A flaw was found in libhivex. A stack overflow occurs as the children of each listed node grow. This causes the _get_children function to continue calling itself until it eventually overflows the stack and causes the program to crash.

References:
https://github.com/libguestfs/hivex/commit/771728218dac2fbf6997a7e53225e75a4c6b7255
https://listman.redhat.com/archives/libguestfs/2021-August/msg00002.html
Created attachment 1799722 [details]
hivex_crash.zip

Reproducer hive is attached. (Note it's a password encrypted ZIP file, the password is "hivex".)
I can only reproduce this bug using ASAN. Here's how:

(1) Clone hivex from git (https://github.com/libguestfs/hivex)

(2) Compile with:

./autogen.sh \
  CFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g -O2 -fPIC"
make

(3) Run the following command to start the hivex shell:

./sh/hivexsh -u id\:000008\,sig\:11\,src\:000325+000218\,time\:386722627\,op\:splice\,rep\:16

(4) Type "ls" at the shell prompt.

id:000008,sig:11,src:000325+000218,time:386722627,op:splice,rep:16> ls
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1365280==ERROR: AddressSanitizer: stack-overflow on address 0x7fffd82f1ff8 (pc 0x7f4ae2736c18 bp 0x7fffd82f2010 sp 0x7fffd82f2000 T0)
    #0 0x7f4ae2736c18 in _hivex_add_to_offset_list /home/rjones/d/hivex/lib/offset-list.c:69
    #1 0x7f4ae273132a in _get_children /home/rjones/d/hivex/lib/node.c:389
    #2 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
    #3 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
    #4 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
    ...
    #247 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
    #248 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489

SUMMARY: AddressSanitizer: stack-overflow /home/rjones/d/hivex/lib/offset-list.c:69 in _hivex_add_to_offset_list
==1365280==ABORTING
So even without ASAN, the code recursively calls _get_children and it would cause a stack overflow. Probably ASAN makes the stack frames a bit larger causing the error to happen with a smaller hive. It appears to be a security issue similar in severity to the last one that was reported (bug 1949687).
Created attachment 1799738 [details]
0001-lib-node.c-Limit-recursion-in-ri-records-CVE-2021-36.patch

With this patch you will see an error like this instead of a crash:

> ls
hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32
ls: Invalid argument
FWIW I ran an instrumented version of hivex over a small collection of real registry hives that I keep, and none of them had depth > 1. So in my opinion this patch is unlikely to affect any real hives that we would encounter.
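The recursion this thread describes and the depth limit the patch introduces, as an added C example that is not hivex's own code: a hypothetical in-memory model of the ri-record subkey lists (the struct and function names are assumptions) walked with the same depth >= 32 check and EINVAL result that the patch's error message reports.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
/* Hypothetical model of the subkey-list records that _get_children
 * walks (added example, not hivex's code). A leaf list holds child
 * nodes directly; an "ri" list points at further lists, which in a
 * crafted hive can themselves be "ri" lists nested arbitrarily deep. */
enum list_kind { LIST_LEAF, LIST_RI };
struct subkey_list {
  enum list_kind kind;
  size_t nelems;                       /* LIST_RI: number of sublists */
  const struct subkey_list **sublists; /* LIST_RI: the nested lists */
  size_t nleaf;                        /* LIST_LEAF: child node count */
};
#define MAX_RI_DEPTH 32 /* the cap named in the patch's error message */
/* Count child nodes under a list. Without the depth check a chain of
 * ri-records recurses once per level until the stack is exhausted. */
static long count_children (const struct subkey_list *list, unsigned depth)
{
  if (list->kind == LIST_LEAF)
    return (long) list->nleaf;
  if (depth >= MAX_RI_DEPTH) {
    fprintf (stderr, "returning EINVAL because: ri-record nested to "
             "depth >= %d\n", MAX_RI_DEPTH);
    errno = EINVAL;
    return -1;
  }
  long total = 0;
  for (size_t i = 0; i < list->nelems; ++i) {
    long n = count_children (list->sublists[i], depth + 1);
    if (n < 0)
      return -1;
    total += n;
  }
  return total;
}
/* Constructed input: `depth` ri-records chained one inside the next,
 * ending in a leaf with `nleaf` children, walked from depth 0. */
long count_nested_chain (unsigned depth, size_t nleaf)
{
  struct subkey_list nodes[depth + 1];
  const struct subkey_list *links[depth + 1];
  nodes[depth] = (struct subkey_list) { LIST_LEAF, 0, NULL, nleaf };
  for (unsigned i = depth; i > 0; --i) {
    links[i] = &nodes[i]; /* ri-record i-1 points at list i */
    nodes[i - 1] = (struct subkey_list) { LIST_RI, 1, &links[i], 0 };
  }
  return count_children (&nodes[0], 0);
}
```

A chain of up to 32 ri-records still resolves to its leaf count, while a deeper chain fails with EINVAL after exactly 32 frames instead of recursing until the stack is gone.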
In reply to comment #7:
> So even without ASAN, the code recursively calls _get_children
> and it would cause a stack overflow. Probably ASAN makes the
> stack frames a bit larger causing the error to happen with a
> smaller hive.
>
> It appears to be a security issue similar in severity to the last
> one that was reported (bug 1949687).

Thanks for your comments and testing, Richard. I'd keep this flaw low severity, as it doesn't seem to have any direct impact on confidentiality/integrity, and only partial unavailability for the same reasons as the last one (i.e., the user can always retry the operation && a crash in hivex would not result in a crash in libguestfs).
Since the embargo date has passed, this bug has now been made public:
https://github.com/libguestfs/hivex/commit/771728218dac2fbf6997a7e53225e75a4c6b7255
https://listman.redhat.com/archives/libguestfs/2021-August/msg00002.html
Created hivex tracking bugs for this issue: Affects: fedora-all [bug 1989190]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2021:3338 https://access.redhat.com/errata/RHSA-2021:3338
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3622
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:1759 https://access.redhat.com/errata/RHSA-2022:1759