Package: spice / 0.12.5-1+deb8u5

Metadata

Package   Version           Patches format
spice     0.12.5-1+deb8u5   3.0 (quilt)

Patch series

Patch File delta Description
fix tests warnings.patch

server/tests/basic_event_loop.c | 4 2 + 2 - 0 !
server/tests/test_display_base.c | 3 2 + 1 - 0 !
2 files changed, 4 insertions(+), 3 deletions(-)

 [patch (v2)] small cleanups to address compiler warnings
Message-ID: <20130211144958.GA6481@sergelap>
CVE 2015 3247.patch

server/red_worker.c | 46 32 + 14 - 0 !
1 file changed, 32 insertions(+), 14 deletions(-)

 [patch] avoid race conditions reading monitor configs from guest

For security reasons do not assume the guest does not change structures it
passes to Qemu.
The guest could change the count field while Qemu is copying the QXLMonitorsConfig
structure, leading to heap corruption.
This patch avoids it by reading count only once.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2015 5260_CVE 2015 5261/0001 worker validate correctly surfaces.patch

server/red_worker.c | 31 17 + 14 - 0 !
1 file changed, 17 insertions(+), 14 deletions(-)

 [patch 01/19] worker: validate correctly surfaces

Do not just give a warning and continue to use an invalid index into
an array.

Resolves: CVE-2015-5260

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0002 worker avoid double free or double create of surface.patch

server/red_worker.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch 02/19] worker: avoid double free or double create of surfaces

A driver can overwrite surface state by creating a surface with the same
id as a previous one.
It can also try to destroy surfaces that were not created.
Both requests cause invalid internal states that could lead to crashes
or memory corruption.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2015 5260_CVE 2015 5261/0003 Define a constant to limit data from guest.patch

server/red_parse_qxl.c | 11 11 + 0 - 0 !
1 file changed, 11 insertions(+)

 [patch 03/19] define a constant to limit data from guest.

This limit will prevent the guest from trying to do nasty things and DoS the host.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2015 5260_CVE 2015 5261/0004 Fix some integer overflow causing large memory alloc.patch

server/red_parse_qxl.c | 15 11 + 4 - 0 !
1 file changed, 11 insertions(+), 4 deletions(-)

 [patch 04/19] fix some integer overflow causing large memory
 allocations

Prevent integer overflow when computing image sizes.
Image index computations are done using 32 bits, so this can easily cause
security issues. MAX_DATA_CHUNK is larger than the virtual
card limit, so this is not going to change behaviour.
Comparing size calculation results with MAX_DATA_CHUNK will allow us to
catch overflows.
Prevent the guest from allocating large amounts of memory.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2015 5260_CVE 2015 5261/0005 Check properly surface to be created.patch

server/red_parse_qxl.c | 35 34 + 1 - 0 !
1 file changed, 34 insertions(+), 1 deletion(-)

 [patch 05/19] check properly surface to be created

Check that the format is valid.
Check that the stride is at least the number of bytes required for a row.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0006 Fix buffer reading overflow.patch

server/red_parse_qxl.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch 06/19] fix buffer reading overflow

Not a security risk as it is just a read.
However, this could be used to attempt integer overflows in the
following lines.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0007 Prevent 32 bit integer overflow in bitmap_consistent.patch

server/red_parse_qxl.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 [patch 07/19] prevent 32 bit integer overflow in bitmap_consistent

The overflow may lead to buffer overflow as the row size computed from
width (bitmap->x) can be bigger than the size in bytes (bitmap->stride).
This can make spice-server accept the invalid sizes.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0008 Fix race condition on red_get_clip_rects.patch

server/red_parse_qxl.c | 8 5 + 3 - 0 !
1 file changed, 5 insertions(+), 3 deletions(-)

 [patch 08/19] fix race condition on red_get_clip_rects

Do not read multiple times an array size that can be changed.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0009 Fix race in red_get_image.patch

server/red_parse_qxl.c | 18 10 + 8 - 0 !
1 file changed, 10 insertions(+), 8 deletions(-)

 [patch 09/19] fix race in red_get_image

Do not read data from the guest multiple times as it could be changed
by other vcpu threads.
This causes races and security problems if these data are used for
buffer allocation or checks.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0010 Fix race condition in red_get_string.patch

server/red_parse_qxl.c | 15 9 + 6 - 0 !
1 file changed, 9 insertions(+), 6 deletions(-)

 [patch 10/19] fix race condition in red_get_string

Do not read multiple times an array size that can be changed.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0011 Fix integer overflow computing glyph_size in red_get.patch

server/red_parse_qxl.c | 8 5 + 3 - 0 !
1 file changed, 5 insertions(+), 3 deletions(-)

 [patch 11/19] fix integer overflow computing glyph_size in
 red_get_string

If bpp is an int the formula can lead to weird overflows. width and height
are uint16_t, so the formula is:

  size_t = u16 * (u16 * int + const_int) / const_int;

so it becomes

  size_t = (int) u16 * ((int) u16 * int + const_int) / const_int;

However, the (int) u16 * (int) u16 can then become negative due to overflow.
On 64 bit architectures size_t is 64 bits and int is usually 32, so converting
this negative 32 bit number to an unsigned 64 bit one leads to a very big
number as the sign is extended and then converted to unsigned.
Using unsigned arithmetic prevents extending the sign.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
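An added C example, not part of the spice patch or the commit message above, modelling the arithmetic that message describes. The formula is taken as height * (width * bpp + 7) / 8 to match the schematic u16 * (u16 * int + const_int) / const_int; the field names and the size limit passed to glyph_size_checked() are chosen for the example. The first function reproduces the 32-bit int computation on a 64-bit host (with the wrap computed explicitly so the model itself has no undefined behaviour); the second widens to size_t before multiplying and bounds the result, which is what the fix relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not spice code. Models the glyph size formula quoted in the
 * commit message, size = u16 * (u16 * int + const_int) / const_int, as
 *     height * (width * bpp + 7) / 8
 * Field names and the limit passed to glyph_size_checked() are assumptions. */

/* Pre-fix behaviour: width and height promote to int, so the product is
 * 32-bit signed. The wrap is computed in uint32_t and the bits reinterpreted
 * with memcpy, so this model has no undefined behaviour of its own. */
size_t glyph_size_int32_model(uint16_t width, uint16_t height, int bpp)
{
    uint32_t row_bits = (uint32_t)width * (uint32_t)bpp + 7u;  /* fits easily */
    uint32_t wrapped  = (uint32_t)height * row_bits;            /* mod 2^32 */
    int32_t  as_int;
    memcpy(&as_int, &wrapped, sizeof as_int);   /* the int the old code held */
    int32_t  quotient = as_int / 8;             /* negative if the product wrapped */
    return (size_t)quotient;                    /* sign-extended on a 64-bit host */
}

/* Fixed behaviour: widen to size_t before multiplying, then refuse anything
 * above max_bytes. Returns 0 when the glyph is rejected, so callers must
 * treat 0 as an error; empty glyphs are rejected as well. */
size_t glyph_size_checked(uint16_t width, uint16_t height, unsigned bpp,
                          size_t max_bytes)
{
    if (width == 0 || height == 0)
        return 0;
    size_t row_bits = (size_t)width * bpp + 7u;
    size_t size     = (size_t)height * row_bits / 8u;
    if (size > max_bytes)
        return 0;
    return size;
}

int main(void)
{
    printf("int model, 65535x65535 @8bpp: %zu bytes\n",
           glyph_size_int32_model(65535, 65535, 8));
    printf("checked,   65535x65535 @8bpp: %zu bytes (0 = rejected)\n",
           glyph_size_checked(65535, 65535, 8, (size_t)1 << 20));
    printf("checked,   8x16 @1bpp:        %zu bytes\n",
           glyph_size_checked(8, 16, 1, (size_t)1 << 20));
    return 0;
}
```

With a 65535 by 65535 glyph at 8 bpp the int model returns a value just below 2^64, exactly the sign-extended negative the message describes, while the checked version either returns the true 4294893568 bytes or rejects the glyph when that exceeds the caller's limit.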
CVE 2015 5260_CVE 2015 5261/0012 Fix race condition in red_get_data_chunks_ptr.patch

server/red_parse_qxl.c | 17 10 + 7 - 0 !
1 file changed, 10 insertions(+), 7 deletions(-)

 [patch 12/19] fix race condition in red_get_data_chunks_ptr

Do not read data from the guest multiple times as it can be changed by
other guest vcpus. This causes races and security problems if these
data are used for buffer allocation or checks.

Actually, the 'data' member can't change during read as it is just a
pointer to a fixed array contained in qxl. However, this change will
make it clear that there can be no race condition.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2015 5260_CVE 2015 5261/0013 Prevent memory leak if red_get_data_chunks_ptr fails.patch

server/red_parse_qxl.c | 31 20 + 11 - 0 !
1 file changed, 20 insertions(+), 11 deletions(-)

 [patch 13/19] prevent memory leak if red_get_data_chunks_ptr fails

Free the linked list if the client tries to do nasty things.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0014 Prevent DoS from guest trying to allocate too much d.patch

server/red_parse_qxl.c | 49 41 + 8 - 0 !
1 file changed, 41 insertions(+), 8 deletions(-)

 [patch 14/19] prevent dos from guest trying to allocate too much data
 on host for chunks

Limit the number of chunks to a given amount to avoid the guest trying to
allocate too much memory. Using circular or nested chunk lists the
guest could try to allocate huge amounts of memory.
Considering the list can be infinite and the guest can change data, this
also prevents strange security attacks from the guest.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
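The bounded list walk this commit and the earlier MAX_DATA_CHUNK commits describe, as an added C example that is not spice code and not from the commit author. The descriptor layout, the NO_NEXT terminator, MAX_CHUNKS and the value given to MAX_DATA_CHUNK (only its name comes from the commit messages) are constructed for the example. The walker enforces the chunk-count limit, which is also what stops a circular list, keeps the running total under the cap without letting the addition wrap, and checks each index against the memory range before dereferencing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not spice code. A constructed model of a guest-supplied chunk
 * list: each descriptor holds its payload size and the index of the next
 * descriptor (NO_NEXT terminates). MAX_DATA_CHUNK is named after the constant
 * in the commit messages but its value here is an assumption, as is MAX_CHUNKS. */

#define NO_NEXT        UINT32_MAX
#define MAX_CHUNKS     1024u
#define MAX_DATA_CHUNK (1024u * 1024u)

typedef struct {
    uint32_t data_size;
    uint32_t next;
} ChunkDesc;

typedef struct {
    const ChunkDesc *descs;   /* guest-visible descriptor table */
    size_t           ndescs;  /* its checked length */
} GuestMem;

/* Sum the payload bytes of the list starting at `first`. Returns false if a
 * limit is exceeded or an index escapes the table; *total is set on success. */
bool sum_chunks(const GuestMem *mem, uint32_t first, size_t *total)
{
    size_t   bytes = 0;
    unsigned count = 0;
    uint32_t idx   = first;

    while (idx != NO_NEXT) {
        if (idx >= mem->ndescs)                 /* points outside checked memory */
            return false;
        if (++count > MAX_CHUNKS)               /* too long, or circular */
            return false;
        ChunkDesc d = mem->descs[idx];          /* one copy; use only the copy */
        if (d.data_size > MAX_DATA_CHUNK || bytes > MAX_DATA_CHUNK - d.data_size)
            return false;                       /* would exceed the cap (no wrap) */
        bytes += d.data_size;
        idx = d.next;
    }
    *total = bytes;
    return true;
}

/* Helper returning the total, or -1 when the list is rejected. */
static long walk(const ChunkDesc *descs, size_t n, uint32_t first)
{
    GuestMem mem = { descs, n };
    size_t total;
    return sum_chunks(&mem, first, &total) ? (long)total : -1;
}

/* Constructed sample lists. */
static const ChunkDesc linear_list[]    = { {100, 1}, {100, 2}, {100, NO_NEXT} };
static const ChunkDesc circular_list[]  = { {100, 1}, {100, 0} };
static const ChunkDesc oversized_list[] = { {MAX_DATA_CHUNK, 1}, {1, NO_NEXT} };
static const ChunkDesc escaping_list[]  = { {100, 7} };   /* 7 is outside the table */

#define N(a) (sizeof(a) / sizeof((a)[0]))

long demo_linear(void)    { return walk(linear_list,    N(linear_list),    0); }
long demo_circular(void)  { return walk(circular_list,  N(circular_list),  0); }
long demo_oversized(void) { return walk(oversized_list, N(oversized_list), 0); }
long demo_escaping(void)  { return walk(escaping_list,  N(escaping_list),  0); }

int main(void)
{
    printf("linear:    %ld\n", demo_linear());     /* 300 */
    printf("circular:  %ld\n", demo_circular());   /* -1 */
    printf("oversized: %ld\n", demo_oversized());  /* -1 */
    printf("escaping:  %ld\n", demo_escaping());   /* -1 */
    return 0;
}
```

The descriptor is copied once into a local before any of its fields are used, so a guest rewriting `next` or `data_size` mid-walk cannot make the checks and the later arithmetic see different values.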

CVE 2015 5260_CVE 2015 5261/0015 Fix some possible overflows in red_get_string for 32.patch

server/red_parse_qxl.c | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 [patch 15/19] fix some possible overflows in red_get_string for 32
 bit

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0016 Make sure we can read QXLPathSeg structures.patch

server/red_parse_qxl.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 16/19] make sure we can read qxlpathseg structures

start pointer points to a QXLPathSeg structure.
Before reading from the structure, make sure the structure is contained
in the memory range checked.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0017 Avoid race condition copying segments in red_get_pat.patch

server/red_parse_qxl.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 17/19] avoid race condition copying segments in red_get_path

The guest can attempt to increase the number of segments while
spice-server is reading them.
Make sure we don't copy more than the allocated segments.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
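The read-once pattern that this commit and the earlier race fixes describe (the QXLMonitorsConfig count in CVE-2015-3247, the array sizes in red_get_clip_rects, red_get_string and red_get_data_chunks_ptr, the segment count here in red_get_path), as an added C example that is not spice code and not from the commit author. The shared structure, the Head type, MAX_HEADS and the callback standing in for another vCPU are all constructed for the example; the racy reader counts the writes it would have made past the end of its buffer instead of performing them, so the model is safe to run.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not spice code. A guest-writable structure with the shape the
 * commit messages describe (a count followed by an array) and two host-side
 * readers. Another vCPU running while the host is mid-copy is simulated by a
 * callback invoked between the reader's two uses of `count`. Names and the
 * MAX_HEADS limit are constructed for this example. */

#define MAX_HEADS 16u

typedef struct { uint32_t x, y, width, height; } Head;

typedef struct {
    volatile uint32_t count;    /* the guest may change this at any time */
    Head heads[MAX_HEADS];
} SharedConfig;

typedef void (*guest_step_fn)(SharedConfig *shared);

typedef struct {
    Head    *heads;
    uint32_t n;        /* elements allocated */
    uint32_t overrun;  /* elements the racy reader would have written past the end */
} HostCopy;

/* Pre-fix pattern: count is fetched once to size the buffer and again as the
 * loop bound. The model counts out-of-bounds writes instead of doing them. */
HostCopy copy_racy(SharedConfig *shared, guest_step_fn guest)
{
    HostCopy c = { 0, 0, 0 };
    uint32_t n = shared->count;                 /* first fetch */
    c.heads = calloc(n ? n : 1, sizeof(Head));
    c.n = n;
    if (guest) guest(shared);                   /* other vCPU runs here */
    uint32_t m = shared->count;                 /* second fetch, may differ */
    for (uint32_t i = 0; i < m; i++) {
        if (i >= n || i >= MAX_HEADS) { c.overrun++; continue; }
        c.heads[i] = shared->heads[i];
    }
    return c;
}

/* Fixed pattern: snapshot count once, validate the snapshot, and drive both
 * the allocation and the loop from it. Whatever the guest writes afterwards
 * cannot move the loop bound. Returns false if the snapshot is out of range. */
bool copy_checked(SharedConfig *shared, guest_step_fn guest, HostCopy *out)
{
    uint32_t n = shared->count;                 /* the only read of count */
    if (n > MAX_HEADS)
        return false;
    out->heads = calloc(n ? n : 1, sizeof(Head));
    out->n = n;
    out->overrun = 0;
    if (guest) guest(shared);                   /* guest changes count now... */
    for (uint32_t i = 0; i < n; i++)            /* ...but the snapshot is used */
        out->heads[i] = shared->heads[i];
    return true;
}

/* Constructed guest behaviour: grow count after the host sized its buffer. */
static void guest_grows_count(SharedConfig *s) { s->count = 8; }

uint32_t demo_racy_overrun(void)
{
    SharedConfig shared = { .count = 2 };
    HostCopy c = copy_racy(&shared, guest_grows_count);
    free(c.heads);
    return c.overrun;                           /* 6 elements past the end */
}

uint32_t demo_checked_copied(void)
{
    SharedConfig shared = { .count = 2 };
    HostCopy c;
    if (!copy_checked(&shared, guest_grows_count, &c))
        return UINT32_MAX;
    free(c.heads);
    return c.n + c.overrun;                     /* 2 copied, nothing past the end */
}

bool demo_checked_rejects_oversize(void)
{
    SharedConfig shared = { .count = 100 };     /* more than MAX_HEADS */
    HostCopy c;
    return !copy_checked(&shared, NULL, &c);
}

int main(void)
{
    printf("racy reader: %u writes past the end\n", demo_racy_overrun());
    printf("checked reader: %u elements copied\n", demo_checked_copied());
    printf("checked reader rejects count=100: %s\n",
           demo_checked_rejects_oversize() ? "yes" : "no");
    return 0;
}
```

The snapshot only protects the loop bound. The head contents can still change underneath the copy, so any validation of the copied fields has to run on the host copy afterwards, never on the shared memory beforehand.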
CVE 2015 5260_CVE 2015 5261/0018 Prevent data_size to be set independently from data.patch

server/red_parse_qxl.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch 18/19] prevent data_size to be set independently from data

There was no check for the data_size field, so one could set data to
a small set of data and data_size much bigger than the size of data,
leading to buffer overflow.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2015 5260_CVE 2015 5261/0019 Prevent leak if size from red_get_data_chunks don t .patch

server/red_parse_qxl.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch 19/19] prevent leak if size from red_get_data_chunks don't
 match in red_get_image

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2016 0749/0001 smartcard add a ref to item before adding to pipe.patch

server/smartcard.c | 9 6 + 3 - 0 !
1 file changed, 6 insertions(+), 3 deletions(-)

 [patch] smartcard: add a ref to item before adding to pipe

There is an unref when the message is sent.

==17204== ERROR: AddressSanitizer: heap-use-after-free on address 0x6008000144a8 at pc 0x7fffee0ce245 bp 0x7fffffffc630 sp 0x7fffffffc620
READ of size 4 at 0x6008000144a8 thread T0
    #0 0x7fffee0ce244 in smartcard_unref_vsc_msg_item /home/elmarco/src/spice/spice/server/smartcard.c:608
    #1 0x7fffee0cb451 in smartcard_unref_msg_to_client /home/elmarco/src/spice/spice/server/smartcard.c:178
    #2 0x7fffedfcdf14 in spice_char_device_read_from_device /home/elmarco/src/spice/spice/server/char-device.c:330
    #3 0x7fffedfd1763 in spice_char_device_wakeup /home/elmarco/src/spice/spice/server/char-device.c:901
    #4 0x7fffee05da98 in spice_server_char_device_wakeup /home/elmarco/src/spice/spice/server/reds.c:2990
    #5 0x55555593fa34 in spice_chr_write /home/elmarco/src/qemu/spice-qemu-char.c:189
    #6 0x5555559375f1 in qemu_chr_fe_write /home/elmarco/src/qemu/qemu-char.c:220
    #7 0x555555b3b682 in ccid_card_vscard_send_msg.isra.2 /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:76
    #8 0x555555b3c466 in ccid_card_vscard_send_error /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:91
    #9 0x555555b3c466 in ccid_card_vscard_handle_message /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:242
    #10 0x555555b3c466 in ccid_card_vscard_read /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:289
    #11 0x55555593f169 in vmc_write /home/elmarco/src/qemu/spice-qemu-char.c:41
    #12 0x7fffedfcee6d in spice_char_device_write_to_device /home/elmarco/src/spice/spice/server/char-device.c:477
    #13 0x7fffedfcfd31 in spice_char_device_write_buffer_add /home/elmarco/src/spice/spice/server/char-device.c:629
    #14 0x7fffee0ce9df in smartcard_channel_write_to_reader /home/elmarco/src/spice/spice/server/smartcard.c:675
    #15 0x7fffee0cc7db in smartcard_char_device_notify_reader_add /home/elmarco/src/spice/spice/server/smartcard.c:341
    #16 0x7fffee0ce4f3 in smartcard_add_reader /home/elmarco/src/spice/spice/server/smartcard.c:648
    #17 0x7fffee0cf2e2 in smartcard_channel_handle_message /home/elmarco/src/spice/spice/server/smartcard.c:763
    #18 0x7fffedffe21f in red_peer_handle_incoming /home/elmarco/src/spice/spice/server/red-channel.c:307
    #19 0x7fffedffe4f6 in red_channel_client_receive /home/elmarco/src/spice/spice/server/red-channel.c:325
    #20 0x7fffee00726c in red_channel_client_event /home/elmarco/src/spice/spice/server/red-channel.c:1566
    #21 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143
    #22 0x555555c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504
    #23 0x5555556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818
    #24 0x5555556f160c in main /home/elmarco/src/qemu/vl.c:4394
    #25 0x7fffed7d0b14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274
    #26 0x5555556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20)
0x6008000144a8 is located 24 bytes inside of 40-byte region [0x600800014490,0x6008000144b8)
freed by thread T0 here:
    #0 0x7ffff4e61009 in __interceptor_free /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:61
    #1 0x7fffee0ce2a1 in smartcard_unref_vsc_msg_item /home/elmarco/src/spice/spice/server/smartcard.c:610
    #2 0x7fffee0cdd58 in smartcard_channel_release_pipe_item /home/elmarco/src/spice/spice/server/smartcard.c:548
    #3 0x7fffee000668 in red_channel_client_release_item /home/elmarco/src/spice/spice/server/red-channel.c:602
    #4 0x7fffee0006ef in red_channel_client_release_sent_item /home/elmarco/src/spice/spice/server/red-channel.c:609
    #5 0x7fffee0007b5 in red_channel_peer_on_out_msg_done /home/elmarco/src/spice/spice/server/red-channel.c:620
    #6 0x7fffedffed7e in red_peer_handle_outgoing /home/elmarco/src/spice/spice/server/red-channel.c:385
    #7 0x7fffee0057bb in red_channel_client_send /home/elmarco/src/spice/spice/server/red-channel.c:1294
    #8 0x7fffee0076e6 in red_channel_client_begin_send_message /home/elmarco/src/spice/spice/server/red-channel.c:1605
    #9 0x7fffee0cdccd in smartcard_channel_send_item /home/elmarco/src/spice/spice/server/smartcard.c:541
    #10 0x7fffee000570 in red_channel_client_send_item /home/elmarco/src/spice/spice/server/red-channel.c:588
    #11 0x7fffee005bfb in red_channel_client_push /home/elmarco/src/spice/spice/server/red-channel.c:1347
    #12 0x7fffee007ef7 in red_channel_client_pipe_add_push /home/elmarco/src/spice/spice/server/red-channel.c:1673
    #13 0x7fffee0cde4d in smartcard_channel_client_pipe_add_push /home/elmarco/src/spice/spice/server/smartcard.c:571
    #14 0x7fffee0cb567 in smartcard_send_msg_to_client /home/elmarco/src/spice/spice/server/smartcard.c:187
    #15 0x7fffedfcdba2 in spice_char_device_send_msg_to_clients /home/elmarco/src/spice/spice/server/char-device.c:282
    #16 0x7fffedfcdea4 in spice_char_device_read_from_device /home/elmarco/src/spice/spice/server/char-device.c:329
    #17 0x7fffedfd1763 in spice_char_device_wakeup /home/elmarco/src/spice/spice/server/char-device.c:901
    #18 0x7fffee05da98 in spice_server_char_device_wakeup /home/elmarco/src/spice/spice/server/reds.c:2990
    #19 0x55555593fa34 in spice_chr_write /home/elmarco/src/qemu/spice-qemu-char.c:189

Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com>

CVE 2016 0749/0002 smartcard allocate msg with the expected size.patch

server/smartcard.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] smartcard: allocate msg with the expected size

==529== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040009c098 at pc 0x7fffee0eda6d bp 0x7fffffffcd00 sp 0x7fffffffccf0
WRITE of size 4 at 0x60040009c098 thread T0
    #0 0x7fffee0eda6c in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334
    #1 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642
    #2 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757
    #3 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304
    #4 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322
    #5 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561
    #6 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143
    #7 0x555555c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504
    #8 0x5555556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818
    #9 0x5555556f160c in main /home/elmarco/src/qemu/vl.c:4394
    #10 0x7fffed80eb14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274
    #11 0x5555556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20)
0x60040009c098 is located 0 bytes to the right of 8-byte region [0x60040009c090,0x60040009c098)
allocated by thread T0 here:
    #0 0x7ffff4e612be in __interceptor_realloc /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:92
    #1 0x7fffee121308 in spice_realloc /home/elmarco/pkg/spice/spice-0.12.4/spice-common/common/mem.c:123
    #2 0x7fffee004a48 in __spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:516
    #3 0x7fffee004e87 in spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:557
    #4 0x7fffee0ed8b9 in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:325
    #5 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642
    #6 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757
    #7 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304
    #8 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322
    #9 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561
    #10 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334 smartcard_char_device_notify_reader_add

Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com>

CVE 2016 2150/0001 create a function to validate surface parameters.patch

server/red_parse_qxl.c | 50 32 + 18 - 0 !
server/red_parse_qxl.h | 5 5 + 0 - 0 !
2 files changed, 37 insertions(+), 18 deletions(-)

 [patch] create a function to validate surface parameters

Make it possible to reuse it outside red-parse-qxl.c.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2016 2150/0002 improve primary surface parameter checks.patch

server/red_worker.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 [patch] improve primary surface parameter checks

The primary surface, like additional surfaces, can be used to access
host memory from the guest using invalid parameters.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2016 9578 Prevent possible DoS attempts during protocol handsh.patch

server/reds.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch 1/3] prevent possible dos attempts during protocol handshake

The limit for link message is specified using a 32 bit unsigned integer.
This could cause possible DoS due to excessive memory allocations and
some possible crashes.
For instance a value >= 2^31 causes a spice_assert to be triggered in
async_read_handler (reds-stream.c) due to an integer overflow at this
line:

   int n = async->end - async->now;

This could be easily triggered with a program like

  #!/usr/bin/env python

  import socket
  import time
  from struct import pack

  server = '127.0.0.1'
  port = 5900

  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((server, port))
  data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)
  s.send(data)

  time.sleep(1)

without requiring any authentication (the same can be done
with TLS).

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2016 9578 Prevent integer overflows in capability checks.patch

server/reds.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 [patch 2/3] prevent integer overflows in capability checks

The limits for capabilities are specified using 32 bit unsigned integers.
This could cause possible integer overflows causing buffer overflows.
For instance the sum of num_common_caps and num_caps can be 0, avoiding
additional checks.
As the link message is now capped to 4096 and the capabilities are
contained in the link message, limit the capabilities to 1024
(capabilities are expressed in number of uint32_t items).

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
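The two checks described in this commit and the previous one (cap the announced link message size before allocating, cap each capability count separately so their sum cannot wrap and then check the sum against the message), as an added C example that is not spice code and not from the commit author. The header layout follows what the PoC above packs ('<4sIII': magic, major, minor, size); the body layout with two counts followed by capability words, the field names and the helper names are assumptions for the example, while the limits of 4096 bytes and 1024 words are the ones the commit messages cite.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not spice code. Header layout taken from the PoC's pack
 * format; the body layout and all names are assumptions for this example. */

#define LINK_MAGIC      "REDQ"
#define LINK_HEADER_LEN 16u
#define MAX_LINK_SIZE   4096u   /* limit cited in the commit message */
#define MAX_CAPS        1024u   /* limit cited in the commit message */

typedef struct {
    char     magic[4];
    uint32_t major, minor, size;
} LinkHeader;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Parse the header and reject it, before anything is allocated, if the magic
 * is wrong or the announced body size exceeds MAX_LINK_SIZE. */
bool parse_link_header(const uint8_t *buf, size_t len, LinkHeader *hdr)
{
    if (len < LINK_HEADER_LEN)
        return false;
    memcpy(hdr->magic, buf, 4);
    hdr->major = rd_le32(buf + 4);
    hdr->minor = rd_le32(buf + 8);
    hdr->size  = rd_le32(buf + 12);
    if (memcmp(hdr->magic, LINK_MAGIC, 4) != 0)
        return false;
    return hdr->size <= MAX_LINK_SIZE;          /* 0xaaaaaaaa stops here */
}

/* Validate the capability counts in a body of `size` bytes. Each count is
 * capped on its own, so the sum cannot wrap to a small value, and the summed
 * words must fit in the bytes that follow the two counts. */
bool validate_caps(const uint8_t *body, uint32_t size,
                   uint32_t *num_common_caps, uint32_t *num_caps)
{
    if (size < 8)
        return false;
    uint32_t common = rd_le32(body);
    uint32_t chan   = rd_le32(body + 4);
    if (common > MAX_CAPS || chan > MAX_CAPS)
        return false;
    uint32_t words = common + chan;             /* at most 2048, no overflow */
    if ((uint64_t)words * 4u > size - 8u)
        return false;
    *num_common_caps = common;
    *num_caps = chan;
    return true;
}

/* Constructed inputs. */
static void build_header(uint8_t out[LINK_HEADER_LEN], uint32_t size)
{
    memcpy(out, LINK_MAGIC, 4);
    wr_le32(out + 4, 2); wr_le32(out + 8, 2); wr_le32(out + 12, size);
}

bool demo_poc_header_rejected(void)
{
    uint8_t buf[LINK_HEADER_LEN]; LinkHeader h;
    build_header(buf, 0xaaaaaaaau);             /* the size the PoC sends */
    return !parse_link_header(buf, sizeof buf, &h);
}

uint32_t demo_valid_header_size(void)
{
    uint8_t buf[LINK_HEADER_LEN]; LinkHeader h;
    build_header(buf, 24);
    return parse_link_header(buf, sizeof buf, &h) ? h.size : 0;
}

bool demo_wrapping_caps_rejected(void)
{
    uint8_t body[8]; uint32_t c, n;
    wr_le32(body, 0xffffffffu); wr_le32(body + 4, 1);   /* naive sum wraps to 0 */
    return !validate_caps(body, sizeof body, &c, &n);
}

bool demo_caps_ok(void)
{
    uint8_t body[16]; uint32_t c, n;
    wr_le32(body, 1); wr_le32(body + 4, 1);             /* two counts */
    wr_le32(body + 8, 0x5); wr_le32(body + 12, 0x3);    /* two capability words */
    return validate_caps(body, sizeof body, &c, &n) && c == 1 && n == 1;
}

int main(void)
{
    printf("PoC header rejected: %s\n", demo_poc_header_rejected() ? "yes" : "no");
    printf("valid header size:   %u\n", demo_valid_header_size());
    printf("wrapping caps rejected: %s\n", demo_wrapping_caps_rejected() ? "yes" : "no");
    printf("sane caps accepted:     %s\n", demo_caps_ok() ? "yes" : "no");
    return 0;
}
```

Capping each count individually is what makes the later sum safe: with both inputs bounded by 1024 the addition cannot wrap, so the comparison against the remaining bytes is meaningful.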
CVE 2016 9577 main channel Prevent overflow reading messages from .patch

server/main_channel.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch 3/3] main-channel: prevent overflow reading messages from
 client

The caller assumes the function returns a buffer able to store
size bytes.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2017 7506 1.patch

server/reds.c | 25 23 + 2 - 0 !
1 file changed, 23 insertions(+), 2 deletions(-)

 [spice-server 1/3] reds: disconnect when receiving overly big
 ClientMonitorsConfig

Total message size received from the client was unlimited. There is
a 2kiB size check on individual agent messages, but the MonitorsConfig
message can be split in multiple chunks, and the size of the
non-chunked MonitorsConfig message was never checked. This could easily
lead to memory exhaustion on the host.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
[carnil: adjust context for backport to 0.12.5]

CVE 2017 7506 2.patch

server/reds.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [spice-server 2/3] reds: avoid integer overflows handling monitor
 configuration

Avoid VDAgentMessage::size integer overflows.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
[carnil: adjust context for backport to 0.12.5]

CVE 2017 7506 3.patch

server/reds.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 [spice-server 3/3] reds: avoid buffer overflows handling monitor
 configuration

It was also possible for a malicious client to set
VDAgentMonitorsConfig::num_of_monitors to a number larger
than the actual size of VDAgentMonitorsConfig::monitors.
This would lead to buffer overflows, which could allow the guest to
read part of the host memory. This might cause write overflows in the
host as well, but controlling the content of such buffers seems
complicated.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
[carnil: adjust context for backport to 0.12.5]