From 5d18fc78b6bc5b189064144156d0e95bf13de8de Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 28 Sep 2023 12:46:23 -0400
Subject: [PATCH] * Thu Sep 28 2023 Jon Maloy <jmaloy@redhat.com> - 6.2.0-40

- kvm-ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch [bz#2218488]
- Resolves: bz#2218488
  (CVE-2023-3255 virt:rhel/qemu-kvm: QEMU: VNC: infinite loop in inflate_buffer() leads to denial of service [rhel-8])
---
 ...-fix-infinite-loop-in-inflate_buffer.patch | 76 +++++++++++++++++++
 qemu-kvm.spec                                 |  9 ++-
 2 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 kvm-ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch

diff --git a/kvm-ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch b/kvm-ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
new file mode 100644
index 0000000..08ecc15
--- /dev/null
+++ b/kvm-ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
@@ -0,0 +1,76 @@
+From efbf51a42b51665fd70ea49b9c583a208cfd2deb Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 4 Jul 2023 10:41:22 +0200
+Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer
+ (CVE-2023-3255)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 316: ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
+RH-Bugzilla: 2218488
+RH-Acked-by: Mauro Matteo Cascella <None>
+RH-Commit: [1/1] f3cb05fb6e40261da5fe10f003fa3e57920469bb (redhat/rhel/src/qemu-kvm/jons-qemu-kvm-2)
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2218488
+CVE: CVE-2023-3255
+Upstream: Merged
+
+commit d921fea338c1059a27ce7b75309d7a2e485f710b
+Author: Mauro Matteo Cascella <mcascell@redhat.com>
+Date:   Tue Jul 4 10:41:22 2023 +0200
+
+    ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
+
+    A wrong exit condition may lead to an infinite loop when inflating a
+    valid zlib buffer containing some extra bytes in the `inflate_buffer`
+    function. The bug only occurs post-authentication. Return the buffer
+    immediately if the end of the compressed data has been reached
+    (Z_STREAM_END).
+
+    Fixes: CVE-2023-3255
+    Fixes: 0bf41cab ("ui/vnc: clipboard support")
+    Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
+    Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+    Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+    Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+    Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ ui/vnc-clipboard.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
+index 67284b556c..c84599cfdb 100644
+--- a/ui/vnc-clipboard.c
++++ b/ui/vnc-clipboard.c
+@@ -51,8 +51,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
+         ret = inflate(&stream, Z_FINISH);
+         switch (ret) {
+         case Z_OK:
+-        case Z_STREAM_END:
+             break;
++        case Z_STREAM_END:
++            *size = stream.total_out;
++            inflateEnd(&stream);
++            return out;
+         case Z_BUF_ERROR:
+             out_len <<= 1;
+             if (out_len > (1 << 20)) {
+@@ -67,11 +70,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
+         }
+     }
+ 
+-    *size = stream.total_out;
+-    inflateEnd(&stream);
+-
+-    return out;
+-
+ err_end:
+     inflateEnd(&stream);
+ err:
+-- 
+2.41.0
+
diff --git a/qemu-kvm.spec b/qemu-kvm.spec
index d5f12be..8948a38 100644
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@@ -83,7 +83,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.2.0
-Release: 39%{?rcrel}%{?dist}
+Release: 40%{?rcrel}%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@@ -781,6 +781,8 @@ Patch309: kvm-i386-cpu-Update-how-the-EBX-register-of-CPUID-0x8000.patch
 Patch310: kvm-target-i386-kvm-Fix-disabling-MPX-on-cpu-host-with-M.patch
 # For bz#2215786 - CVE-2023-3301 virt:rhel/qemu-kvm: QEMU: net: triggerable assertion due to race condition in hot-unplug [rhel-8]
 Patch311: kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch
+# For bz#2218488 - CVE-2023-3255 virt:rhel/qemu-kvm: QEMU: VNC: infinite loop in inflate_buffer() leads to denial of service [rhel-8]
+Patch312: kvm-ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
 
 BuildRequires: wget
 BuildRequires: rpm-build
@@ -1950,6 +1952,11 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 
 
 %changelog
+* Thu Sep 28 2023 Jon Maloy <jmaloy@redhat.com> - 6.2.0-40
+- kvm-ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch [bz#2218488]
+- Resolves: bz#2218488
+  (CVE-2023-3255 virt:rhel/qemu-kvm: QEMU: VNC: infinite loop in inflate_buffer() leads to denial of service [rhel-8])
+
 * Mon Aug 28 2023 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-39
 - kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch [bz#2215786]
 - Resolves: bz#2215786