubygem-rake, rubygem(json), rubygem(minitest), rubygem(rdoc), readline-devel, libxml2-devel, gnupg2 BuildRequires: python2-devel, python-unversioned-command, python3-devel, ruby-devel, rubygem-rake, rubygem(json), rubygem(minitest), rubygem(rdoc), readline-devel, libxml2-devel, gnupg2
Provides: bundled(gnulib) Provides: bundled(gnulib)
@ -90,6 +88,18 @@ Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $versio
%description -n perl-%{name} %description -n perl-%{name}
Perl bindings for %{name} are included in perl-%{name}. Perl bindings for %{name} are included in perl-%{name}.
%package -n python2-%{name}
Summary: Provide python 2 bindings for %{name}
Requires: %{name} = %{version}-%{release}
Obsoletes: python-%{name} < %{version}-%{release}
Provides: python-%{name} = %{version}-%{release}
%description -n python2-%{name}
Python 2 bindings for %{name} are included in python2-%{name}.
%package -n python3-%{name} %package -n python3-%{name}
Summary: Provide python 3 bindings for %{name} Summary: Provide python 3 bindings for %{name}
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
@ -138,10 +148,6 @@ cd python3
cd .. cd ..
%make_install INSTALLDIRS=vendor %make_install INSTALLDIRS=vendor
%ifarch sw_64
chmod 644 %{buildroot}%{_libdir}/perl5/vendor_perl/auto/Win/Hivex/Hivex.so
%endif
%find_lang %{name} %find_lang %{name}
@ -159,6 +165,7 @@ cd python3 && make check && cd ..
%{_libdir}/libhivex.so.* %{_libdir}/libhivex.so.*
%exclude %{_libdir}/libhivex.la %exclude %{_libdir}/libhivex.la
%exclude %{_libdir}/perl5/perllocal.pod %exclude %{_libdir}/perl5/perllocal.pod
%exclude %{python2_sitearch}/libhivexmod.la
%exclude %{python3_sitearch}/libhivexmod.la %exclude %{python3_sitearch}/libhivexmod.la
@ -194,10 +201,8 @@ cd python3 && make check && cd ..
%files -n ocaml-%{name}-devel %files -n ocaml-%{name}-devel
%{_libdir}/ocaml/hivex/*.a %{_libdir}/ocaml/hivex/*.a
%ifnarch loongarch64 sw_64
%{_libdir}/ocaml/hivex/*.cmxa %{_libdir}/ocaml/hivex/*.cmxa
%{_libdir}/ocaml/hivex/*.cmx %{_libdir}/ocaml/hivex/*.cmx
%endif
%{_libdir}/ocaml/hivex/*.mli %{_libdir}/ocaml/hivex/*.mli
%endif %endif
@ -206,6 +211,12 @@ cd python3 && make check && cd ..
%{perl_vendorarch}/* %{perl_vendorarch}/*
%{_bindir}/hivexregedit %{_bindir}/hivexregedit
%files -n python2-%{name}
%{python2_sitearch}/hivex/
%{python2_sitearch}/*.so
%files -n python3-%{name} %files -n python3-%{name}
%{python3_sitearch}/hivex/ %{python3_sitearch}/hivex/
%{python3_sitearch}/*.so %{python3_sitearch}/*.so
@ -218,20 +229,5 @@ cd python3 && make check && cd ..
%changelog %changelog
* Thu Dec 21 2023 liyuanyuan <liyuanyuan@xfusion.com> - 1.3.17-7
- lib/node.c: Fix minor typo in error message
* Mon May 29 2023 guoqinglan <guoqinglan@kylinsec.com.cn> - 1.3.17-6
- generate ocaml sub-packages for sw_64 and loongarch64
* Fri Sep 24 2021 yaoxin <yaoxin30@huawei.com> - 1.3.17-5
- Fix CVE-2021-3622
* Tue May 25 2021 wangyue <wangyue92@huawei.com> - 1.3.17-4
- Fix CVE-2021-3504
* Wed Oct 21 2020 leiju <leiju4@163.com> - 1.3.17-3
- remove python2 subpackage
* Sat Nov 30 2019 jiaxiya <jiaxiyajiaxiya@163.com> - 1.3.17-2 * Sat Nov 30 2019 jiaxiya <jiaxiyajiaxiya@163.com> - 1.3.17-2
- Package init - Package init