From 28d8705203e4e5ed4348b8d2eaefd3692967bae2 Mon Sep 17 00:00:00 2001 From: Victor Toso Date: Thu, 27 Feb 2020 13:50:01 +0100 Subject: [PATCH] Update to 0.14.3 --- ...by-one-error-in-group-slot-boundary-.patch | 98 ------------------- sources | 4 +- spice.spec | 9 +- 3 files changed, 8 insertions(+), 103 deletions(-) delete mode 100644 0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch diff --git a/0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch b/0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch deleted file mode 100644 index 1f69086..0000000 --- a/0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Christophe Fergeau -Date: Thu, 29 Nov 2018 14:18:39 +0100 -Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check - -RedMemSlotInfo keeps an array of groups, and each group contains an -array of slots. Unfortunately, these checks are off by 1, they check -that the index is greater or equal to the number of elements in the -array, while these arrays are 0 based. The check should only check for -strictly greater than the number of elements. - -For the group array, this is not a big issue, as these memslot groups -are created by spice-server users (eg QEMU), and the group ids used to -index that array are also generated by the spice-server user, so it -should not be possible for the guest to set them to arbitrary values. - -The slot id is more problematic, as it's calculated from a QXLPHYSICAL -address, and such addresses are usually set by the guest QXL driver, so -the guest can set these to arbitrary values, including malicious values, -which are probably easy to build from the guest PCI configuration. - -This patch fixes the arrays bound check, and adds a test case for this. -This fixes CVE-2019-3813. - -Signed-off-by: Christophe Fergeau ---- - server/memslot.c | 4 ++-- - server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++ - 2 files changed, 32 insertions(+), 2 deletions(-) - -diff --git a/server/memslot.c b/server/memslot.c -index ede77e7..ea6f981 100644 ---- a/server/memslot.c -+++ b/server/memslot.c -@@ -97,13 +97,13 @@ void *memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t add_size - - MemSlot *slot; - -- if (group_id > info->num_memslots_groups) { -+ if (group_id >= info->num_memslots_groups) { - spice_critical("group_id too big"); - return NULL; - } - - slot_id = memslot_get_id(info, addr); -- if (slot_id > info->num_memslots) { -+ if (slot_id >= info->num_memslots) { - print_memslots(info); - spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr); - return NULL; -diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c -index 47139a4..5b8d0f2 100644 ---- a/server/tests/test-qxl-parsing.c -+++ b/server/tests/test-qxl-parsing.c -@@ -85,6 +85,31 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl) - g_free(from_physical(qxl->u.surface_create.data)); - } - -+static void test_memslot_invalid_group_id(void) -+{ -+ RedMemSlotInfo mem_info; -+ init_meminfo(&mem_info); -+ -+ memslot_get_virt(&mem_info, 0, 16, 1); -+} -+ -+static void test_memslot_invalid_slot_id(void) -+{ -+ RedMemSlotInfo mem_info; -+ init_meminfo(&mem_info); -+ -+ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0); -+} -+ -+static void test_memslot_invalid_addresses(void) -+{ -+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0); -+ g_test_trap_assert_stderr("*group_id too big*"); -+ -+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0); -+ g_test_trap_assert_stderr("*slot_id 1 too big*"); -+} -+ - static void test_no_issues(void) - { - RedMemSlotInfo mem_info; -@@ -262,6 +287,11 @@ int main(int argc, char *argv[]) - { - g_test_init(&argc, &argv, NULL); - -+ /* try to use invalid memslot group/slot */ -+ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses); -+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id); -+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id); -+ - /* try to create a surface with no issues, should succeed */ - g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues); - diff --git a/sources b/sources index e00cf07..19e0123 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (spice-0.14.2.tar.bz2) = 1093b618ea4a7ff31944429ce2903abecfc8d20c35f2d9c8c837a6e053ee429c0115e40665542637a717869209523ac05d15cdb5e77563102d5d3915e4aaaf76 -SHA512 (spice-0.14.2.tar.bz2.sign) = ef7f6806d4c050014e22d9c43b0364766ae98c4b505ecdebd7975e820863e663363b1e19d25bcc20453239a3817e96f9e8ac37c01ec231a06b0ea8129e40af36 +SHA512 (spice-0.14.3.tar.bz2) = 9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4 +SHA512 (spice-0.14.3.tar.bz2.sign) = 1f1fadebe7b4ecedcc98b6c622d83a39e7cbd6e67699dfde0ed6c3f443ef228578c16e409e2b6d0ef4e2d2b3d54b1d5c1798ac7817db50902a03cc323ba24181 SHA512 (victortoso-E37A484F.keyring) = 091755da8a358c8c8ebd3b5443b4b5eb3c260afed943454c085d48c973de6a42763547c321c64e4da5c1b2983ad0c5146aaeddeb1d54ef414f7e6a530a3bf14a diff --git a/spice.spec b/spice.spec index 875c799..ce41431 100644 --- a/spice.spec +++ b/spice.spec @@ -1,6 +1,6 @@ Name: spice -Version: 0.14.2 -Release: 3%{?dist} +Version: 0.14.3 +Release: 1%{?dist} Summary: Implements the SPICE protocol License: LGPLv2+ URL: http://www.spice-space.org/ @@ -86,7 +86,7 @@ mkdir -p %{buildroot}%{_libexecdir} %files server %{!?_licensedir:%global license %%doc} %license COPYING -%doc README NEWS +%doc README CHANGELOG.md %{_libdir}/libspice-server.so.1* %files server-devel @@ -96,6 +96,9 @@ mkdir -p %{buildroot}%{_libexecdir} %changelog +* Thu Feb 27 2020 Victor Toso - 0.14.3-1 +- Update to 0.14.3 + * Fri Jan 31 2020 Fedora Release Engineering - 0.14.2-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild