From 9dc56dcb70a78ed37b11923a91de30a5270e670e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 10 Aug 2021 08:03:11 -0400
Subject: [PATCH] import hivex-1.3.18-21.module+el8.4.0+10770+19c037f9
---
 ...nds-check-for-block-exceeding-page-l.patch | 75 +++++++++++++++++++
 SPECS/hivex.spec | 9 ++-
 2 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
diff --git a/SOURCES/0001-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch b/SOURCES/0001-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
new file mode 100644
index 0000000..13a8605
--- /dev/null
+++ b/SOURCES/0001-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
@@ -0,0 +1,75 @@
+From 61f4928dcc31b91aaf3bcbcf2898f8f09586a213 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Thu, 15 Apr 2021 15:50:13 +0100
+Subject: [PATCH] lib/handle.c: Bounds check for block exceeding page length
+ (CVE-2021-3504)
+
+Hives are encoded as fixed-sized pages containing smaller variable-
+length blocks:
+
+ +-------------------+-------------------+-------------------+--
+ | header |[ blk ][blk][ blk ]|[blk][blk][blk] |
+ +-------------------+-------------------+-------------------+--
+
+Blocks should not straddle a page boundary. However because blocks
+contain a 32 bit length field it is possible to construct an invalid
+hive where the last block in a page overlaps either the next page or
+the end of the file:
+
+ +-------------------+-------------------+
+ | header |[ blk ][blk][ blk ..... ]
+ +-------------------+-------------------+
+
+Hivex lacked a bounds check and would process the registry. Because
+the rest of the code assumes this situation can never happen it was
+possible to have a block containing some field (eg. a registry key
+name) which would extend beyond the end of the file. Hivex mmaps or
+mallocs the file, causing hivex to read memory beyond the end of the
+mapped region, resulting in reading other memory structures or a
+crash. (Writing beyond the end of the mapped region seems to be
+impossible because we always allocate a new page before writing.)
+
+This commit adds a check which rejects the malformed registry on
+hivex_open.
+
+Credit: Jeremy Galindo, Sr Security Engineer, Datto.com
+Signed-off-by: Richard W.M. Jones
+Fixes: CVE-2021-3504
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1949687
+---
+ lib/handle.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 88b1563f..2e4231a5 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -353,8 +353,8 @@ hivex_open (const char *filename, int flags)
+ #pragma GCC diagnostic pop
+ if (is_root || !h->unsafe) {
+ SET_ERRNO (ENOTSUP,
+- "%s, the block at 0x%zx has invalid size %" PRIu32
+- ", bad registry",
++ "%s, the block at 0x%zx size %" PRIu32
++ " <= 4 or not a multiple of 4, bad registry",
+ filename, blkoff, le32toh (block->seg_len));
+ goto error;
+ } else {
+@@ -365,6 +365,14 @@ hivex_open (const char *filename, int flags)
+ }
+ }
+
++ if (blkoff + seg_len > off + page_size) {
++ SET_ERRNO (ENOTSUP,
++ "%s, the block at 0x%zx size %" PRIu32
++ " extends beyond the current page, bad registry",
++ filename, blkoff, le32toh (block->seg_len));
++ goto error;
++ }
++
+ if (h->msglvl >= 2) {
+ unsigned char *id = (unsigned char *) block->id;
+ int id0 = id[0], id1 = id[1];
+--
+2.29.2
+
diff --git a/SPECS/hivex.spec b/SPECS/hivex.spec
index 7006060..abe5338 100644
--- a/SPECS/hivex.spec
+++ b/SPECS/hivex.spec
@@ -10,7 +10,7 @@ Name: hivex Version: 1.3.18 -Release: 20%{?dist} +Release: 21%{?dist} Summary: Read and write Windows Registry binary hive files License: LGPLv2
@@ -30,6 +30,9 @@ Source2: libguestfs.keyring Patch0001: 0001-Win-Hivex-Regedit-Accept-CRLF-line-endings.patch Patch0002: 0002-Win-Hivex-Regedit-Ignore-comments.patch +# Bounds check for block exceeding page length (CVE-2021-3504). +Patch0003: 0001-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch + BuildRequires: perl-interpreter BuildRequires: perl-devel BuildRequires: perl-generators
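Review bot: The new guard `if (blkoff + seg_len > off + page_size)` in the second lib/handle.c hunk bounds the block against the current page only, so it closes the read-past-mapping described in the message only if the enclosing page loop has already verified that `off + page_size` itself lies within the mapped file; that earlier check is not visible in this hunk and should be confirmed before treating the fix as complete. The comparison also relies on `seg_len` being positive (its declaration is outside the hunk); if it is the value rejected by the preceding `<= 4 or not a multiple of 4` check, the promotion to `size_t` is safe, and a one-line comment stating that dependency, e.g. `/* seg_len > 4 here (checked above), so the size_t promotion cannot wrap. */`, would keep a later reordering from silently weakening it. Unlike that preceding check, which tolerates a bad size for non-root blocks when `h->unsafe` is set (the `else` branch in the first hunk), the new check rejects unconditionally; that is the safer choice, and a short comment saying no unsafe-mode bypass is intended would prevent a "consistency" edit from adding one. The enclosing function `hivex_open` begins and ends outside both hunks.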
@@ -274,6 +277,10 @@ fi %changelog +* Sat Apr 17 2021 Richard W.M. Jones - 1.3.18-21 +- Bounds check for block exceeding page length (CVE-2021-3504) + resolves: rhbz#1950501 + * Mon Apr 27 2020 Danilo C. L. de Paula - 1.3.18 - Resolves: bz#1810193 (Upgrade components in virt:rhel module:stream for RHEL-8.3 release)