Package: spice / 0.12.8-2.1+deb9u3

Fix-flexible-array-buffer-overflow.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
From: Frediano Ziglio <fziglio@redhat.com>
Date: Fri, 18 May 2018 11:41:57 +0100
Subject: Fix flexible array buffer overflow
Origin: https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10873
Bug-Debian: https://bugs.debian.org/906315

This is kind of a DoS, possibly flexible array in the protocol
causes the network size check to be ignored due to integer overflows.

The size of flexible array is computed as (message_end - position),
then this size is added to the number of bytes before the array and
this number is used to check if we overflow initial message.

An example is:

    message {
        uint32 dummy[2];
        uint8 data[] @end;
    } LenMessage;

which generated this (simplified remove useless code) code:

    { /* data */
        data__nelements = message_end - (start + 8);

        data__nw_size = data__nelements;
    }

    nw_size = 8 + data__nw_size;

    /* Check if message fits in reported side */
    if (nw_size > (uintptr_t) (message_end - start)) {
        return NULL;
    }

Following code:
- data__nelements == message_end - (start + 8)
- data__nw_size == data__nelements == message_end - (start + 8)
- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) ==
  8 + message_end - start - 8 == message_end -start
- the check for overflow is (nw_size > (message_end - start)) but
  nw_size == message_end - start so the check is doing
  ((message_end - start) > (message_end - start)) which is always false.

If message_end - start < 8 then data__nelements (number of element
on the array above) computation generate an integer underflow that
later create a buffer overflow.

Add a check to make sure that the array starts before the message ends
to avoid the overflow.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
[Salvatore Bonaccorso: Drop generated diff from commit messages causing
 problem when applying with quilt. Remove addition to testsuite]
---

--- a/spice-common/python_modules/demarshal.py
+++ b/spice-common/python_modules/demarshal.py
@@ -318,6 +318,7 @@ def write_validate_array_item(writer, co
         writer.assign(nelements, array.size)
     elif array.is_remaining_length():
         if element_type.is_fixed_nw_size():
+            writer.error_check("%s > message_end" % item.get_position())
             if element_type.get_fixed_nw_size() == 1:
                 writer.assign(nelements, "message_end - %s" % item.get_position())
             else: