[Libguestfs] [libhivex] Undefined behavior when accessing invalid (too small) registry hives

Mahmoud Al-Qudsi mqudsi at neosmart.net
Thu Oct 30 02:26:30 UTC 2014 

On Oct 29, 2014, at 3:39 PM, Richard W.M. Jones <rjones at redhat.com> wrote:
> 
>> Or is it expected that certain sanity checks would be performed prior to
>> passing along any files to libhivex? What would those checks be?
> 
> No, hivex should definitely have those checks.
> 
> I'll have a proper look at this in the morning.
> 
> Thanks,
> 
> Rich.

Thanks, Rich.

As far as I can tell, the only sanity checks in the initial loading of a registry hive are the magic bits (“regf”), major_ver = 1, and the checksum match.

When calling hivex_open with a file under 4 bytes, you run into the out-of-bounds access when comparing against the magic bits; pass in a file 4 bytes long with “regf” correctly set, you’ll get an out-of-bounds access to major_ver; pass in a file truncated at 0x18 (major_ver, set to 1), and you’ll get through to the checksum routine, which will read out-of-bounds the first 128 bytes.

If you pass in a file truncated at 0x200, you’ll get past the checksum tests but accesses (if any) to other registry header members will be out of bounds. (I don’t think that’s the case, because that’s all unused unknown_guid stuff, though.)

After that, offsets are checked against hdr->size; from a brief glance I’m unsure but I think there might be an issue if the file is truncated after a page offset. "off < h->size” will return true, but accesses to page contents will be out-of-bounds. So I think that would need to be “off + sizeof(ntreg_hbin_page) < h->size”?

For example, truncating a registry file at h->rootoffs  and with a purposely-wrong hdr->offset = 0, I think you’ll get past "if (off >= h->endpages)” and you’ll be reading the page out-of-bounds while checking hbin magic.

I have to run, but I think there may be a few more instances of things like this.. I know these are only reads, but I have a suspicion there’s an out-of-bounds write somewhere along similar lines because I was getting segfaults in some untraced code when processing bulk, untrusted registry files, though I could be wrong.

Thanks for looking into this, I hope I haven’t led you on a wild goose chase.

Mahmoud

More information about the Libguestfs mailing list