
[Libguestfs] [libhivex] Undefined behavior when accessing invalid (too small) registry hives

Hello all,

I know that one of the original design goals of libhivex was to be resilient to corrupt, invalid, or malicious registry hives. I've encountered some undefined behavior in libhivex when attempting to open registry files that are too small. I'm not sure if this is a known issue per se or not, so I figured I'd ask here on the mailing list before I jumped in and started adding out-of-bounds checks everywhere.

The simplest test case is when attempting to open a zero-byte registry file, handle.c will mmap a zero-byte file and then go out of bounds while comparing against the registry header ("regf"). I imagine even if you pass in a 4-byte file, the header checksum calculation will loop over 0x7F bytes, so you'd probably encounter another error there. I guess I'm just not sure where the ideal location(s) to place range-checking would be; is there anything smarter than plastering checks at every read/write to the registry file?

Or is it expected that certain sanity checks would be performed prior to passing along any files to libhivex? What would those checks be?

Thank you,

Mahmoud Al-Qudsi
NeoSmart Technologies
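As an added illustration of the up-front range check the question asks about (example code, not libhivex's own and not the poster's): the length of the mapped file is checked once, before the magic or the checksum is ever read, so a zero-byte or four-byte file is rejected without touching memory past the end of the mapping. It assumes the REGF layout of a 4096-byte header block whose checksum is the XOR of the 0x7F little-endian 32-bit words at offsets 0..0x1FB, stored at offset 0x1FC; the sample header it builds is constructed for the test.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed REGF layout: 4096-byte header block, checksum at 0x1FC covering
 * the 0x7F 32-bit words before it (assumption, not taken from libhivex). */
#define HIVE_HEADER_BLOCK 0x1000
#define HIVE_CSUM_OFFSET  0x1FC

enum hive_check {
  HIVE_OK = 0, HIVE_TOO_SMALL = -1, HIVE_BAD_MAGIC = -2, HIVE_BAD_CSUM = -3
};

static uint32_t read_le32(const uint8_t *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
  p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
  p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* XOR of the header words that precede the checksum field. */
static uint32_t hive_header_checksum(const uint8_t *buf)
{
  uint32_t sum = 0;
  for (size_t off = 0; off < HIVE_CSUM_OFFSET; off += 4)
    sum ^= read_le32(buf + off);
  return sum;
}

/* Validate an in-memory hive image. The size check runs first, so the magic
 * comparison and the checksum loop never read beyond a short mapping. */
enum hive_check hive_validate_header(const uint8_t *buf, size_t len)
{
  if (buf == NULL || len < HIVE_HEADER_BLOCK)
    return HIVE_TOO_SMALL;
  if (memcmp(buf, "regf", 4) != 0)
    return HIVE_BAD_MAGIC;
  if (hive_header_checksum(buf) != read_le32(buf + HIVE_CSUM_OFFSET))
    return HIVE_BAD_CSUM;
  return HIVE_OK;
}

/* Constructed sample header for testing: magic plus a matching checksum. */
void hive_build_sample_header(uint8_t *buf)
{
  memset(buf, 0, HIVE_HEADER_BLOCK);
  memcpy(buf, "regf", 4);
  write_le32(buf + 0x14, 1);            /* arbitrary constructed field value */
  write_le32(buf + HIVE_CSUM_OFFSET, hive_header_checksum(buf));
}
```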
