[Libguestfs] [libhivex] Undefined behavior when accessing invalid (too small) registry hives
Richard W.M. Jones
rjones at redhat.com
Wed Oct 29 20:39:55 UTC 2014
On Wed, Oct 29, 2014 at 10:43:59AM -0500, Mahmoud Al-Qudsi wrote:
> Hello all,
> I know that one of the original design goals of libhivex was to be
> resilient to corrupt, invalid, or malicious registry hives. I've
> encountered some undefined behavior in libhivex when attempting to open
> registry files that are too small. I'm not sure if this is a known issue
> per se or not, so I figured I'd ask here on the mailing list before I
> jumped in and started adding out-of-bounds checks everywhere.
> The simplest test case is when attempting to open a zero-byte registry
> file, handle.c will mmap a zero-byte file and then go out of bounds while
> comparing against the registry header ("regf"). I imagine even if you pass
> in a 4-byte file, the header checksum calculation will loop over 0x7F
> bytes, so you'd probably encounter another error there. I guess I'm just
> not sure where the ideal location(s) to place range-checking would be; is
> there anything smarter than plastering checks at every read/write to the
> registry file?

Oh dear, this is embarrassing. It's a security bug (DoS) at least.
Linux seems to refuse the mmap when length == 0 and return EINVAL, but
on other OSes or if the length < 4 we would be reading outside the array.

> Or is it expected that certain sanity checks would be performed prior to
> passing along any files to libhivex? What would those checks be?

No, hivex should definitely have those checks.
I'll have a proper look at this in the morning.

Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
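
The thread above asks where range checks belong. One answer, shown here as an added example that is not part of the original messages and is not hivex's own code, is a single length test before any header byte is read, which covers both the "regf" comparison and the checksum loop. The function names, status codes and the header layout (32-bit little-endian XOR checksum at offset 0x1fc over the 0x7f dwords before it) are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout: "regf" magic at offset 0; 32-bit little-endian XOR
 * checksum at offset 0x1fc covering the 0x7f dwords before it. */
#define HDR_CSUM_OFF 0x1fcu
#define HDR_MIN_SIZE (HDR_CSUM_OFF + 4u)

enum hdr_status { HDR_OK, HDR_TOO_SMALL, HDR_BAD_MAGIC, HDR_BAD_CSUM };

static uint32_t rd_le32(const unsigned char *p)
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* XOR of every dword that precedes the stored checksum. */
static uint32_t hdr_xor(const unsigned char *buf)
{
    uint32_t sum = 0;
    for (size_t off = 0; off < HDR_CSUM_OFF; off += 4)
        sum ^= rd_le32(buf + off);
    return sum;
}

/* Length is tested first, so no byte of buf is read unless the whole
 * header lies inside the mapping (len is the mapped file size). */
enum hdr_status check_header(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len < HDR_MIN_SIZE)
        return HDR_TOO_SMALL;
    if (memcmp(buf, "regf", 4) != 0)
        return HDR_BAD_MAGIC;
    if (hdr_xor(buf) != rd_le32(buf + HDR_CSUM_OFF))
        return HDR_BAD_CSUM;
    return HDR_OK;
}

/* Constructed sample input: a minimal header that passes the checks. */
void make_sample_header(unsigned char out[HDR_MIN_SIZE])
{
    memset(out, 0, HDR_MIN_SIZE);
    memcpy(out, "regf", 4);
    uint32_t sum = hdr_xor(out);
    for (int i = 0; i < 4; i++)
        out[HDR_CSUM_OFF + i] = (unsigned char)(sum >> (8 * i));
}
```

A caller would run the same length test on the file size before mapping, so a zero-byte file is rejected without relying on mmap returning EINVAL.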