spice/0002-Prevent-integer-overflows-in-capability-checks.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 13 Dec 2016 14:40:10 +0000
Subject: [spice-server] Prevent integer overflows in capability checks

The limits for capabilities are specified using 32 bit unsigned integers.
This could cause possible integer overflows causing buffer overflows.
For instance the sum of num_common_caps and num_caps can be 0 avoiding
additional checks.
As the link message is now capped to 4096 and the capabilities are
contained in the link message limit the capabilities to 1024
(capabilities are expressed in number of uint32_t items).

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/reds.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/server/reds.c b/server/reds.c
index e7ebc43..953a95a 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2186,6 +2186,14 @@ static void reds_handle_read_link_done(void *opaque)
     link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
     link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
 
+    /* Prevent DoS. Currently we defined only 13 capabilities,
+     * I expect 1024 to be valid for quite a lot time */
+    if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
+        reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+        reds_link_free(link);
+        return;
+    }
+
     num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
     caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
Sanitize patch format Regenerate the patches using --no-signature --zero-commit --no-numbered as it makes it easier to regenerate exactly the same patches on a different setup. 2017-02-06 17:47:30 +00:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
Add upstream patches fixing CVE-2016-9577 and CVE-2016-9578 2017-02-06 17:44:11 +00:00			`From: Frediano Ziglio <fziglio@redhat.com>`
			`Date: Tue, 13 Dec 2016 14:40:10 +0000`
Sanitize patch format Regenerate the patches using --no-signature --zero-commit --no-numbered as it makes it easier to regenerate exactly the same patches on a different setup. 2017-02-06 17:47:30 +00:00			`Subject: [spice-server] Prevent integer overflows in capability checks`
Add upstream patches fixing CVE-2016-9577 and CVE-2016-9578 2017-02-06 17:44:11 +00:00
			`The limits for capabilities are specified using 32 bit unsigned integers.`
			`This could cause possible integer overflows causing buffer overflows.`
			`For instance the sum of num_common_caps and num_caps can be 0 avoiding`
			`additional checks.`
			`As the link message is now capped to 4096 and the capabilities are`
			`contained in the link message limit the capabilities to 1024`
			`(capabilities are expressed in number of uint32_t items).`

			`Signed-off-by: Frediano Ziglio <fziglio@redhat.com>`
			`Acked-by: Christophe Fergeau <cfergeau@redhat.com>`
			`---`
			`server/reds.c \| 8 ++++++++`
			`1 file changed, 8 insertions(+)`

			`diff --git a/server/reds.c b/server/reds.c`
			`index e7ebc43..953a95a 100644`
			`--- a/server/reds.c`
			`+++ b/server/reds.c`
			`@@ -2186,6 +2186,14 @@ static void reds_handle_read_link_done(void *opaque)`
			`link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);`
			`link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);`

			`+ /* Prevent DoS. Currently we defined only 13 capabilities,`
			`+ * I expect 1024 to be valid for quite a lot time */`
			`+ if (link_mess->num_channel_caps > 1024 \|\| link_mess->num_common_caps > 1024) {`
			`+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);`
			`+ reds_link_free(link);`
			`+ return;`
			`+ }`
			`+`
			`num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;`
			`caps = (uint32_t )((uint8_t )link_mess + link_mess->caps_offset);`