author | Daniel Sabogal <dsabogalcc@gmail.com> | 2016-08-17 00:07:49 -0400 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-08-26 17:27:39 +0000 |
commit | a56e4e3c1e2f4297d2771d28dac70e5afc81839e (patch) | |
tree | 213c0d6ca0182bf5dc26ffc63d8f9b4ddddfcbca /main/spice/CVE-2015-3247.patch | |
parent | 5bb854b78247cfca2f9c179b2cce5f9d8a8f57eb (diff) | |
main/spice: security upgrade to 0.12.8
CVE-2016-0749
CVE-2016-2150
Removed the CVE-2015-3247 patch, which is no longer needed (fixed in 0.12.6)
https://cgit.freedesktop.org/spice/spice/tree/NEWS?h=0.12
Diffstat (limited to 'main/spice/CVE-2015-3247.patch')
-rw-r--r-- | main/spice/CVE-2015-3247.patch | 116 |
1 files changed, 0 insertions, 116 deletions
diff --git a/main/spice/CVE-2015-3247.patch b/main/spice/CVE-2015-3247.patch
deleted file mode 100644
index 47ee3c4f9..000000000
--- a/main/spice/CVE-2015-3247.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From bd6ea0db84949ac903c27708166604de892f4671 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <fziglio@redhat.com>
-Date: Tue, 9 Jun 2015 08:50:46 +0100
-Subject: Avoid race conditions reading monitor configs from guest
-
-For security reasons do not assume guest do not change structures it
-pass to Qemu.
-Guest could change count field while Qemu is copying QXLMonitorsConfig
-structure leading to heap corruption.
-This patch avoid it reading count only once.
-
-This patch solves CVE-2015-3247.
-
-Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
-Acked-by: Christophe Fergeau <cfergeau@redhat.com>
-
-diff --git a/server/red_worker.c b/server/red_worker.c
-index 2f2d5a9..e2feb23 100644
---- a/server/red_worker.c
-+++ b/server/red_worker.c
-@@ -11222,19 +11222,18 @@ static inline void red_monitors_config_item_add(DisplayChannelClient *dcc)
-
- static void worker_update_monitors_config(RedWorker *worker,
- QXLMonitorsConfig *dev_monitors_config,
-- unsigned int max_monitors)
-+ uint16_t count, uint16_t max_allowed)
- {
- int heads_size;
- MonitorsConfig *monitors_config;
- int i;
-- unsigned int count = MIN(dev_monitors_config->count, max_monitors);
-
- monitors_config_decref(worker->monitors_config);
-
- spice_debug("monitors config %d(%d)",
-- dev_monitors_config->count,
-- dev_monitors_config->max_allowed);
-- for (i = 0; i < dev_monitors_config->count; i++) {
-+ count,
-+ max_allowed);
-+ for (i = 0; i < count; i++) {
- spice_debug("+%d+%d %dx%d",
- dev_monitors_config->heads[i].x,
- dev_monitors_config->heads[i].y,
-@@ -11247,7 +11246,7 @@ static void worker_update_monitors_config(RedWorker *worker,
- monitors_config->refs = 1;
- monitors_config->worker = worker;
- monitors_config->count = count;
-- monitors_config->max_allowed = MIN(dev_monitors_config->max_allowed, max_monitors);
-+ monitors_config->max_allowed = max_allowed;
- memcpy(monitors_config->heads, dev_monitors_config->heads, heads_size);
- }
-
-@@ -11636,33 +11635,52 @@ void handle_dev_display_migrate(void *opaque, void *payload)
- red_migrate_display(worker, rcc);
- }
-
-+static inline uint32_t qxl_monitors_config_size(uint32_t heads)
-+{
-+ return sizeof(QXLMonitorsConfig) + sizeof(QXLHead) * heads;
-+}
-+
- static void handle_dev_monitors_config_async(void *opaque, void *payload)
- {
- RedWorkerMessageMonitorsConfigAsync *msg = payload;
- RedWorker *worker = opaque;
-- int min_size = sizeof(QXLMonitorsConfig) + sizeof(QXLHead);
- int error;
-+ uint16_t count, max_allowed;
- QXLMonitorsConfig *dev_monitors_config =
- (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config,
-- min_size, msg->group_id, &error);
-+ qxl_monitors_config_size(1),
-+ msg->group_id, &error);
-
- if (error) {
- /* TODO: raise guest bug (requires added QXL interface) */
- return;
- }
- worker->driver_cap_monitors_config = 1;
-- if (dev_monitors_config->count == 0) {
-+ count = dev_monitors_config->count;
-+ max_allowed = dev_monitors_config->max_allowed;
-+ if (count == 0) {
- spice_warning("ignoring an empty monitors config message from driver");
- return;
- }
-- if (dev_monitors_config->count > dev_monitors_config->max_allowed) {
-+ if (count > max_allowed) {
- spice_warning("ignoring malformed monitors_config from driver, "
- "count > max_allowed %d > %d",
-- dev_monitors_config->count,
-- dev_monitors_config->max_allowed);
-+ count,
-+ max_allowed);
-+ return;
-+ }
-+ /* get pointer again to check virtual size */
-+ dev_monitors_config =
-+ (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config,
-+ qxl_monitors_config_size(count),
-+ msg->group_id, &error);
-+ if (error) {
-+ /* TODO: raise guest bug (requires added QXL interface) */
- return;
- }
-- worker_update_monitors_config(worker, dev_monitors_config, msg->max_monitors);
-+ worker_update_monitors_config(worker, dev_monitors_config,
-+ MIN(count, msg->max_monitors),
-+ MIN(max_allowed, msg->max_monitors));
- red_worker_push_monitors_config(worker);
- }
-
---
-cgit v0.10.2
- |