Bug 504580 - reged "buffer overflow detected" on system registry
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: chntpw
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Conrad Meyer
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-06-08 06:57 EDT by Richard W.M. Jones
Modified: 2009-07-03 15:53 EDT
Fixed In Version: 0.99.6-5.fc10.1
Doc Type: Bug Fix
Last Closed: 2009-07-03 15:35:25 EDT

Attachments
Windows registry file 'system' (3.00 MB, application/octet-stream), 2009-06-08 06:57 EDT, Richard W.M. Jones
Patch to fix buffer overflow. (740 bytes, patch), 2009-06-08 07:12 EDT, Richard W.M. Jones
Fix stack smash in get_abs_path (848 bytes, patch), 2009-06-08 09:41 EDT, Richard W.M. Jones
Fix case where get_val_* functions return errors. (1.33 KB, patch), 2009-06-08 09:53 EDT, Richard W.M. Jones
Proposed patch to chntpw.spec (1.39 KB, patch), 2009-06-08 10:07 EDT, Richard W.M. Jones

Description Richard W.M. Jones 2009-06-08 06:57:05 EDT
Created attachment 346851: Windows registry file 'system'

[I'm filing a bug here because upstream doesn't have a bug
tracker.  Once I've gathered all the necessary information,
I will email the upstream author.]

On a 'system' registry downloaded from a Windows XP machine,
the reged command fails:

gdb --args reged -x system HKEY_LOCAL_MACHINE\\SYSTEM \\ system.reg
[...]
*** buffer overflow detected ***: /home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3646ef7537]
/lib64/libc.so.6[0x3646ef5590]
/lib64/libc.so.6(__strncpy_chk+0x17b)[0x3646ef484b]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x40598e]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405bd2]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405bd2]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405bd2]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405bd2]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405bd2]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405dc0]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x40130a]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3646e1ea2d]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x401039]
======= Memory map: ========
00400000-0040c000 r-xp 00000000 fd:00 873802                             /home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged
0060b000-0060c000 rw-p 0000b000 fd:00 873802                             /home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged
0060c000-0062d000 rw-p 0060c000 00:00 0                                  [heap]
3646a00000-3646a1f000 r-xp 00000000 fd:00 806406                         /lib64/ld-2.10.1.so
3646c1e000-3646c1f000 r--p 0001e000 fd:00 806406                         /lib64/ld-2.10.1.so
3646c1f000-3646c20000 rw-p 0001f000 fd:00 806406                         /lib64/ld-2.10.1.so
3646e00000-3646f64000 r-xp 00000000 fd:00 806527                         /lib64/libc-2.10.1.so
3646f64000-3647164000 ---p 00164000 fd:00 806527                         /lib64/libc-2.10.1.so
3647164000-3647168000 r--p 00164000 fd:00 806527                         /lib64/libc-2.10.1.so
3647168000-3647169000 rw-p 00168000 fd:00 806527                         /lib64/libc-2.10.1.so
3647169000-364716e000 rw-p 3647169000 00:00 0 
3651400000-3651419000 r-xp 00000000 fd:00 809466                         /lib64/libgcc_s-4.4.0-20090506.so.1
3651419000-3651619000 ---p 00019000 fd:00 809466                         /lib64/libgcc_s-4.4.0-20090506.so.1
3651619000-365161a000 rw-p 00019000 fd:00 809466                         /lib64/libgcc_s-4.4.0-20090506.so.1
7ffff7cdb000-7ffff7fde000 rw-p 7ffff7cdb000 00:00 0 
7ffff7ffa000-7ffff7ffe000 rw-p 7ffff7ffa000 00:00 0 
7ffff7ffe000-7ffff7fff000 r-xp 7ffff7ffe000 00:00 0                      [vdso]
7ffffffea000-7ffffffff000 rw-p 7ffffffea000 00:00 0                      [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x0000003646e332f5 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.10.1-2.x86_64 libgcc-4.4.0-4.x86_64
(gdb) bt
#0  0x0000003646e332f5 in raise () from /lib64/libc.so.6
#1  0x0000003646e34b20 in abort () from /lib64/libc.so.6
#2  0x0000003646e7005d in __libc_message () from /lib64/libc.so.6
#3  0x0000003646ef7537 in __fortify_fail () from /lib64/libc.so.6
#4  0x0000003646ef5590 in __chk_fail () from /lib64/libc.so.6
#5  0x0000003646ef484b in __strncpy_chk () from /lib64/libc.so.6
#6  0x000000000040598e in strncpy (__len=<value optimized out>, 
    __src=<value optimized out>, __dest=<value optimized out>)
    at /usr/include/bits/string3.h:122
#7  export_subkey (__len=<value optimized out>, __src=<value optimized out>, 
    __dest=<value optimized out>) at ntreg.c:2629
#8  0x0000000000405bd2 in export_subkey (hdesc=0x60c010, nkofs=135452, 
    name=<value optimized out>, prefix=<value optimized out>, file=0x60c080)
    at ntreg.c:2699
#9  0x0000000000405bd2 in export_subkey (hdesc=0x60c010, nkofs=132444, 
    name=<value optimized out>, prefix=<value optimized out>, file=0x60c080)
    at ntreg.c:2699
#10 0x0000000000405bd2 in export_subkey (hdesc=0x60c010, nkofs=4940, 
    name=<value optimized out>, prefix=<value optimized out>, file=0x60c080)
    at ntreg.c:2699
#11 0x0000000000405bd2 in export_subkey (hdesc=0x60c010, nkofs=4540, 
    name=<value optimized out>, prefix=<value optimized out>, file=0x60c080)
    at ntreg.c:2699
#12 0x0000000000405bd2 in export_subkey (hdesc=0x60c010, nkofs=4132, 
    name=<value optimized out>, prefix=<value optimized out>, file=0x60c080)
    at ntreg.c:2699
#13 0x0000000000405dc0 in export_key (hdesc=0x60c010, nkofs=0, 
    name=0x7fffffffe733 "\\", filename=0x7fffffffe735 "system.reg", 
    prefix=0x7fffffffe719 "HKEY_LOCAL_MACHINE\\SYSTEM") at ntreg.c:2733
#14 0x000000000040130a in main (argc=<value optimized out>, 
    argv=<value optimized out>) at reged.c:132

Version:
chntpw-080526 (chntpw-0.99.6-7.fc12).
Comment 1 Richard W.M. Jones 2009-06-08 07:12:28 EDT
Created attachment 346852: Patch to fix buffer overflow.

This patch fixes the first problem (the buffer overflow).

Unfortunately that just exposes a second problem which I'm
still looking into:

*** stack smashing detected ***: /home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3646ef7537]
/lib64/libc.so.6(__fortify_fail+0x0)[0x3646ef7500]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405c98]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405b32]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405b32]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405b32]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x405d20]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x4012ba]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3646e1ea2d]
/home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged[0x400fe9]
======= Memory map: ========
00400000-0040c000 r-xp 00000000 fd:00 873976                             /home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged
0060b000-0060c000 rw-p 0000b000 fd:00 873976                             /home/rjones/d/fedora/chntpw/devel/chntpw-080526/reged
0060c000-0062d000 rw-p 0060c000 00:00 0                                  [heap]
3646a00000-3646a1f000 r-xp 00000000 fd:00 806406                         /lib64/ld-2.10.1.so
3646c1e000-3646c1f000 r--p 0001e000 fd:00 806406                         /lib64/ld-2.10.1.so
3646c1f000-3646c20000 rw-p 0001f000 fd:00 806406                         /lib64/ld-2.10.1.so
3646e00000-3646f64000 r-xp 00000000 fd:00 806527                         /lib64/libc-2.10.1.so
3646f64000-3647164000 ---p 00164000 fd:00 806527                         /lib64/libc-2.10.1.so
3647164000-3647168000 r--p 00164000 fd:00 806527                         /lib64/libc-2.10.1.so
3647168000-3647169000 rw-p 00168000 fd:00 806527                         /lib64/libc-2.10.1.so
3647169000-364716e000 rw-p 3647169000 00:00 0 
3651400000-3651419000 r-xp 00000000 fd:00 809466                         /lib64/libgcc_s-4.4.0-20090506.so.1
3651419000-3651619000 ---p 00019000 fd:00 809466                         /lib64/libgcc_s-4.4.0-20090506.so.1
3651619000-365161a000 rw-p 00019000 fd:00 809466                         /lib64/libgcc_s-4.4.0-20090506.so.1
7ffff7cdb000-7ffff7fde000 rw-p 7ffff7cdb000 00:00 0 
7ffff7ffa000-7ffff7ffe000 rw-p 7ffff7ffa000 00:00 0 
7ffff7ffe000-7ffff7fff000 r-xp 7ffff7ffe000 00:00 0                      [vdso]
7ffffffea000-7ffffffff000 rw-p 7ffffffea000 00:00 0                      [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x0000003646e332f5 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.10.1-2.x86_64 libgcc-4.4.0-4.x86_64
(gdb) bt
#0  0x0000003646e332f5 in raise () from /lib64/libc.so.6
#1  0x0000003646e34b20 in abort () from /lib64/libc.so.6
#2  0x0000003646e7005d in __libc_message () from /lib64/libc.so.6
#3  0x0000003646ef7537 in __fortify_fail () from /lib64/libc.so.6
#4  0x0000003646ef7500 in __stack_chk_fail () from /lib64/libc.so.6
#5  0x0000000000405c98 in export_subkey (hdesc=0x60c010, nkofs=6340624, 
    name=0x8 <Address 0x8 out of bounds>, prefix=<value optimized out>, 
    file=0x60c080) at ntreg.c:2698
#6  0x0000000000405b32 in export_subkey (hdesc=0x60c010, nkofs=4940, 
    name=<value optimized out>, prefix=<value optimized out>, file=0x60c080)
    at ntreg.c:2694
#7  0x0000000000405b32 in export_subkey (hdesc=0x60c010, nkofs=4540, 
    name=<value optimized out>, prefix=<value optimized out>, file=0x60c080)
    at ntreg.c:2694
#8  0x0000000000405b32 in export_subkey (hdesc=0x60c010, nkofs=4132, 
    name=<value optimized out>, prefix=<value optimized out>, file=0x60c080)
    at ntreg.c:2694
#9  0x0000000000405d20 in export_key (hdesc=0x60c010, nkofs=0, 
    name=0x7fffffffe733 "\\", filename=0x7fffffffe735 "/tmp/pp/system.reg", 
    prefix=0x7fffffffe719 "HKEY_LOCAL_MACHINE\\SYSTEM") at ntreg.c:2728
#10 0x00000000004012ba in main (argc=<value optimized out>, 
    argv=<value optimized out>) at reged.c:132
(gdb) frame 5
#5  0x0000000000405c98 in export_subkey (hdesc=0x60c010, nkofs=6340624, 
    name=0x8 <Address 0x8 out of bounds>, prefix=<value optimized out>, 
    file=0x60c080) at ntreg.c:2698
2698	}
(gdb) print *key
$1 = {id = 27502, type = 32, timestamp = "\264N\240\347s\213\311\1\0\0\0", 
  ofs_parent = 840, no_subkeys = 0, dummy1 = "\0\0\0", ofs_lf = -1, 
  dummy2 = "\377\377\377\377", no_values = 7, ofs_vallist = 1736, 
  ofs_sk = 536, ofs_classnam = -1, dummy3 = "\0\0\0\0\0\0\0\0\20\0\0\0\b\0\0", 
  dummy4 = 0, len_name = 3, len_classnam = 0, keyname = "A"}
Comment 2 Richard W.M. Jones 2009-06-08 09:41:00 EDT
Created attachment 346870: Fix stack smash in get_abs_path

This second patch fixes a bug in get_abs_path which caused
the stack to be smashed.  The problem in the original code is
this line:

strncpy(path+key->len_name+1,tmp,maxlen);

strncpy always copies maxlen bytes (maxlen is incorrect here)
which corrupts the stack.

I've replaced this with simplified code.

However it *still* fails further along.  The new error is:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000405ba0 in fprintf (__fmt=<value optimized out>, 
    __stream=<value optimized out>) at /usr/include/bits/stdio2.h:98
98	  return __fprintf_chk (__stream, __USE_FORTIFY_LEVEL - 1, __fmt,
Missing separate debuginfos, use: debuginfo-install glibc-2.10.1-2.x86_64
(gdb) bt
#0  0x0000000000405ba0 in fprintf (__fmt=<value optimized out>, 
    __stream=<value optimized out>) at /usr/include/bits/stdio2.h:98
#1  export_subkey (__fmt=<value optimized out>, __stream=<value optimized out>)
    at ntreg.c:2681
#2  0x0000000000405b32 in export_subkey (hdesc=0x60c010, nkofs=4132, 
    name=<value optimized out>, prefix=<value optimized out>, file=0x60c080)
    at ntreg.c:2695
#3  0x0000000000405d20 in export_key (hdesc=0x60c010, nkofs=0, 
    name=0x7fffffffe733 "\\", filename=0x7fffffffe735 "/tmp/pp/system.reg", 
    prefix=0x7fffffffe719 "HKEY_LOCAL_MACHINE\\SYSTEM") at ntreg.c:2729
#4  0x00000000004012ba in main (argc=<value optimized out>, 
    argv=<value optimized out>) at reged.c:132
Comment 3 Richard W.M. Jones 2009-06-08 09:53:48 EDT
Created attachment 346873: Fix case where get_val_* functions return errors.

This final patch fixes another problem.  Functions
get_val_data and get_val_len can return NULL and -1
respectively to indicate some sort of error.  The
code didn't check for this and tried to dereference
the resulting pointer and/or print an "infinite" length
buffer.

My fix checks for these conditions and stops it from
printing the key/value.  However I don't know and don't
really care to find out whether these "missing" keys
in Windows Registry entries have any other
significance.
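An added example, not chntpw's code nor the reporter's patches, that models the two defects described in Comments 2 and 3 in one stand-alone C file. The first half reproduces the get_abs_path line quoted in Comment 2 (strncpy writing maxlen bytes from an offset inside a maxlen-sized buffer) beside a bounded replacement, and measures the overrun against a guard region placed after the path buffer in the same heap allocation. The second half models get_val_len()/get_val_data() returning -1/NULL over a constructed value table and shows an exporter that skips such entries instead of dereferencing NULL or treating -1 as a length. MAXPATH, GUARD, struct key, struct value, prepend_buggy, prepend_fixed, guard_bytes_clobbered, export_values, export_is_expected and all sample data are assumptions made for the demonstration; the real ntreg.c structures and function bodies differ.

```c
/* Added example, not chntpw's code: models the two defects described in
 * Comments 2 and 3; every name, size and sample value here is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPATH 32   /* assumption: tiny path buffer so the overrun is visible */
#define GUARD   64   /* bytes placed after the buffer, pre-filled with 0xAA */

/* Stand-in for the key-header fields get_abs_path reads. */
struct key { int len_name; const char *keyname; };

/* Mirrors the line quoted in Comment 2: strncpy always writes maxlen bytes
 * (NUL-padding), so from offset len_name+1 it overruns by len_name+1 bytes. */
static void prepend_buggy(char *path, int maxlen, const struct key *k, const char *tmp)
{
    path[0] = '\\';
    memcpy(path + 1, k->keyname, (size_t)k->len_name);
    strncpy(path + k->len_name + 1, tmp, (size_t)maxlen);
}

/* Corrected form: bound the copy by the room actually left, always terminate,
 * and refuse (-1) instead of writing when the name itself cannot fit. */
static int prepend_fixed(char *path, int maxlen, const struct key *k, const char *tmp)
{
    size_t need = 1 + (size_t)k->len_name;             /* '\\' plus the name */
    if (k->len_name < 0 || maxlen <= 0 || need >= (size_t)maxlen)
        return -1;
    path[0] = '\\';
    memcpy(path + 1, k->keyname, (size_t)k->len_name);
    snprintf(path + need, (size_t)maxlen - need, "%s", tmp); /* truncates, never overruns */
    return 0;
}

/* Lays out one heap block as [MAXPATH path][GUARD guard], runs one prepend step
 * on a constructed key and path, and returns how many guard bytes changed
 * (-2 if the path text came out wrong). The guard lives in the same allocation
 * so the buggy write is observable without undefined behaviour. */
static int guard_bytes_clobbered(int use_fixed)
{
    const struct key k = { 6, "System" };       /* constructed: len_name = 6 */
    const char so_far[] = "\\Select";            /* constructed: path built so far */
    unsigned char *block = malloc(MAXPATH + GUARD);
    if (block == NULL) return -1;
    memset(block, 0xAA, MAXPATH + GUARD);
    char *path = (char *)block;
    memcpy(path, so_far, sizeof so_far);
    char tmp[MAXPATH];                           /* get_abs_path saves path in tmp first */
    snprintf(tmp, sizeof tmp, "%s", path);
    if (use_fixed) prepend_fixed(path, MAXPATH, &k, tmp);
    else           prepend_buggy(path, MAXPATH, &k, tmp);
    int clobbered = 0;
    for (int i = 0; i < GUARD; i++)
        if (block[MAXPATH + i] != 0xAA) clobbered++;
    if (strcmp(path, "\\System\\Select") != 0) clobbered = -2;
    free(block);
    return clobbered;
}

/* Comment 3: get_val_len()/get_val_data() report errors as -1 / NULL. Stand-ins
 * over a constructed value table whose middle entry cannot be resolved. */
struct value { const char *name; const unsigned char *data; int len; };
static const unsigned char one[4] = { 1, 0, 0, 0 };
static const struct value vals[] = {
    { "Current", one, 4 }, { "Broken", NULL, -1 }, { "Default", one, 4 } };
#define NVALS (sizeof vals / sizeof vals[0])
static int get_val_len(size_t i) { return vals[i].len; }
static const unsigned char *get_val_data(size_t i) { return vals[i].data; }

/* Writes "name"=hex:.. lines into out and returns how many values it wrote.
 * Unresolvable entries are skipped; without that check the NULL is
 * dereferenced and -1 turns into SIZE_MAX as soon as it is used as a size_t. */
static int export_values(char *out, size_t outlen)
{
    size_t used = 0;
    int written = 0;
    for (size_t i = 0; i < NVALS; i++) {
        int len = get_val_len(i);
        const unsigned char *d = get_val_data(i);
        if (len < 0 || d == NULL) continue;           /* the check the patch adds */
        int n = snprintf(out + used, outlen - used, "\"%s\"=hex:", vals[i].name);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
        for (int j = 0; j < len; j++) {
            n = snprintf(out + used, outlen - used, "%02x%s", d[j], j + 1 < len ? "," : "\n");
            if (n < 0 || (size_t)n >= outlen - used) return -1;
            used += (size_t)n;
        }
        written++;
    }
    return written;
}

/* 1 if the exporter emitted exactly the two resolvable values. */
static int export_is_expected(void)
{
    char buf[128];
    return export_values(buf, sizeof buf) == 2 &&
           strcmp(buf, "\"Current\"=hex:01,00,00,00\n\"Default\"=hex:01,00,00,00\n") == 0;
}
```

With the constructed key (len_name 6) the buggy step reports 7 guard bytes overwritten, exactly len_name+1 as the comment predicts, while the bounded version reports none and produces the same path text; in the real program the bytes beyond the buffer were the stack canary and return address, which is why glibc reported "stack smashing detected". The exporter's check is deliberately placed before any use of the returned length or pointer, because an int of -1 silently becomes SIZE_MAX the moment it is passed to a size_t parameter such as a write or printf length.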
Comment 4 Richard W.M. Jones 2009-06-08 09:55:00 EDT
The above means I can now successfully print the
Windows Registry HKEY_LOCAL_MACHINE\System tree
from my test box.  I will now send this bug report
to the upstream author.
Comment 5 Richard W.M. Jones 2009-06-08 10:07:42 EDT
Created attachment 346883: Proposed patch to chntpw.spec

Proposed patch to chntpw.spec to include the patches.

Do you mind if I commit this?  The patches have been
sent upstream.
Comment 6 Conrad Meyer 2009-06-08 10:41:52 EDT
No, I don't mind at all -- thank you very much for the work you've put into this!
Comment 7 Richard W.M. Jones 2009-06-08 10:59:20 EDT
I think on reflection I'm going to leave it a day while
I do further testing on my Windows VMs and see if I get
any response from upstream.
Comment 8 Conrad Meyer 2009-06-08 11:03:46 EDT
Works for me.
Comment 9 Fedora Update System 2009-06-09 07:38:24 EDT
chntpw-0.99.6-8.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/chntpw-0.99.6-8.fc11
Comment 10 Fedora Update System 2009-06-09 07:38:24 EDT
chntpw-0.99.6-5.fc10.1 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/chntpw-0.99.6-5.fc10.1
Comment 11 Bug Zapper 2009-06-09 13:13:15 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 12 Fedora Update System 2009-06-15 21:49:59 EDT
chntpw-0.99.6-8.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update chntpw'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-6179
Comment 13 Fedora Update System 2009-06-15 22:41:29 EDT
chntpw-0.99.6-5.fc10.1 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update chntpw'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-6467
Comment 14 Fedora Update System 2009-07-03 15:35:20 EDT
chntpw-0.99.6-8.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2009-07-03 15:53:03 EDT
chntpw-0.99.6-5.fc10.1 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.