[Libguestfs] [PATCH 2/2] lib: allow to walk registry with corrupted blocks

Dawid Zamirski dzamirski at datto.com
Tue Feb 14 16:02:19 UTC 2017 

On Tue, 2017-02-14 at 14:30 +0000, Richard W.M. Jones wrote:
> On Wed, Feb 08, 2017 at 04:36:31PM -0500, Dawid Zamirski wrote:
> > There are some corrupted registry files that have invalid hbin
> > cells
> > but are still readable. This patch makes the following changes:
> > 
> > * hivex_open - do not abort with complete failure if we run across
> > a
> >   block with invalid size (unless it's the root block). Instead
> > just
> >   log the event, and move on. This will allow open hives that have
> >   apparent invalid blocks but the ones of potential interest might
> > be
> >   perfectly accessible.
> > * _hivex_get_children - similiarly, if the's invalid subkey, just
> > skip
> >   it instead of failing so one can continue to browse other valid
> >   subkeys.
> > 
> > The above is similar to the behavior to Windows regedit where one
> > can
> > load such corrupted hives with e.g. "reg load HKU\Corrupted" and
> > browse/change it despite some keys might be missing.
> > ---
> >  lib/handle.c | 13 +++++++++----
> >  lib/node.c   | 11 +++++------
> >  2 files changed, 14 insertions(+), 10 deletions(-)
> > 
> > diff --git a/lib/handle.c b/lib/handle.c
> > index 1e122ea..9be3b5f 100644
> > --- a/lib/handle.c
> > +++ b/lib/handle.c
> > @@ -300,10 +300,15 @@ hivex_open (const char *filename, int flags)
> >        int used;
> >        seg_len = block_len (h, blkoff, &used);
> >        if (seg_len <= 4 || (seg_len & 3) != 0) {
> > -        SET_ERRNO (ENOTSUP,
> > -                   "%s: block size %" PRIi32 " at 0x%zx, bad
> > registry",
> > -                   filename, le32toh (block->seg_len), blkoff);
> > -        goto error;
> > +        if (is_root) {
> > +          bad_root_block = 1;

Also I don't like this part where I think it should just exit with
relevant SET_ERRNO message instead of depending on this variable being
checked later in the code.
 
> > +        } else {
> > +          DEBUG(2,
> 
> As before, space before parens in function and macro calls.
> 
> > @@ -408,7 +407,7 @@ _get_children (hive_h *h, hive_node_h blkoff,
> >        hive_node_h subkey = le32toh (lf->keys[i].offset);
> >        subkey += 0x1000;
> >        if (check_child_is_nk_block (h, subkey, flags) == -1)
> > -        return -1;
> > +        continue;
> 
> I think this deserves a debug message.
> 
> There is also a further call to check_child_is_nk_block in
> this function, but if that fails it still returns.  Why is
> that case different?
> 
> Rich.
> 
> >        if (_hivex_add_to_offset_list (children, subkey) == -1)
> >          return -1;
> >      }
> > -- 
> > 2.9.3
> > 
> > _______________________________________________
> > Libguestfs mailing list
> > Libguestfs at redhat.com
> > https://www.redhat.com/mailman/listinfo/libguestfs
> 
>

More information about the Libguestfs mailing list