[hivex/f20] Fix handling of invalid hive files.
Richard W.M. Jones
rjones at fedoraproject.org
Tue Nov 25 09:53:22 UTC 2014
commit ce257ff9d615977a23da1cef2e7e226d49bff8c4
Author: Richard W.M. Jones <rjones at redhat.com>
Date: Tue Nov 25 09:50:35 2014 +0000
Fix handling of invalid hive files.
...e-Refuse-to-open-files-8192-bytes-in-size.patch | 35 ++++++++++++++++++++
...k-that-pages-do-not-extend-beyond-the-end.patch | 32 ++++++++++++++++++
hivex.spec | 11 ++++++-
3 files changed, 77 insertions(+), 1 deletions(-)
---
diff --git a/0001-handle-Refuse-to-open-files-8192-bytes-in-size.patch b/0001-handle-Refuse-to-open-files-8192-bytes-in-size.patch
new file mode 100644
index 0000000..ac5dbf6
--- /dev/null
+++ b/0001-handle-Refuse-to-open-files-8192-bytes-in-size.patch
@@ -0,0 +1,35 @@
+From 357f26fa64fd1d9ccac2331fe174a8ee9c607adb Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones at redhat.com>
+Date: Thu, 30 Oct 2014 13:50:39 +0000
+Subject: [PATCH 1/2] handle: Refuse to open files < 8192 bytes in size.
+
+These cannot be valid hives, since they don't contain a full header
+page and at least a single page of data (in other words they couldn't
+contain a root node).
+
+Thanks: Mahmoud Al-Qudsi
+---
+ lib/handle.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 62a8644..a3cbcf7 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -104,6 +104,13 @@ hivex_open (const char *filename, int flags)
+
+ h->size = statbuf.st_size;
+
++ if (h->size < 0x2000) {
++ SET_ERRNO (EINVAL,
++ "%s: file is too small to be a Windows NT Registry hive file",
++ filename);
++ goto error;
++ }
++
+ if (!h->writable) {
+ h->addr = mmap (NULL, h->size, PROT_READ, MAP_SHARED, h->fd, 0);
+ if (h->addr == MAP_FAILED)
+--
+2.1.0
+
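Review bot: the literal in `if (h->size < 0x2000)` encodes the argument from the commit message (one 4096-byte header page plus at least one 4096-byte page of data, so a root node can exist) but nothing in the code says so; a one-line comment or a named constant next to the check would keep the bound and its justification together, and the message "file is too small to be a Windows NT Registry hive file" could state the 8192-byte minimum so a caller sees why the file was rejected. Placing the check before the mmap is the right order, since it also means the header page read afterwards is guaranteed to lie inside the mapping.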
diff --git a/0002-handle-Check-that-pages-do-not-extend-beyond-the-end.patch b/0002-handle-Check-that-pages-do-not-extend-beyond-the-end.patch
new file mode 100644
index 0000000..7977e16
--- /dev/null
+++ b/0002-handle-Check-that-pages-do-not-extend-beyond-the-end.patch
@@ -0,0 +1,32 @@
+From 4bbdf555f88baeae0fa804a369a81a83908bd705 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones at redhat.com>
+Date: Thu, 30 Oct 2014 14:02:25 +0000
+Subject: [PATCH 2/2] handle: Check that pages do not extend beyond the end of
+ the file.
+
+Thanks: Mahmoud Al-Qudsi
+---
+ lib/handle.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index a3cbcf7..3a8f09b 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -247,6 +247,13 @@ hivex_open (const char *filename, int flags)
+ goto error;
+ }
+
++ if (off + page_size > h->size) {
++ SET_ERRNO (ENOTSUP,
++ "%s: page size %zu at 0x%zx extends beyond end of file, bad registry",
++ filename, page_size, off);
++ goto error;
++ }
++
+ /* Read the blocks in this page. */
+ size_t blkoff;
+ struct ntreg_hbin_block *block;
+--
+2.1.0
+
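Review bot: `off + page_size > h->size` can wrap when `page_size`, a size_t taken from the hive data being validated, is near SIZE_MAX; the sum then comes out small and the check passes. Assuming the loop has already established `off < h->size` before this point, writing the bound as `page_size > h->size - off` gives the same check without the overflow. Separately, this patch reports the malformed page with ENOTSUP while the companion patch reports the too-small file with EINVAL; if callers are expected to tell "not a hive" from "corrupt hive" by errno, the two conventions should be documented, otherwise one value for malformed input would be simpler.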
diff --git a/hivex.spec b/hivex.spec
index 92837ca..40d1811 100644
--- a/hivex.spec
+++ b/hivex.spec
@@ -7,7 +7,7 @@
Name: hivex
Version: 1.3.8
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Read and write Windows Registry binary hive files
License: LGPLv2
@@ -28,6 +28,10 @@ Patch4: 0001-lib-write-Add-some-debugging-messages.patch
Patch5: 0001-ppc-Fix-endianness-bug-which-caused-node_add_child-t.patch
Patch6: 0001-ppc-iconv-Source-is-UTF-16LE-not-just-UTF-16.patch
+# Fix handling of invalid hive files.
+Patch7: 0001-handle-Refuse-to-open-files-8192-bytes-in-size.patch
+Patch8: 0002-handle-Check-that-pages-do-not-extend-beyond-the-end.patch
+
BuildRequires: perl
BuildRequires: perl-Test-Simple
BuildRequires: perl-Test-Pod
@@ -171,6 +175,8 @@ ruby-%{name} contains Ruby bindings for %{name}.
%patch4 -p1
%patch5 -p1
%patch6 -p1
+%patch7 -p1
+%patch8 -p1
autoreconf -i
@@ -279,6 +285,9 @@ rm $RPM_BUILD_ROOT%{python_sitearch}/libhivexmod.la
%changelog
+* Tue Nov 25 2013 Richard W.M. Jones <rjones at redhat.com> - 1.3.8-4
+- Fix handling of invalid hive files.
+
* Tue Sep 10 2013 Richard W.M. Jones <rjones at redhat.com> - 1.3.8-3
- Include various upstream patches to fix endianness problems on ppc64.
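Review bot: the new entry `* Tue Nov 25 2013 Richard W.M. Jones <rjones at redhat.com> - 1.3.8-4` has the wrong year. The commit itself is dated 25 Nov 2014, and 25 Nov 2013 was a Monday, so rpmbuild will flag the weekday/date mismatch as a bogus changelog date; it should read `* Tue Nov 25 2014`.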