Bug 1158993 - CVE-2014-9273 hivex: missing checks for small/truncated files [rhel-6.7]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: hivex (Show other bugs)
Version: 6.7
Hardware: Unspecified  OS: Unspecified
Priority: unspecified  Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Richard W.M. Jones
QA Contact: Virtualization Bugs
Keywords: Security, SecurityTracking
Depends On: 1158992
Blocks: CVE-2014-9273
Reported: 2014-10-30 12:11 EDT by Richard W.M. Jones
Modified: 2015-07-22 03:17 EDT (History)
CC List: 4 users

See Also:
Fixed In Version: hivex-1.3.3-4.3.el6
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: 1158992
Environment:
Last Closed: 2015-07-22 03:17:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1378 normal SHIPPED_LIVE Moderate: hivex security and bug fix update 2015-07-20 13:58:31 EDT
Description Richard W.M. Jones 2014-10-30 12:11:09 EDT
+++ This bug was initially created as a clone of Bug #1158992 +++

Description of problem:

This issue was discovered and reported by Mahmoud Al-Qudsi, here:
https://www.redhat.com/archives/libguestfs/2014-October/thread.html#00235

If you present hivex with a too-small file, or certain truncated
or improperly formed files, then it will (at least) try to read
from beyond its allocated buffer.  It may even try to write, but
we didn't prove that.

Version-Release number of selected component (if applicable):

All versions of hivex < 1.3.11

How reproducible:

100%

Steps to Reproduce:

$ echo -n 'reg' > small
$ valgrind hivexsh -w small
[...]
==7030== Invalid read of size 1
==7030==    at 0x4E33EBC: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)
==7030==  Address 0x5879ac3 is 0 bytes after a block of size 3 alloc'd
==7030==    at 0x4C2845D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7030==    by 0x4E33E57: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)
[...]

This is by no means exhaustive.  With a properly malicious
file, it's probably possible to get it to read up to 4095 bytes
beyond the end of the allocated buffer.

Additional info:

I've added two patches upstream which add some additional
checks:

https://github.com/libguestfs/hivex/commit/357f26fa64fd1d9ccac2331fe174a8ee9c607adb
https://github.com/libguestfs/hivex/commit/4bbdf555f88baeae0fa804a369a81a83908bd705

These should probably be considered for RHEL 7.
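The report's point is that hivex_open read header fields from a 3-byte buffer before checking that the buffer was large enough to hold a header. As an added example (not hivex's code and not the two upstream patches), the function below shows the shape of that defence: the file size is checked before any byte is read, the magic is checked next, and the root cell offset taken from the header is bounds-checked against the buffer before it could ever be dereferenced. The 0x2000 minimum size and the 0x24 root-offset field are assumptions taken from the regf on-disk layout; the sample images are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HIVE_PAGE_SIZE 4096u                  /* hives are laid out in 4 KiB pages */
#define HIVE_MIN_SIZE  (2u * HIVE_PAGE_SIZE)  /* assumption: header page + one data page */
#define HIVE_ROOT_FIELD 0x24u                 /* assumption: root cell offset field in the regf header */

enum hive_status { HIVE_OK = 0, HIVE_TOO_SMALL, HIVE_BAD_MAGIC, HIVE_BAD_ROOT };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate a hive image.  The length check comes first because every later
 * access is either at a fixed offset inside the header page or derived from
 * a field read out of it. */
enum hive_status hive_check(const uint8_t *buf, size_t len)
{
    if (len < HIVE_MIN_SIZE)
        return HIVE_TOO_SMALL;               /* rejects the 3-byte "reg" input */
    if (memcmp(buf, "regf", 4) != 0)
        return HIVE_BAD_MAGIC;
    /* Root offset is relative to the first data page (0x1000) and must
     * leave room for at least a 4-byte cell size word inside the buffer. */
    uint32_t root = le32(buf + HIVE_ROOT_FIELD);
    if (root > len - HIVE_PAGE_SIZE - 4)
        return HIVE_BAD_ROOT;
    return HIVE_OK;
}

/* Constructed sample: zero-filled image with the magic and a root offset set. */
static void make_sample_hive(uint8_t *buf, size_t len, uint32_t root)
{
    memset(buf, 0, len);
    memcpy(buf, "regf", 4);
    for (int i = 0; i < 4; i++)
        buf[HIVE_ROOT_FIELD + i] = (uint8_t)(root >> (8 * i));
}

enum hive_status check_report_input(void)
{
    static const uint8_t tiny[] = { 'r', 'e', 'g' };   /* echo -n 'reg' > small */
    return hive_check(tiny, sizeof tiny);
}

enum hive_status check_sample(uint32_t root)
{
    static uint8_t img[HIVE_MIN_SIZE];
    make_sample_hive(img, sizeof img, root);
    return hive_check(img, sizeof img);
}
```

A caller such as hivexsh would report HIVE_TOO_SMALL with the "file is too small" message seen in the verification comment instead of touching the header.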
Comment 3 Hu Zhang 2015-05-05 01:45:18 EDT
Verified with hivex-1.3.3-4.3.el6

Steps to verify:
1. # echo -n 'reg' > small
2. # valgrind hivexsh -w small
==16890== Memcheck, a memory error detector
==16890== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==16890== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==16890== Command: hivexsh -w small
==16890== 
small: file is too small to be a Windows NT Registry hive filehivexsh: failed to open hive file: small: Invalid argument

If you think this file is a valid Windows binary hive file (_not_
a regedit *.reg file) then please run this command again using the
hivexsh option '-d' and attach the complete output _and_ the hive file
which fails into a bug report at https://bugzilla.redhat.com/

==16890== 
==16890== HEAP SUMMARY:
==16890==     in use at exit: 3 bytes in 1 blocks
==16890==   total heap usage: 99 allocs, 98 frees, 20,805 bytes allocated
==16890== 
==16890== LEAK SUMMARY:
==16890==    definitely lost: 0 bytes in 0 blocks
==16890==    indirectly lost: 0 bytes in 0 blocks
==16890==      possibly lost: 0 bytes in 0 blocks
==16890==    still reachable: 3 bytes in 1 blocks
==16890==         suppressed: 0 bytes in 0 blocks
==16890== Rerun with --leak-check=full to see details of leaked memory
==16890== 
==16890== For counts of detected and suppressed errors, rerun with: -v
==16890== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)


The results do not contain lines such as these:
==7030== Invalid read of size 1
==7030==    at 0x4E33EBC: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)
==7030==  Address 0x5879ac3 is 0 bytes after a block of size 3 alloc'd
==7030==    at 0x4C2845D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7030==    by 0x4E33E57: hivex_open (in /usr/lib64/libhivex.so.0.0.0)
==7030==    by 0x4033B8: ??? (in /usr/bin/hivexsh)
==7030==    by 0x401B54: ??? (in /usr/bin/hivexsh)
==7030==    by 0x52ACAF4: (below main) (in /usr/lib64/libc-2.17.so)

So the bug is fixed.
Comment 4 errata-xmlrpc 2015-07-22 03:17:14 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1378.html