Bug 1158992 - CVE-2014-9273 hivex: missing checks for small-sized files [rhel-7.1]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: hivex
Version: 7.1
Severity: unspecified
Target Milestone: rc
Assigned To: Richard W.M. Jones
QA Contact: Virtualization Bugs
Keywords: Security, SecurityTracking
Blocks: 1158993, CVE-2014-9273
Reported: 2014-10-30 12:08 EDT by Richard W.M. Jones
Modified: 2015-03-05 08:42 EST
Fixed In Version: hivex-1.3.10-5.4.el7
Doc Type: Release Note
Last Closed: 2015-03-05 08:42:14 EST
Type: Bug


External Trackers:
Red Hat Product Errata RHSA-2015:0301 (normal, SHIPPED_LIVE): Moderate: hivex security, bug fix, and enhancement update, last updated 2015-03-05 12:34:28 EST
Description Richard W.M. Jones 2014-10-30 12:08:07 EDT
Description of problem:

This issue was discovered and reported by Mahmoud Al-Qudsi, here:
https://www.redhat.com/archives/libguestfs/2014-October/thread.html#00235

If you present hivex with a too-small file, or certain truncated
or improperly formed files, then it will (at least) try to read
from beyond its allocated buffer.  It may even try to write, but
we didn't prove that.

Version-Release number of selected component (if applicable):

All versions of hivex < 1.3.11

How reproducible:

100%

Steps to Reproduce:

$ echo -n 'reg' > small
$ valgrind hivexsh -w small
[...]
==7030== Invalid read of size 1
==7030==    at 0x4E33EBC: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)
==7030==  Address 0x5879ac3 is 0 bytes after a block of size 3 alloc'd
==7030==    at 0x4C2845D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7030==    by 0x4E33E57: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)
[...]

This is by no means exhaustive.  With a properly malicious
file, it's probably possible to get it to read up to 4095 bytes
beyond the end of the allocated buffer.

Additional info:

I've added two patches upstream which add some additional
checks:

https://github.com/libguestfs/hivex/commit/357f26fa64fd1d9ccac2331fe174a8ee9c607adb
https://github.com/libguestfs/hivex/commit/4bbdf555f88baeae0fa804a369a81a83908bd705

These should probably be considered for RHEL 7.
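As an added illustration of the class of check the two upstream commits introduce (example code written here, not hivex's own code or the patches linked above; the hive layout constants and the function names are assumptions), a bounds-checked header walk that refuses a file shorter than the base block before comparing its magic, which is the read valgrind flags above:

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define HIVE_BASE_BLOCK 0x1000  /* the "regf" base block is one 4 KiB page */
#define HBIN_HDR_LEN    0x20    /* fixed part of an "hbin" page header      */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Validate an in-memory hive image before any field is dereferenced.  Returns
 * 0 if sane, -ENOTSUP for a bad "regf" magic, -EINVAL if the file is too small
 * or an hbin page would run past the end of the buffer. */
int hive_validate(const uint8_t *buf, size_t len) {
    /* This length check is what the pre-fix hivex_open() lacked: a 3-byte
     * "reg" file made the magic compare read one byte past its block. */
    if (len < HIVE_BASE_BLOCK)
        return -EINVAL;
    if (memcmp(buf, "regf", 4) != 0)
        return -ENOTSUP;
    /* Walk the hbin chain.  Each page size must be non-zero, page aligned
     * and fit in what remains; compare against len - off instead of
     * computing off + page so an oversized field cannot wrap around. */
    size_t off = HIVE_BASE_BLOCK;
    while (off < len) {
        if (len - off < HBIN_HDR_LEN || memcmp(buf + off, "hbin", 4) != 0)
            return -EINVAL;
        uint32_t page = le32(buf + off + 8);
        if (page == 0 || page % HIVE_BASE_BLOCK != 0 || page > len - off)
            return -EINVAL;
        off += page;
    }
    return 0;
}

/* Constructed samples: the report's 3-byte file, a 2-page skeleton, an overrun. */
int hive_selftest(void) {
    static uint8_t hive[2 * HIVE_BASE_BLOCK];
    const uint8_t tiny[3] = { 'r', 'e', 'g' };
    memset(hive, 0, sizeof hive);
    memcpy(hive, "regf", 4);
    memcpy(hive + HIVE_BASE_BLOCK, "hbin", 4);
    hive[HIVE_BASE_BLOCK + 9] = 0x10;  /* size field (offset 8, LE) = 0x1000 */
    int ok = hive_validate(tiny, sizeof tiny) == -EINVAL &&
             hive_validate(hive, sizeof hive) == 0;
    hive[HIVE_BASE_BLOCK + 9] = 0x20;  /* now claims 0x2000 with 0x1000 left */
    return ok && hive_validate(hive, sizeof hive) == -EINVAL;
}
```

The -EINVAL result for the too-small file matches the "Invalid argument" the fixed package reports in the verification comment below.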
Comment 1 Lingfei Kong 2014-11-09 22:02:08 EST
Can reproduce with hivex-1.3.10-5.3.el7

Steps to reproduce:
$ echo -n 'reg' > small
$ valgrind hivexsh -w small
==8879== Memcheck, a memory error detector
==8879== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==8879== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==8879== Command: hivexsh -w small
==8879== 
==8879== Invalid read of size 1
==8879==    at 0x4E35EBC: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==8879==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==8879==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==8879==    by 0x52AEAF4: (below main) (in /usr/lib64/libc-2.17.so)
==8879==  Address 0x587bac3 is 0 bytes after a block of size 3 alloc'd
==8879==    at 0x4C28BBD: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8879==    by 0x4E35E57: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==8879==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==8879==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==8879==    by 0x52AEAF4: (below main) (in /usr/lib64/libc-2.17.so)
==8879== 
hivexsh: failed to open hive file: small: Operation not supported

If you think this file is a valid Windows binary hive file (_not_
a regedit *.reg file) then please run this command again using the
hivexsh option '-d' and attach the complete output _and_ the hive file
which fails into a bug report at https://bugzilla.redhat.com/
[...]

hivexsh tries to read from beyond its allocated buffer.
Comment 3 Lingfei Kong 2014-11-17 22:10:52 EST
Verified with hivex-1.3.10-5.4.el7

Steps to verify:
1. # echo -n 'reg' > small
2. # valgrind hivexsh -w small
==17521== Memcheck, a memory error detector
==17521== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==17521== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==17521== Command: hivexsh -w small
==17521== 
hivexsh: failed to open hive file: small: Invalid argument

If you think this file is a valid Windows binary hive file (_not_
a regedit *.reg file) then please run this command again using the
hivexsh option '-d' and attach the complete output _and_ the hive file
which fails into a bug report at https://bugzilla.redhat.com/

==17521== 
==17521== HEAP SUMMARY:
==17521==     in use at exit: 3 bytes in 1 blocks
==17521==   total heap usage: 99 allocs, 98 frees, 20,805 bytes allocated
==17521== 
==17521== LEAK SUMMARY:
==17521==    definitely lost: 0 bytes in 0 blocks
==17521==    indirectly lost: 0 bytes in 0 blocks
==17521==      possibly lost: 0 bytes in 0 blocks
==17521==    still reachable: 3 bytes in 1 blocks
==17521==         suppressed: 0 bytes in 0 blocks
==17521== Rerun with --leak-check=full to see details of leaked memory
==17521== 
==17521== For counts of detected and suppressed errors, rerun with: -v
==17521== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)


The results do not contain these lines:
==7030== Invalid read of size 1
==7030==    at 0x4E33EBC: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)
==7030==  Address 0x5879ac3 is 0 bytes after a block of size 3 alloc'd
==7030==    at 0x4C2845D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7030==    by 0x4E33E57: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)

So the bug is fixed.
Comment 5 errata-xmlrpc 2015-03-05 08:42:14 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0301.html
