diff options
Diffstat (limited to 'main/spice/CVE-2015-3247.patch')
-rw-r--r-- | main/spice/CVE-2015-3247.patch | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/main/spice/CVE-2015-3247.patch b/main/spice/CVE-2015-3247.patch new file mode 100644 index 0000000000..47ee3c4f91 --- /dev/null +++ b/main/spice/CVE-2015-3247.patch @@ -0,0 +1,116 @@ +From bd6ea0db84949ac903c27708166604de892f4671 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio <fziglio@redhat.com> +Date: Tue, 9 Jun 2015 08:50:46 +0100 +Subject: Avoid race conditions reading monitor configs from guest + +For security reasons do not assume guest do not change structures it +pass to Qemu. +Guest could change count field while Qemu is copying QXLMonitorsConfig +structure leading to heap corruption. +This patch avoid it reading count only once. + +This patch solves CVE-2015-3247. + +Signed-off-by: Frediano Ziglio <fziglio@redhat.com> +Acked-by: Christophe Fergeau <cfergeau@redhat.com> + +diff --git a/server/red_worker.c b/server/red_worker.c +index 2f2d5a9..e2feb23 100644 +--- a/server/red_worker.c ++++ b/server/red_worker.c +@@ -11222,19 +11222,18 @@ static inline void red_monitors_config_item_add(DisplayChannelClient *dcc) + + static void worker_update_monitors_config(RedWorker *worker, + QXLMonitorsConfig *dev_monitors_config, +- unsigned int max_monitors) ++ uint16_t count, uint16_t max_allowed) + { + int heads_size; + MonitorsConfig *monitors_config; + int i; +- unsigned int count = MIN(dev_monitors_config->count, max_monitors); + + monitors_config_decref(worker->monitors_config); + + spice_debug("monitors config %d(%d)", +- dev_monitors_config->count, +- dev_monitors_config->max_allowed); +- for (i = 0; i < dev_monitors_config->count; i++) { ++ count, ++ max_allowed); ++ for (i = 0; i < count; i++) { + spice_debug("+%d+%d %dx%d", + dev_monitors_config->heads[i].x, + dev_monitors_config->heads[i].y, +@@ -11247,7 +11246,7 @@ static void worker_update_monitors_config(RedWorker *worker, + monitors_config->refs = 1; + monitors_config->worker = worker; + monitors_config->count = count; +- monitors_config->max_allowed = MIN(dev_monitors_config->max_allowed, max_monitors); ++ monitors_config->max_allowed = max_allowed; + memcpy(monitors_config->heads, dev_monitors_config->heads, heads_size); + } + +@@ -11636,33 +11635,52 @@ void handle_dev_display_migrate(void *opaque, void *payload) + red_migrate_display(worker, rcc); + } + ++static inline uint32_t qxl_monitors_config_size(uint32_t heads) ++{ ++ return sizeof(QXLMonitorsConfig) + sizeof(QXLHead) * heads; ++} ++ + static void handle_dev_monitors_config_async(void *opaque, void *payload) + { + RedWorkerMessageMonitorsConfigAsync *msg = payload; + RedWorker *worker = opaque; +- int min_size = sizeof(QXLMonitorsConfig) + sizeof(QXLHead); + int error; ++ uint16_t count, max_allowed; + QXLMonitorsConfig *dev_monitors_config = + (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config, +- min_size, msg->group_id, &error); ++ qxl_monitors_config_size(1), ++ msg->group_id, &error); + + if (error) { + /* TODO: raise guest bug (requires added QXL interface) */ + return; + } + worker->driver_cap_monitors_config = 1; +- if (dev_monitors_config->count == 0) { ++ count = dev_monitors_config->count; ++ max_allowed = dev_monitors_config->max_allowed; ++ if (count == 0) { + spice_warning("ignoring an empty monitors config message from driver"); + return; + } +- if (dev_monitors_config->count > dev_monitors_config->max_allowed) { ++ if (count > max_allowed) { + spice_warning("ignoring malformed monitors_config from driver, " + "count > max_allowed %d > %d", +- dev_monitors_config->count, +- dev_monitors_config->max_allowed); ++ count, ++ max_allowed); ++ return; ++ } ++ /* get pointer again to check virtual size */ ++ dev_monitors_config = ++ (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config, ++ qxl_monitors_config_size(count), ++ msg->group_id, &error); ++ if (error) { ++ /* TODO: raise guest bug (requires added QXL interface) */ + return; + } +- worker_update_monitors_config(worker, dev_monitors_config, msg->max_monitors); ++ worker_update_monitors_config(worker, dev_monitors_config, ++ MIN(count, msg->max_monitors), ++ MIN(max_allowed, msg->max_monitors)); + red_worker_push_monitors_config(worker); + } + +-- +cgit v0.10.2 + |