[Libguestfs] [libhivex] Undefined behavior when accessing invalid (too small) registry hives

[Mahmoud Al-Qudsi]

Hello all,

I know that one of the original design goals of libhivex was to be
resilient to corrupt, invalid, or malicious registry hives. I've
encountered some undefined behavior in libhivex when attempting to open
registry files that are too small. I'm not sure if this is a known issue
per-se or not, so I figured I'd ask here on the mailing list before I
jumped in and started adding out-of-bounds checks everywhere.

The simplest test case is when attempting to open a zero-byte registry
file, handle.c will mmap a zero-byte file and then go out of bounds while
comparing against the registry header ("regf"). I imagine even if you pass
in a 4-byte file, the header checksum calculation will loop over 0x7F
bytes, so you'd probably encounter another error there. I guess I'm just
not sure where the ideal location(s) to place range-checking would be; is
there anything smarter than plastering checks at every read/write to the
registry file?

Or is it expected that certain sanity checks would be performed prior to
passing along any files to libhivex? What would those checks be?

Thank you,

Mahmoud Al-Qudsi
NeoSmart Technologies
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libguestfs/attachments/20141029/f280c802/attachment.htm>