Bug 1158993
Summary: | CVE-2014-9273 hivex: missing checks for small/truncated files [rhel-6.7] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Richard W.M. Jones <rjones> |
Component: | hivex | Assignee: | Richard W.M. Jones <rjones> |
Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.7 | CC: | huzhan, leiwang, virt-bugs, wshi |
Target Milestone: | rc | Keywords: | Security, SecurityTracking |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | hivex-1.3.3-4.3.el6 | Doc Type: | Release Note |
Doc Text: | Story Points: | --- | |
Clone Of: | 1158992 | Environment: | |
Last Closed: | 2015-07-22 07:17:14 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1158992 | ||
Bug Blocks: | 1167756 |
Description
Richard W.M. Jones
2014-10-30 16:11:09 UTC
Verified with hivex-1.3.3-4.3.el6

Steps to verify:

1. # echo -n 'reg' > small
2. # valgrind hivexsh -w small

    ==16890== Memcheck, a memory error detector
    ==16890== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
    ==16890== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
    ==16890== Command: hivexsh -w small
    ==16890==
    small: file is too small to be a Windows NT Registry hive filehivexsh: failed to open hive file: small: Invalid argument

    If you think this file is a valid Windows binary hive file (_not_
    a regedit *.reg file) then please run this command again using the
    hivexsh option '-d' and attach the complete output _and_ the hive file
    which fails into a bug report at https://bugzilla.redhat.com/

    ==16890==
    ==16890== HEAP SUMMARY:
    ==16890==     in use at exit: 3 bytes in 1 blocks
    ==16890==   total heap usage: 99 allocs, 98 frees, 20,805 bytes allocated
    ==16890==
    ==16890== LEAK SUMMARY:
    ==16890==    definitely lost: 0 bytes in 0 blocks
    ==16890==    indirectly lost: 0 bytes in 0 blocks
    ==16890==      possibly lost: 0 bytes in 0 blocks
    ==16890==    still reachable: 3 bytes in 1 blocks
    ==16890==         suppressed: 0 bytes in 0 blocks
    ==16890== Rerun with --leak-check=full to see details of leaked memory
    ==16890==
    ==16890== For counts of detected and suppressed errors, rerun with: -v
    ==16890== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)

In the results can not find such lines:

    ==7030== Invalid read of size 1
    ==7030==    at 0x4E33EBC: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
    ==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
    ==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
    ==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)
    ==7030==  Address 0x5879ac3 is 0 bytes after a block of size 3 alloc'd
    ==7030==    at 0x4C2845D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==7030==    by 0x4E33E57: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
    ==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
    ==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
    ==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)

So bug is fixed

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1378.html
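The class of check this bug's summary refers to, sketched as an added example (not hivex's own code and not part of the original report): the buffer length is validated before any header byte is read, so the 3-byte `small` file from the verification steps is rejected without a read past the allocation. The function name, the 4096-byte header size and the offset 0x28 of the data-length field are assumptions taken from public descriptions of the regf format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE   0x1000u  /* assumption: regf base block is 4096 bytes */
#define OFF_BLOCKS 0x28u    /* assumption: LE32 length of the hive bin data */

enum hive_check { HIVE_OK, HIVE_TOO_SMALL, HIVE_BAD_MAGIC, HIVE_TRUNCATED };

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper: validate a buffer of len bytes read from a file. */
enum hive_check check_hive_header(const unsigned char *buf, size_t len)
{
    /* Length first: no header byte is touched until this passes. */
    if (buf == NULL || len < HDR_SIZE)
        return HIVE_TOO_SMALL;
    if (memcmp(buf, "regf", 4) != 0)
        return HIVE_BAD_MAGIC;
    /* A truncated file: the header claims more data than is present. */
    if ((uint64_t)le32(buf + OFF_BLOCKS) > (uint64_t)(len - HDR_SIZE))
        return HIVE_TRUNCATED;
    return HIVE_OK;
}

int main(void)
{
    /* Constructed samples: the 3-byte file from the steps above, and an
       8 KiB buffer whose header claims 0x1000 bytes of hive bin data. */
    static const unsigned char small[3] = { 'r', 'e', 'g' };
    static unsigned char full[0x2000];
    memcpy(full, "regf", 4);
    full[OFF_BLOCKS + 1] = 0x10;           /* blocks = 0x00001000 */

    printf("small:     %d\n", check_hive_header(small, sizeof small));
    printf("full:      %d\n", check_hive_header(full, sizeof full));
    printf("truncated: %d\n", check_hive_header(full, 0x1800));
    return 0;
}
```

Running a build of this under valgrind with the same 3-byte input is a quick regression check that the length test still precedes every header read.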