community/hivex: fixes for CVE-2021-3504

84e15a5f · Francesco Colista · dec74dbc · 84e15a5f · 84e15a5f
Commit 84e15a5f authored 3 years ago by Francesco Colista
--- a/community/hivex/APKBUILD
+++ b/community/hivex/APKBUILD
@@ -2,15 +2,20 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=hivex
 pkgver=1.3.19
-pkgrel=0
-pkgdesc="System for extracting the contents of Windows Registry."
-url="http://libguestfs.org"
+pkgrel=1
+pkgdesc="System for extracting the contents of Windows Registry"
+url="https://libguestfs.org/"
 arch="all"
 license="LGPL-2.1"
 makedepends="libxml2-dev readline-dev perl-dev"
 checkdepends="bash"
 subpackages="$pkgname-dev $pkgname-doc"
-source="http://libguestfs.org/download/hivex/hivex-$pkgver.tar.gz"
+source="https://libguestfs.org/download/hivex/hivex-$pkgver.tar.gz
+CVE-2021-3504.patch"
+
+# secfixes:
+#   1.3.19-r1:
+#     - CVE-2021-3504

 build() {
 	./configure \
@@ -34,4 +39,7 @@ package() {
 	make DESTDIR="$pkgdir" install
 }

-sha512sums="dc271349c6efa7b55ba144617e57fe4e7ce855ec1f4ef9f84ee86eeefd3a34cb6b26078786e1568f3008b922a31b758ff2c2734e599b67e0e210aa72e9f41177  hivex-1.3.19.tar.gz"
+sha512sums="
+dc271349c6efa7b55ba144617e57fe4e7ce855ec1f4ef9f84ee86eeefd3a34cb6b26078786e1568f3008b922a31b758ff2c2734e599b67e0e210aa72e9f41177  hivex-1.3.19.tar.gz
+fed79bdff539596275ef1081a2e071898b35b19494aac04d473ded3328d570d40ea6c720f0660c7ebd60625efa3f559e9f21bde600fb2eeca9354a90dffc2525  CVE-2021-3504.patch
+"
--- a/community/hivex/CVE-2021-3504.patch
+++ b/community/hivex/CVE-2021-3504.patch
+From 8f1935733b10d974a1a4176d38dd151ed98cf381 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Thu, 15 Apr 2021 15:50:13 +0100
+Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length
+ (CVE-2021-3504)
+
+Hives are encoded as fixed-sized pages containing smaller variable-
+length blocks:
+
+  +-------------------+-------------------+-------------------+--
+  | header            |[ blk ][blk][ blk ]|[blk][blk][blk]    |
+  +-------------------+-------------------+-------------------+--
+
+Blocks should not straddle a page boundary.  However because blocks
+contain a 32 bit length field it is possible to construct an invalid
+hive where the last block in a page overlaps either the next page or
+the end of the file:
+
+  +-------------------+-------------------+
+  | header            |[ blk ][blk][ blk ..... ]
+  +-------------------+-------------------+
+
+Hivex lacked a bounds check and would process the registry.  Because
+the rest of the code assumes this situation can never happen it was
+possible to have a block containing some field (eg. a registry key
+name) which would extend beyond the end of the file.  Hivex mmaps or
+mallocs the file, causing hivex to read memory beyond the end of the
+mapped region, resulting in reading other memory structures or a
+crash.  (Writing beyond the end of the mapped region seems to be
+impossible because we always allocate a new page before writing.)
+
+This commit adds a check which rejects the malformed registry on
+hivex_open.
+
+Credit: Jeremy Galindo, Sr Security Engineer, Datto.com
+Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
+Fixes: CVE-2021-3504
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687
+---
+ lib/handle.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 88b1563..2e4231a 100644
+--- a/lib/handle.c
+++ b/lib/handle.c
+@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags)
+ #pragma GCC diagnostic pop
+         if (is_root || !h->unsafe) {
+           SET_ERRNO (ENOTSUP,
+-                     "%s, the block at 0x%zx has invalid size %" PRIu32
+-                     ", bad registry",
+                     "%s, the block at 0x%zx size %" PRIu32
+                     " <= 4 or not a multiple of 4, bad registry",
+                      filename, blkoff, le32toh (block->seg_len));
+           goto error;
+         } else {
+@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags)
+         }
+       }
+ 
+      if (blkoff + seg_len > off + page_size) {
+        SET_ERRNO (ENOTSUP,
+                   "%s, the block at 0x%zx size %" PRIu32
+                   " extends beyond the current page, bad registry",
+                   filename, blkoff, le32toh (block->seg_len));
+        goto error;
+      }
+
+       if (h->msglvl >= 2) {
+         unsigned char *id = (unsigned char *) block->id;
+         int id0 = id[0], id1 = id[1];