Bug 1158992
| Field | Value |
|---|---|
| Summary | CVE-2014-9273 hivex: missing checks for small-sized files [rhel-7.1] |
| Product | Red Hat Enterprise Linux 7 |
| Component | hivex |
| Version | 7.1 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Richard W.M. Jones <rjones> |
| Assignee | Richard W.M. Jones <rjones> |
| QA Contact | Virtualization Bugs <virt-bugs> |
| CC | lkong |
| Target Milestone | rc |
| Keywords | Security, SecurityTracking |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | hivex-1.3.10-5.4.el7 |
| Doc Type | Release Note |
| | 1158993 |
| Last Closed | 2015-03-05 13:42:14 UTC |
| Type | Bug |
| Bug Blocks | 1158993, 1167756 |
Description
Richard W.M. Jones
2014-10-30 16:08:07 UTC
Can reproduce with hivex-1.3.10-5.3.el7

Steps to reproduce:

    $ echo -n 'reg' > small
    $ valgrind hivexsh -w small
    ==8879== Memcheck, a memory error detector
    ==8879== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
    ==8879== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
    ==8879== Command: hivexsh -w small
    ==8879==
    ==8879== Invalid read of size 1
    ==8879== at 0x4E35EBC: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
    ==8879== by 0x4033B8: ??? (in /usr/bin/hivexsh)
    ==8879== by 0x401B54: ??? (in /usr/bin/hivexsh)
    ==8879== by 0x52AEAF4: (below main) (in /usr/lib64/libc-2.17.so)
    ==8879== Address 0x587bac3 is 0 bytes after a block of size 3 alloc'd
    ==8879== at 0x4C28BBD: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==8879== by 0x4E35E57: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
    ==8879== by 0x4033B8: ??? (in /usr/bin/hivexsh)
    ==8879== by 0x401B54: ??? (in /usr/bin/hivexsh)
    ==8879== by 0x52AEAF4: (below main) (in /usr/lib64/libc-2.17.so)
    ==8879==
    hivexsh: failed to open hive file: small: Operation not supported
    If you think this file is a valid Windows binary hive file (_not_ a regedit *.reg file) then please run this command again using the hivexsh option '-d' and attach the complete output _and_ the hive file which fails into a bug report at https://bugzilla.redhat.com/
    [...]

hivexsh tries to read from beyond its allocated buffer.

Verify with hivex-1.3.10-5.4.el7

Steps to verify:

    1. # echo -n 'reg' > small
    2. # valgrind hivexsh -w small
    ==17521== Memcheck, a memory error detector
    ==17521== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
    ==17521== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
    ==17521== Command: hivexsh -w small
    ==17521==
    hivexsh: failed to open hive file: small: Invalid argument
    If you think this file is a valid Windows binary hive file (_not_ a regedit *.reg file) then please run this command again using the hivexsh option '-d' and attach the complete output _and_ the hive file which fails into a bug report at https://bugzilla.redhat.com/
    ==17521==
    ==17521== HEAP SUMMARY:
    ==17521== in use at exit: 3 bytes in 1 blocks
    ==17521== total heap usage: 99 allocs, 98 frees, 20,805 bytes allocated
    ==17521==
    ==17521== LEAK SUMMARY:
    ==17521== definitely lost: 0 bytes in 0 blocks
    ==17521== indirectly lost: 0 bytes in 0 blocks
    ==17521== possibly lost: 0 bytes in 0 blocks
    ==17521== still reachable: 3 bytes in 1 blocks
    ==17521== suppressed: 0 bytes in 0 blocks
    ==17521== Rerun with --leak-check=full to see details of leaked memory
    ==17521==
    ==17521== For counts of detected and suppressed errors, rerun with: -v
    ==17521== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)

In the results, such lines cannot be found:

    ==7030== Invalid read of size 1
    ==7030== at 0x4E33EBC: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
    ==7030== by 0x4033B8: ??? (in /usr/bin/hivexsh)
    ==7030== by 0x401B54: ??? (in /usr/bin/hivexsh)
    ==7030== by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)
    ==7030== Address 0x5879ac3 is 0 bytes after a block of size 3 alloc'd
    ==7030== at 0x4C2845D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==7030== by 0x4E33E57: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
    ==7030== by 0x4033B8: ??? (in /usr/bin/hivexsh)
    ==7030== by 0x401B54: ??? (in /usr/bin/hivexsh)
    ==7030== by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)

So the bug is fixed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0301.html
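
The class of check this bug is about, shown as an added example that is not hivex's own code: a buffer's length is validated before its magic bytes are read. The function names and `HIVE_MIN_SIZE` are assumptions for illustration, and the two error codes are chosen to mirror the "Invalid argument" and "Operation not supported" messages in the valgrind runs above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HIVE_MIN_SIZE 0x1000u /* assumption: one 4 KiB header block */

/* Unchecked form: reads buf[3] even when the block holds only 3 bytes,
 * the kind of one-byte over-read valgrind flags in the report.
 * Kept for contrast; never call it on short input. */
int magic_ok_unchecked(const uint8_t *buf)
{
    return buf[0] == 'r' && buf[1] == 'e' && buf[2] == 'g' && buf[3] == 'f';
}

/* Checked form: the length is validated before any byte is read. */
int hive_validate(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < HIVE_MIN_SIZE)
        return -EINVAL;   /* too small to hold a header */
    if (memcmp(buf, "regf", 4) != 0)
        return -ENOTSUP;  /* large enough, but wrong magic */
    return 0;
}

/* Read a whole file into an exact-size heap block, then validate it. */
int hive_check_file(const char *path)
{
    FILE *fp = fopen(path, "rb");
    if (fp == NULL)
        return -errno;
    long sz = (fseek(fp, 0, SEEK_END) == 0) ? ftell(fp) : -1;
    if (sz < 0) { fclose(fp); return -EIO; }
    rewind(fp);
    uint8_t *buf = malloc(sz > 0 ? (size_t)sz : 1);
    size_t got = buf ? fread(buf, 1, (size_t)sz, fp) : 0;
    fclose(fp);
    int rc = buf ? hive_validate(buf, got) : -ENOMEM;
    free(buf);
    return rc;
}

int main(void)
{
    const uint8_t small[3] = { 'r', 'e', 'g' }; /* constructed: the 3-byte file */
    printf("3-byte input: %s\n", strerror(-hive_validate(small, sizeof small)));
    return 0;
}
```

Running the same `valgrind` command from the report against a build with such a check is the regression test: the "Invalid read of size 1" block should be absent and the error summary should show 0 errors.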