Created attachment 346851 [details]
Windows registry file 'system'

[I'm filing a bug here because upstream doesn't have a bug tracker. Once I've gathered all the necessary information, I will email the upstream author.]

On a 'system' registry downloaded from a Windows XP machine, the reged command fails:

gdb --args reged -x system HKEY_LOCAL_MACHINE\\SYSTEM \\ system.reg
[...]
*** buffer overflow detected ***: /home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3646ef7537]
/lib64/libc.so.6[0x3646ef5590]
/lib64/libc.so.6(__strncpy_chk+0x17b)[0x3646ef484b]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x40598e]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405bd2]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405bd2]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405bd2]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405bd2]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405bd2]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405dc0]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x40130a]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3646e1ea2d]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x401039]

Program received signal SIGABRT, Aborted.
0x0000003646e332f5 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.10.1-2.x86_64 libgcc-4.4.0-4.x86_64
(gdb) bt
#0  0x0000003646e332f5 in raise () from /lib64/libc.so.6
#1  0x0000003646e34b20 in abort () from /lib64/libc.so.6
#2  0x0000003646e7005d in __libc_message () from /lib64/libc.so.6
#3  0x0000003646ef7537 in __fortify_fail () from /lib64/libc.so.6
#4  0x0000003646ef5590 in __chk_fail () from /lib64/libc.so.6
#5  0x0000003646ef484b in __strncpy_chk () from /lib64/libc.so.6
#6  0x000000000040598e in strncpy (__len=<value optimized out>, __src=<value optimized out>, __dest=<value optimized out>) at /usr/include/bits/string3.h:122
#7  export_subkey (__len=<value optimized out>, __src=<value optimized out>, __dest=<value optimized out>) at ntreg.c:2629
#8  0x0000000000405bd2 in export_subkey (hdesc=0x60c010, nkofs=135452, name=<value optimized out>, prefix=<value optimized out>, file=0x60c080) at ntreg.c:2699
#9  0x0000000000405bd2 in export_subkey (hdesc=0x60c010, nkofs=132444, name=<value optimized out>, prefix=<value optimized out>, file=0x60c080) at ntreg.c:2699
#10 0x0000000000405bd2 in export_subkey (hdesc=0x60c010, nkofs=4940, name=<value optimized out>, prefix=<value optimized out>, file=0x60c080) at ntreg.c:2699
#11 0x0000000000405bd2 in export_subkey (hdesc=0x60c010, nkofs=4540, name=<value optimized out>, prefix=<value optimized out>, file=0x60c080) at ntreg.c:2699
#12 0x0000000000405bd2 in export_subkey (hdesc=0x60c010, nkofs=4132, name=<value optimized out>, prefix=<value optimized out>, file=0x60c080) at ntreg.c:2699
#13 0x0000000000405dc0 in export_key (hdesc=0x60c010, nkofs=0, name=0x7fffffffe733 "\\", filename=0x7fffffffe735 "system.reg", prefix=0x7fffffffe719 "HKEY_LOCAL_MACHINE\\SYSTEM") at ntreg.c:2733
#14 0x000000000040130a in main (argc=<value optimized out>, argv=<value optimized out>) at reged.c:132

Version: chntpw-080526 (chntpw-0.99.6-7.fc12).
Created attachment 346852 [details]
Patch to fix buffer overflow.

This patch fixes the first problem (the buffer overflow). Unfortunately that just exposes a second problem which I'm still looking into:

*** stack smashing detected ***: /home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3646ef7537]
/lib64/libc.so.6(__fortify_fail+0x0)[0x3646ef7500]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405c98]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405b32]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405b32]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405b32]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405d20]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x4012ba]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3646e1ea2d]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x400fe9]

Program received signal SIGABRT, Aborted.
0x0000003646e332f5 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.10.1-2.x86_64 libgcc-4.4.0-4.x86_64
(gdb) bt
#0  0x0000003646e332f5 in raise () from /lib64/libc.so.6
#1  0x0000003646e34b20 in abort () from /lib64/libc.so.6
#2  0x0000003646e7005d in __libc_message () from /lib64/libc.so.6
#3  0x0000003646ef7537 in __fortify_fail () from /lib64/libc.so.6
#4  0x0000003646ef7500 in __stack_chk_fail () from /lib64/libc.so.6
#5  0x0000000000405c98 in export_subkey (hdesc=0x60c010, nkofs=6340624, name=0x8 <Address 0x8 out of bounds>, prefix=<value optimized out>, file=0x60c080) at ntreg.c:2698
#6  0x0000000000405b32 in export_subkey (hdesc=0x60c010, nkofs=4940, name=<value optimized out>, prefix=<value optimized out>, file=0x60c080) at ntreg.c:2694
#7  0x0000000000405b32 in export_subkey (hdesc=0x60c010, nkofs=4540, name=<value optimized out>, prefix=<value optimized out>, file=0x60c080) at ntreg.c:2694
#8  0x0000000000405b32 in export_subkey (hdesc=0x60c010, nkofs=4132, name=<value optimized out>, prefix=<value optimized out>, file=0x60c080) at ntreg.c:2694
#9  0x0000000000405d20 in export_key (hdesc=0x60c010, nkofs=0, name=0x7fffffffe733 "\\", filename=0x7fffffffe735 "/tmp/pp/system.reg", prefix=0x7fffffffe719 "HKEY_LOCAL_MACHINE\\SYSTEM") at ntreg.c:2728
#10 0x00000000004012ba in main (argc=<value optimized out>, argv=<value optimized out>) at reged.c:132
(gdb) frame 5
#5  0x0000000000405c98 in export_subkey (hdesc=0x60c010, nkofs=6340624, name=0x8 <Address 0x8 out of bounds>, prefix=<value optimized out>, file=0x60c080) at ntreg.c:2698
2698	}
(gdb) print *key
$1 = {id = 27502, type = 32, timestamp = "\264N\240\347s\213\311\1\0\0\0", ofs_parent = 840, no_subkeys = 0, dummy1 = "\0\0\0", ofs_lf = -1, dummy2 = "\377\377\377\377", no_values = 7, ofs_vallist = 1736, ofs_sk = 536, ofs_classnam = -1, dummy3 = "\0\0\0\0\0\0\0\0\20\0\0\0\b\0\0", dummy4 = 0, len_name = 3, len_classnam = 0, keyname = "A"}
Created attachment 346870 [details]
Fix stack smash in get_abs_path

This second patch fixes a bug in get_abs_path which caused the stack to be smashed. The problem in the original code is this line:

strncpy(path+key->len_name+1,tmp,maxlen);

strncpy always copies maxlen bytes (maxlen is incorrect here) which corrupts the stack. I've replaced this with simplified code.

However it *still* fails further along. The new error is:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000405ba0 in fprintf (__fmt=<value optimized out>, __stream=<value optimized out>) at /usr/include/bits/stdio2.h:98
98	  return __fprintf_chk (__stream, __USE_FORTIFY_LEVEL - 1, __fmt,
Missing separate debuginfos, use: debuginfo-install glibc-2.10.1-2.x86_64
(gdb) bt
#0  0x0000000000405ba0 in fprintf (__fmt=<value optimized out>, __stream=<value optimized out>) at /usr/include/bits/stdio2.h:98
#1  export_subkey (__fmt=<value optimized out>, __stream=<value optimized out>) at ntreg.c:2681
#2  0x0000000000405b32 in export_subkey (hdesc=0x60c010, nkofs=4132, name=<value optimized out>, prefix=<value optimized out>, file=0x60c080) at ntreg.c:2695
#3  0x0000000000405d20 in export_key (hdesc=0x60c010, nkofs=0, name=0x7fffffffe733 "\\", filename=0x7fffffffe735 "/tmp/pp/system.reg", prefix=0x7fffffffe719 "HKEY_LOCAL_MACHINE\\SYSTEM") at ntreg.c:2729
#4  0x00000000004012ba in main (argc=<value optimized out>, argv=<value optimized out>) at reged.c:132
Created attachment 346873 [details]
Fix case where get_val_* functions return errors.

This final patch fixes another problem. Functions get_val_data and get_val_len can return NULL and -1 respectively to indicate some sort of error. The code didn't check for this and tried to dereference the resulting pointer and/or print an "infinite" length buffer. My fix checks for these conditions and stops it from printing the key/value. However I don't know and don't really care to find out whether these "missing" keys in Windows Registry entries have any other significance.
The above means I can now successfully print the Windows Registry HKEY_LOCAL_MACHINE\System tree from my test box. I will now send this bug report to the upstream author.
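The strncpy problem described in the get_abs_path comment above, shown as a bounded rewrite of the same prepend step. This is an added example, not chntpw's own code or the patch attached to this bug; the nk_key layout, the index-based parent links, the function's argument list and the small hive are assumptions constructed for illustration.

```c
/* Added example, not chntpw's code: a bounded rewrite of the prepend step
 * that get_abs_path performs. The nk_key layout, the index-based parent
 * links and the hive below are assumptions constructed for illustration. */
#include <string.h>

#define ABSPATHLEN 2048          /* assumed scratch size */

struct nk_key {                  /* stand-in for the hive's nk record */
    int ofs_parent;              /* index of the parent key, -1 at the root */
    int len_name;                /* name length, no terminator */
    const char *keyname;
};

/* Constructed hive: entry 0 is the root, each entry points at its parent. */
static const struct nk_key hive[] = {
    { -1,  6, "SYSTEM"        },
    {  0, 13, "ControlSet001" },
    {  1,  8, "Services"      },
};

/* Walks from key idx up to the root, prepending "\name" to path at each
 * step, the way the original builds the absolute key path. path holds
 * maxlen bytes including the NUL. The reported line
 *     strncpy(path+key->len_name+1, tmp, maxlen);
 * always wrote maxlen bytes starting len_name+1 bytes into path, so it ran
 * past the end of the buffer once the path was nearly full. Here every
 * copy is bounded by the space actually left and -1 means "did not fit". */
int get_abs_path(const struct nk_key *keys, int idx, char *path, int maxlen)
{
    char tmp[ABSPATHLEN];
    int have, need;

    if (maxlen <= 0 || maxlen > ABSPATHLEN) return -1;
    path[0] = '\0';
    for (; idx >= 0; idx = keys[idx].ofs_parent) {
        const struct nk_key *key = &keys[idx];
        have = (int)strlen(path);                 /* suffix built so far */
        need = key->len_name + 1;                 /* '\' plus this name */
        if (have + need >= maxlen) return -1;     /* would overflow: stop */
        memcpy(tmp, path, have + 1);              /* save suffix incl. NUL */
        path[0] = '\\';
        memcpy(path + 1, key->keyname, key->len_name);
        memcpy(path + need, tmp, have + 1);       /* exactly have+1 bytes */
    }
    return (int)strlen(path);
}
```

With a 64-byte buffer the walk from key 2 yields "\SYSTEM\ControlSet001\Services"; with a 16-byte buffer it stops with -1 after "\Services" instead of writing past the end.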
Created attachment 346883 [details]
Proposed patch to chntpw.spec

Proposed patch to chntpw.spec to include the patches. Do you mind if I commit this? The patches have been sent upstream.
No, I don't mind at all -- thank you very much for the work you've put into this!
I think on reflection I'm going to leave it a day while I do further testing on my Windows VMs and see if I get any response from upstream.
Works for me.
chntpw-0.99.6-8.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/chntpw-0.99.6-8.fc11
chntpw-0.99.6-5.fc10.1 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/chntpw-0.99.6-5.fc10.1
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
chntpw-0.99.6-8.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update chntpw'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-6179
chntpw-0.99.6-5.fc10.1 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update chntpw'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-6467
chntpw-0.99.6-8.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
chntpw-0.99.6-5.fc10.1 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.