Bug 1158992 - CVE-2014-9273 hivex: missing checks for small-sized files [rhel-7.1]
Summary: CVE-2014-9273 hivex: missing checks for small-sized files [rhel-7.1]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: hivex
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Richard W.M. Jones
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 1158993 CVE-2014-9273
Reported: 2014-10-30 16:08 UTC by Richard W.M. Jones
Modified: 2015-03-05 13:42 UTC (History)

Fixed In Version: hivex-1.3.10-5.4.el7
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 13:42:14 UTC
Target Upstream Version:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0301 0 normal SHIPPED_LIVE Moderate: hivex security, bug fix, and enhancement update 2015-03-05 17:34:28 UTC

Description Richard W.M. Jones 2014-10-30 16:08:07 UTC
Description of problem:

This issue was discovered and reported by Mahmoud Al-Qudsi, here:
https://www.redhat.com/archives/libguestfs/2014-October/thread.html#00235

If you present hivex with a too-small file, or certain truncated
or improperly formed files, then it will (at least) try to read
from beyond its allocated buffer.  It may even try to write, but
we didn't prove that.

Version-Release number of selected component (if applicable):

All versions of hivex < 1.3.11

How reproducible:

100%

Steps to Reproduce:

$ echo -n 'reg' > small
$ valgrind hivexsh -w small
[...]
==7030== Invalid read of size 1
==7030==    at 0x4E33EBC: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)
==7030==  Address 0x5879ac3 is 0 bytes after a block of size 3 alloc'd
==7030==    at 0x4C2845D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7030==    by 0x4E33E57: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)
[...]

This is by no means exhaustive.  With a properly malicious
file, it's probably possible to get it to read up to 4095 bytes
beyond the end of the allocated buffer.

Additional info:

I've added two patches upstream which add some additional
checks:

https://github.com/libguestfs/hivex/commit/357f26fa64fd1d9ccac2331fe174a8ee9c607adb
https://github.com/libguestfs/hivex/commit/4bbdf555f88baeae0fa804a369a81a83908bd705

These should probably be considered for RHEL 7.
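
The upstream patches referenced above add bounds checks before hivex_open dereferences header fields. As an added illustration, not hivex's own code or either commit, this C validator shows the shape of such checks: it assumes the standard hive layout (a 4096-byte base block beginning with "regf", the hbin-area length at offset 0x28, and 4096-byte-aligned "hbin" blocks carrying their own relative offset and size), the sample buffers are constructed inline, and hive_check, check_constructed_hive and check_truncated_file are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HIVE_PAGE 4096  /* base block size; hbins are also 4096-byte aligned (assumed layout) */

/* Little-endian 32-bit read; callers guarantee off + 4 <= buffer length. */
static uint32_t le32(const unsigned char *p, size_t off) {
    return p[off] | (uint32_t)p[off + 1] << 8 | (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}

/* Return 0 if buf/len has a plausible hive layout, -1 otherwise.  Every offset is
 * checked against len before it is read, so a 3-byte "reg" file is rejected, not over-read. */
int hive_check(const unsigned char *buf, size_t len) {
    if (len < HIVE_PAGE) return -1;               /* the whole base block must be present */
    if (memcmp(buf, "regf", 4) != 0) return -1;   /* base block magic */
    uint32_t bins_len = le32(buf, 0x28);          /* declared size of the hbin area */
    if (bins_len == 0 || bins_len % HIVE_PAGE != 0) return -1;
    if (bins_len > len - HIVE_PAGE) return -1;    /* hbin area must fit inside the file */
    size_t off = HIVE_PAGE, end = HIVE_PAGE + bins_len;
    while (off < end) {                           /* off is page-aligned and below len */
        if (memcmp(buf + off, "hbin", 4) != 0) return -1;
        uint32_t rel = le32(buf, off + 4);        /* offset from the first hbin */
        uint32_t size = le32(buf, off + 8);       /* size of this hbin */
        if (rel != off - HIVE_PAGE) return -1;
        if (size == 0 || size % HIVE_PAGE != 0 || size > end - off) return -1;
        off += size;
    }
    return 0;
}

/* Constructed sample: base block plus one empty hbin.  The caller supplies the
 * declared hbin-area length (offset 0x28) so consistent and bogus values can be tried. */
static unsigned char sample[2 * HIVE_PAGE];
int check_constructed_hive(uint32_t declared_bins_len) {
    memset(sample, 0, sizeof sample);
    memcpy(sample, "regf", 4);
    for (int i = 0; i < 4; i++) sample[0x28 + i] = (declared_bins_len >> (8 * i)) & 0xff;
    memcpy(sample + HIVE_PAGE, "hbin", 4);
    sample[HIVE_PAGE + 9] = 0x10;                 /* hbin size field = 0x1000 */
    return hive_check(sample, sizeof sample);
}

/* The reporter's 3-byte file, as produced by: echo -n 'reg' > small */
int check_truncated_file(void) {
    return hive_check((const unsigned char *)"reg", 3);
}
```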

Comment 1 Lingfei Kong 2014-11-10 03:02:08 UTC
Can reproduce with hivex-1.3.10-5.3.el7

Steps to reproduce:
$ echo -n 'reg' > small
$ valgrind hivexsh -w small
==8879== Memcheck, a memory error detector
==8879== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==8879== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==8879== Command: hivexsh -w small
==8879== 
==8879== Invalid read of size 1
==8879==    at 0x4E35EBC: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==8879==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==8879==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==8879==    by 0x52AEAF4: (below main) (in /usr/lib64/libc-2.17.so)
==8879==  Address 0x587bac3 is 0 bytes after a block of size 3 alloc'd
==8879==    at 0x4C28BBD: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==8879==    by 0x4E35E57: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==8879==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==8879==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==8879==    by 0x52AEAF4: (below main) (in /usr/lib64/libc-2.17.so)
==8879== 
hivexsh: failed to open hive file: small: Operation not supported

If you think this file is a valid Windows binary hive file (_not_
a regedit *.reg file) then please run this command again using the
hivexsh option '-d' and attach the complete output _and_ the hive file
which fails into a bug report at https://bugzilla.redhat.com/
[...]

hivexsh tries to read from beyond its allocated buffer.

Comment 3 Lingfei Kong 2014-11-18 03:10:52 UTC
Verified with hivex-1.3.10-5.4.el7

Steps to verify:
1. # echo -n 'reg' > small
2. # valgrind hivexsh -w small
==17521== Memcheck, a memory error detector
==17521== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==17521== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==17521== Command: hivexsh -w small
==17521== 
hivexsh: failed to open hive file: small: Invalid argument

If you think this file is a valid Windows binary hive file (_not_
a regedit *.reg file) then please run this command again using the
hivexsh option '-d' and attach the complete output _and_ the hive file
which fails into a bug report at https://bugzilla.redhat.com/

==17521== 
==17521== HEAP SUMMARY:
==17521==     in use at exit: 3 bytes in 1 blocks
==17521==   total heap usage: 99 allocs, 98 frees, 20,805 bytes allocated
==17521== 
==17521== LEAK SUMMARY:
==17521==    definitely lost: 0 bytes in 0 blocks
==17521==    indirectly lost: 0 bytes in 0 blocks
==17521==      possibly lost: 0 bytes in 0 blocks
==17521==    still reachable: 3 bytes in 1 blocks
==17521==         suppressed: 0 bytes in 0 blocks
==17521== Rerun with --leak-check=full to see details of leaked memory
==17521== 
==17521== For counts of detected and suppressed errors, rerun with: -v
==17521== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)


In the results, I cannot find the following lines:
==7030== Invalid read of size 1
==7030==    at 0x4E33EBC: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)
==7030==  Address 0x5879ac3 is 0 bytes after a block of size 3 alloc'd
==7030==    at 0x4C2845D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7030==    by 0x4E33E57: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)

So the bug is fixed.

Comment 5 errata-xmlrpc 2015-03-05 13:42:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0301.html