A flaw was found in libhivex. A stack overflow occurs as the children of each listed node grow. This causes the _get_children function to continue calling itself until it eventually overflows the stack and causes the program to crash.
Created attachment 1799722
Reproducer hive is attached. (Note it's a password encrypted
ZIP file, the password is "hivex".)
I can only reproduce this bug using ASAN. Here's how:
(1) Clone hivex from git (https://github.com/libguestfs/hivex)
(2) Compile with:
CFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g -O2 -fPIC"
(3) Run the following command to start the hivex shell:
./sh/hivexsh -u id\:000008\,sig\:11\,src\:000325+000218\,time\:386722627\,op\:splice\,rep\:16
(4) Type "ls" at the shell prompt.
==1365280==ERROR: AddressSanitizer: stack-overflow on address 0x7fffd82f1ff8 (pc 0x7f4ae2736c18 bp 0x7fffd82f2010 sp 0x7fffd82f2000 T0)
#0 0x7f4ae2736c18 in _hivex_add_to_offset_list /home/rjones/d/hivex/lib/offset-list.c:69
#1 0x7f4ae273132a in _get_children /home/rjones/d/hivex/lib/node.c:389
#2 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
#3 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
#4 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
#247 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
#248 0x7f4ae2731726 in _get_children /home/rjones/d/hivex/lib/node.c:489
SUMMARY: AddressSanitizer: stack-overflow /home/rjones/d/hivex/lib/offset-list.c:69 in _hivex_add_to_offset_list
So even without ASAN, the code recursively calls _get_children
and it would cause a stack overflow. Probably ASAN makes the
stack frames a bit larger causing the error to happen with a
smaller hive.
It appears to be a security issue similar in severity to the last
one that was reported (bug 1949687).
Created attachment 1799738
With this patch you will see an error like this instead of a crash:
hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32
ls: Invalid argument
FWIW I ran an instrumented version of hivex over a small collection
of real registry hives that I keep, and none of them had depth > 1.
So in my opinion this patch is unlikely to affect any real hives
that we would encounter.
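As an added illustration of the depth-limit fix described in the comment above (a constructed toy model in C, not hivex's own code or patch): a recursive subkey-list walk that refuses to descend into ri-records nested 32 or more deep and returns EINVAL, so a crafted hive with cyclic or very deeply nested ri-records yields an error instead of exhausting the stack. The list_t layout, the lists[] table and the toy_* functions are invented for this demo.

```c
#include <errno.h>
#include <stddef.h>
/* Toy model of a hive's subkey lists (constructed; not hivex's own structures).
 * A leaf list holds node ids; an ri-record points at further lists, which a
 * crafted hive can nest indefinitely or make cyclic. */
#define MAX_RI_DEPTH 32

typedef struct { int is_ri; size_t n; const size_t *entries; } list_t;
static list_t lists[4];  /* is_ri: entries index lists[]; else entries are node ids */
/* Collect node ids under list idx into out. Mirrors the shape of the fix in
 * the report: recursing into an ri-record fails with EINVAL once nesting
 * reaches MAX_RI_DEPTH, instead of recursing until the stack overflows. */
static int get_children (size_t idx, int depth, size_t *out, size_t *nout)
{
    if (depth >= MAX_RI_DEPTH) { errno = EINVAL; return -1; }
    const list_t *l = &lists[idx];
    if (!l->is_ri) {
        for (size_t i = 0; i < l->n; i++) out[(*nout)++] = l->entries[i];
        return 0;
    }
    for (size_t i = 0; i < l->n; i++)
        if (get_children (l->entries[i], depth + 1, out, nout) == -1) return -1;
    return 0;
}

static void build_toy_hive (void)
{
    static const size_t ri0[] = { 1 }, lf1[] = { 10, 11 }, ri2[] = { 3 }, ri3[] = { 2 };
    lists[0] = (list_t){ 1, 1, ri0 };   /* ri -> leaf: depth 1, like real hives */
    lists[1] = (list_t){ 0, 2, lf1 };
    lists[2] = (list_t){ 1, 1, ri2 };   /* ri -> ri -> ri ...: crafted cycle */
    lists[3] = (list_t){ 1, 1, ri3 };
}
/* Children under the benign root: returns the count, or -1 on error. */
int toy_benign_children (void)
{
    size_t out[8], n = 0;
    build_toy_hive ();
    return get_children (0, 0, out, &n) == -1 ? -1 : (int) n;
}

/* Walk the cyclic root: returns the errno set by the depth check (EINVAL), 0 on success. */
int toy_cyclic_errno (void)
{
    size_t out[8], n = 0;
    build_toy_hive ();
    errno = 0;
    return get_children (2, 0, out, &n) == -1 ? errno : 0;
}
```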
In reply to comment #7:
> So even without ASAN, the code recursively calls _get_children
> and it would cause a stack overflow. Probably ASAN makes the
> stack frames a bit larger causing the error to happen with a
> smaller hive.
> It appears to be a security issue similar in severity to the last
> one that was reported (bug 1949687).
Thanks for your comments and testing, Richard. I'd keep this flaw low severity, as it doesn't seem to have any direct impact on confidentiality/integrity, and only partial unavailability for the same reasons as the last one (i.e., the user can always retry the operation && a crash in hivex would not result in a crash in libguestfs).
Since the embargo date has passed, this bug has now been made public:
Created hivex tracking bugs for this issue:
Affects: fedora-all [bug 1989190]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2021:3338 https://access.redhat.com/errata/RHSA-2021:3338
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):