Bug 1975489 (CVE-2021-3622)
Summary: | CVE-2021-3622 hivex: stack overflow due to recursive call of _get_children() | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> | ||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||
Severity: | low | Docs Contact: | |||||||
Priority: | low | ||||||||
Version: | unspecified | CC: | ddepaula, jgalindo, kkiwi, mcascell, rjones, security-response-team, virt-maint | ||||||
Target Milestone: | --- | Keywords: | Security | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | hivex-1.3.21 | Doc Type: | If docs needed, set a value | ||||||
Doc Text: |
A flaw was found in the hivex library. This flaw allows an attacker to input a specially crafted Windows Registry (hive) file, which would cause hivex to recursively call the _get_children() function, leading to a stack overflow. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- | ||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2021-08-31 18:56:15 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | 1976193, 1976194, 1976195, 1976196, 1989190 | ||||||||
Bug Blocks: | 1975490, 1976188 | ||||||||
Attachments: |
|
Description
Pedro Sampaio
2021-06-23 19:19:37 UTC
Created attachment 1799722 [details]
hivex_crash.zip
Reproducer hive is attached. (Note it's a password encrypted ZIP file, the password is "hivex".)

I can only reproduce this bug using ASAN. Here's how:

(1) Clone hivex from git (https://github.com/libguestfs/hivex)

(2) Compile with:

```
./autogen.sh \
  CFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g -O2 -fPIC"
make
```

(3) Run the following command to start the hivex shell:

```
./sh/hivexsh -u id\:000008\,sig\:11\,src\:000325+000218\,time\:386722627\,op\:splice\,rep\:16
```

(4) Type "ls" at the shell prompt.

```
id:000008,sig:11,src:000325+000218,time:386722627,op:splice,rep:16> ls
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1365280==ERROR: AddressSanitizer: stack-overflow on address 0x7fffd82f1ff8 (pc 0x7f4ae2736c18 bp 0x7fffd82f2010 sp 0x7fffd82f2000 T0)
    #0 0x7f4ae2736c18 in _hivex_add_to_offset_list /home/rjones/d/hivex/lib/offset-list.c:69
    #1 0x7f4ae273132a in _get_children /home/rjones/d/hivex/lib/node.c:389
    #2 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
    #3 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
    #4 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
    ...
    #247 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
    #248 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
SUMMARY: AddressSanitizer: stack-overflow /home/rjones/d/hivex/lib/offset-list.c:69 in _hivex_add_to_offset_list
==1365280==ABORTING
```

So even without ASAN, the code recursively calls _get_children and it would cause a stack overflow. Probably ASAN makes the stack frames a bit larger causing the error to happen with a smaller hive.

It appears to be a security issue similar in severity to the last one that was reported (bug 1949687).

Created attachment 1799738 [details]
0001-lib-node.c-Limit-recursion-in-ri-records-CVE-2021-36.patch
With this patch you will see an error like this instead of a crash:

```
> ls
hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32
ls: Invalid argument
```
FWIW I ran an instrumented version of hivex over a small collection of real registry hives that I keep, and none of them had depth > 1. So in my opinion this patch is unlikely to affect any real hives that we would encounter.

In reply to comment #7:

> So even without ASAN, the code recursively calls _get_children
> and it would cause a stack overflow. Probably ASAN makes the
> stack frames a bit larger causing the error to happen with a
> smaller hive.
>
> It appears to be a security issue similar in severity to the last
> one that was reported (bug 1949687).

Thanks for your comments and testing, Richard. I'd keep this flaw low severity, as it doesn't seem to have any direct impact on confidentiality/integrity, and only partial unavailability for the same reasons as the last one (i.e., the user can always retry the operation && a crash in hivex would not result in a crash in libguestfs).

Since the embargo date has passed, this bug has now been made public:

https://github.com/libguestfs/hivex/commit/771728218dac2fbf6997a7e53225e75a4c6b7255
https://listman.redhat.com/archives/libguestfs/2021-August/msg00002.html

Created hivex tracking bugs for this issue:

Affects: fedora-all [bug 1989190]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2021:3338 https://access.redhat.com/errata/RHSA-2021:3338

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3622

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:1759 https://access.redhat.com/errata/RHSA-2022:1759
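The fix discussed in this bug bounds how deeply nested ri-records may drive the recursion in _get_children. As an added illustration (not hivex's own code, and not the patch from this bug), the stand-alone C program below models that guard over a constructed, hypothetical in-memory subkey-list structure: an lf record holds child ids, an ri record points to further lists, and an ri record reached at depth 32 is refused with EINVAL rather than recursed into, matching the error the patched hivexsh prints.

```c
#include <errno.h>
#include <stddef.h>
#define MAX_RI_DEPTH 32  /* the limit the patch on this bug enforces */
enum rec_kind { REC_LF, REC_RI };
/* Hypothetical stand-in for a hive subkey-list block (not hivex's own struct). */
struct rec {
    enum rec_kind kind;
    size_t n;                          /* entries in keys or subs */
    const int *keys;                   /* REC_LF: child node ids */
    const struct rec **subs;           /* REC_RI: nested subkey lists */
};
/* Collect child ids; an ri-record nested MAX_RI_DEPTH or deeper is refused
 * with errno = EINVAL instead of being recursed into without bound. */
static int get_children(const struct rec *r, int depth, int *out, size_t cap, size_t *count)
{
    if (r->kind == REC_LF) {
        for (size_t i = 0; i < r->n; i++) {
            if (*count >= cap) { errno = ENOMEM; return -1; }
            out[(*count)++] = r->keys[i];
        }
        return 0;
    }
    if (depth >= MAX_RI_DEPTH) { errno = EINVAL; return -1; }
    for (size_t i = 0; i < r->n; i++)
        if (get_children(r->subs[i], depth + 1, out, cap, count) == -1)
            return -1;
    return 0;
}
/* Constructed input: a chain of `levels` ri-records ending in one lf leaf. */
static const struct rec *build_chain(struct rec *buf, const struct rec **links,
                                     int levels, const int *keys, size_t nkeys)
{
    buf[levels] = (struct rec){ REC_LF, nkeys, keys, NULL };
    for (int i = levels - 1; i >= 0; i--) {
        links[i] = &buf[i + 1];
        buf[i] = (struct rec){ REC_RI, 1, NULL, &links[i] };
    }
    return &buf[0];
}
/* Number of children found below a chain of `levels` (0..63) ri-records,
 * or -1 with errno = EINVAL once the nesting reaches the limit. */
int walk_chain(int levels)
{
    static const int keys[] = { 10, 20, 30 };
    struct rec buf[64]; const struct rec *links[64]; int out[8]; size_t count = 0;
    if (levels < 0 || levels > 63) { errno = EINVAL; return -1; }
    const struct rec *root = build_chain(buf, links, levels, keys, 3);
    return get_children(root, 0, out, 8, &count) == -1 ? -1 : (int)count;
}
```

A chain of up to 32 ri-records still yields the three leaf children; the 33rd level is the first one reached at depth 32 and is rejected, so a crafted file can no longer grow the stack without limit.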