import spice-0.14.2-1.el8

This commit is contained in:
CentOS Sources 2019-11-05 14:42:09 -05:00 committed by Andrew Lukoshko
parent 509a2d2fe9
commit d6522d8cd0
7 changed files with 27 additions and 432 deletions

.gitignore

@ -1,2 +1,2 @@
SOURCES/cfergeau-29AC6C82.keyring SOURCES/spice-0.14.2.tar.bz2
SOURCES/spice-0.14.0.tar.bz2 SOURCES/victortoso-E37A484F.keyring


@ -1,2 +1,2 @@
84d3abd436c6f4e194aa3f7a58be17ec9ced0a82 SOURCES/cfergeau-29AC6C82.keyring 83a93e47546d496cf2dcc3f4641db3a285044b9e SOURCES/spice-0.14.2.tar.bz2
93e42588d1aac0a3c127ada1e5d8f40be84776a9 SOURCES/spice-0.14.0.tar.bz2 da7a529db1ea28a1540c5892ea9836abeb378c3e SOURCES/victortoso-E37A484F.keyring


@ -1,301 +0,0 @@
From c182f8e4a445e93842faf6c2bd8583894da36a1a Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Fri, 18 May 2018 11:41:57 +0100
Subject: [PATCH] Fix flexible array buffer overflow
This is kind of a DoS, possibly flexible array in the protocol
causes the network size check to be ignored due to integer overflows.
The size of flexible array is computed as (message_end - position),
then this size is added to the number of bytes before the array and
this number is used to check if we overflow initial message.
An example is:
message {
uint32 dummy[2];
uint8 data[] @end;
} LenMessage;
which generated this (simplified remove useless code) code:
{ /* data */
data__nelements = message_end - (start + 8);
data__nw_size = data__nelements;
}
nw_size = 8 + data__nw_size;
/* Check if message fits in reported side */
if (nw_size > (uintptr_t) (message_end - start)) {
return NULL;
}
Following code:
- data__nelements == message_end - (start + 8)
- data__nw_size == data__nelements == message_end - (start + 8)
- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) ==
8 + message_end - start - 8 == message_end -start
- the check for overflow is (nw_size > (message_end - start)) but
nw_size == message_end - start so the check is doing
((message_end - start) > (message_end - start)) which is always false.
If message_end - start < 8 then data__nelements (number of element
on the array above) computation generate an integer underflow that
later create a buffer overflow.
Add a check to make sure that the array starts before the message ends
to avoid the overflow.
Difference is:
diff -u save/generated_client_demarshallers1.c common/generated_client_demarshallers1.c
--- save/generated_client_demarshallers1.c 2018-06-22 22:13:48.626793919 +0100
+++ common/generated_client_demarshallers1.c 2018-06-22 22:14:03.408163291 +0100
@@ -225,6 +225,9 @@
uint64_t data__nelements;
{ /* data */
+ if (SPICE_UNLIKELY((start + 0) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 0);
data__nw_size = data__nelements;
@@ -243,6 +246,9 @@
*free_message = nofree;
return data;
+ error:
+ free(data);
+ return NULL;
}
static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message)
@@ -301,6 +307,9 @@
SpiceMsgPing *out;
{ /* data */
+ if (SPICE_UNLIKELY((start + 12) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 12);
data__nw_size = data__nelements;
@@ -5226,6 +5235,9 @@
uint64_t cursor_data__nw_size;
uint64_t cursor_data__nelements;
{ /* data */
+ if (SPICE_UNLIKELY((start2 + 22) > message_end)) {
+ goto error;
+ }
cursor_data__nelements = message_end - (start2 + 22);
cursor_data__nw_size = cursor_data__nelements;
@@ -5305,6 +5317,9 @@
uint64_t cursor_data__nw_size;
uint64_t cursor_data__nelements;
{ /* data */
+ if (SPICE_UNLIKELY((start2 + 22) > message_end)) {
+ goto error;
+ }
cursor_data__nelements = message_end - (start2 + 22);
cursor_data__nw_size = cursor_data__nelements;
@@ -5540,6 +5555,9 @@
SpiceMsgPlaybackPacket *out;
{ /* data */
+ if (SPICE_UNLIKELY((start + 4) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 4);
data__nw_size = data__nelements;
@@ -5594,6 +5612,9 @@
SpiceMsgPlaybackMode *out;
{ /* data */
+ if (SPICE_UNLIKELY((start + 8) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 8);
data__nw_size = data__nelements;
diff -u save/generated_client_demarshallers.c common/generated_client_demarshallers.c
--- save/generated_client_demarshallers.c 2018-06-22 22:13:48.626793919 +0100
+++ common/generated_client_demarshallers.c 2018-06-22 22:14:03.004153195 +0100
@@ -225,6 +225,9 @@
uint64_t data__nelements;
{ /* data */
+ if (SPICE_UNLIKELY((start + 0) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 0);
data__nw_size = data__nelements;
@@ -243,6 +246,9 @@
*free_message = nofree;
return data;
+ error:
+ free(data);
+ return NULL;
}
static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message)
@@ -301,6 +307,9 @@
SpiceMsgPing *out;
{ /* data */
+ if (SPICE_UNLIKELY((start + 12) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 12);
data__nw_size = data__nelements;
@@ -6574,6 +6583,9 @@
}
{ /* data */
+ if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) {
+ goto error;
+ }
cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size);
cursor_data__nw_size = cursor_data__nelements;
@@ -6670,6 +6682,9 @@
}
{ /* data */
+ if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) {
+ goto error;
+ }
cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size);
cursor_data__nw_size = cursor_data__nelements;
@@ -6907,6 +6922,9 @@
SpiceMsgPlaybackPacket *out;
{ /* data */
+ if (SPICE_UNLIKELY((start + 4) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 4);
data__nw_size = data__nelements;
@@ -6961,6 +6979,9 @@
SpiceMsgPlaybackMode *out;
{ /* data */
+ if (SPICE_UNLIKELY((start + 6) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 6);
data__nw_size = data__nelements;
@@ -7559,6 +7580,9 @@
SpiceMsgTunnelSocketData *out;
{ /* data */
+ if (SPICE_UNLIKELY((start + 2) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 2);
data__nw_size = data__nelements;
@@ -7840,6 +7864,9 @@
}
{ /* compressed_data */
+ if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) {
+ goto error;
+ }
compressed_data__nelements = message_end - (start + 1 + u__nw_size);
compressed_data__nw_size = compressed_data__nelements;
diff -u save/generated_server_demarshallers.c common/generated_server_demarshallers.c
--- save/generated_server_demarshallers.c 2018-06-22 22:13:48.627793944 +0100
+++ common/generated_server_demarshallers.c 2018-06-22 22:14:05.231208847 +0100
@@ -306,6 +306,9 @@
uint64_t data__nelements;
{ /* data */
+ if (SPICE_UNLIKELY((start + 0) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 0);
data__nw_size = data__nelements;
@@ -324,6 +327,9 @@
*free_message = nofree;
return data;
+ error:
+ free(data);
+ return NULL;
}
static uint8_t * parse_msgc_disconnecting(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message)
@@ -1259,6 +1265,9 @@
SpiceMsgcRecordPacket *out;
{ /* data */
+ if (SPICE_UNLIKELY((start + 4) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 4);
data__nw_size = data__nelements;
@@ -1313,6 +1322,9 @@
SpiceMsgcRecordMode *out;
{ /* data */
+ if (SPICE_UNLIKELY((start + 6) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 6);
data__nw_size = data__nelements;
@@ -1841,6 +1853,9 @@
SpiceMsgcTunnelSocketData *out;
{ /* data */
+ if (SPICE_UNLIKELY((start + 2) > message_end)) {
+ goto error;
+ }
data__nelements = message_end - (start + 2);
data__nw_size = data__nelements;
@@ -2057,6 +2072,9 @@
}
{ /* compressed_data */
+ if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) {
+ goto error;
+ }
compressed_data__nelements = message_end - (start + 1 + u__nw_size);
compressed_data__nw_size = compressed_data__nelements;
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
---
spice-common/python_modules/demarshal.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py
index 1ea131d..7172762 100644
--- a/spice-common/python_modules/demarshal.py
+++ b/spice-common/python_modules/demarshal.py
@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star
writer.assign(nelements, array.size)
elif array.is_remaining_length():
if element_type.is_fixed_nw_size():
+ writer.error_check("%s > message_end" % item.get_position())
if element_type.get_fixed_nw_size() == 1:
writer.assign(nelements, "message_end - %s" % item.get_position())
else:
--
2.17.1


@ -1,100 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christophe Fergeau <cfergeau@redhat.com>
Date: Thu, 29 Nov 2018 14:18:39 +0100
Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check
RedMemSlotInfo keeps an array of groups, and each group contains an
array of slots. Unfortunately, these checks are off by 1, they check
that the index is greater or equal to the number of elements in the
array, while these arrays are 0 based. The check should only check for
strictly greater than the number of elements.
For the group array, this is not a big issue, as these memslot groups
are created by spice-server users (eg QEMU), and the group ids used to
index that array are also generated by the spice-server user, so it
should not be possible for the guest to set them to arbitrary values.
The slot id is more problematic, as it's calculated from a QXLPHYSICAL
address, and such addresses are usually set by the guest QXL driver, so
the guest can set these to arbitrary values, including malicious values,
which are probably easy to build from the guest PCI configuration.
This patch fixes the arrays bound check, and adds a test case for this.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
---
server/memslot.c | 4 ++--
server/tests/test-qxl-parsing.c | 32 ++++++++++++++++++++++++++++++++
2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/server/memslot.c b/server/memslot.c
index 7074b43..8c59c38 100644
--- a/server/memslot.c
+++ b/server/memslot.c
@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t
MemSlot *slot;
*error = 0;
- if (group_id > info->num_memslots_groups) {
+ if (group_id >= info->num_memslots_groups) {
spice_critical("group_id too big");
*error = 1;
return 0;
}
slot_id = memslot_get_id(info, addr);
- if (slot_id > info->num_memslots) {
+ if (slot_id >= info->num_memslots) {
print_memslots(info);
spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
*error = 1;
diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c
index 9c0c3b1..83f2083 100644
--- a/server/tests/test-qxl-parsing.c
+++ b/server/tests/test-qxl-parsing.c
@@ -85,6 +85,33 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl)
free(from_physical(qxl->u.surface_create.data));
}
+static void test_memslot_invalid_group_id(void)
+{
+ RedMemSlotInfo mem_info;
+ int error;
+ init_meminfo(&mem_info);
+
+ memslot_get_virt(&mem_info, 0, 16, 1, &error);
+}
+
+static void test_memslot_invalid_slot_id(void)
+{
+ RedMemSlotInfo mem_info;
+ int error;
+ init_meminfo(&mem_info);
+
+ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0, &error);
+}
+
+static void test_memslot_invalid_addresses(void)
+{
+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0);
+ g_test_trap_assert_stderr("*group_id too big*");
+
+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0);
+ g_test_trap_assert_stderr("*slot_id 1 too big*");
+}
+
static void test_no_issues(void)
{
RedMemSlotInfo mem_info;
@@ -262,6 +289,11 @@ int main(int argc, char *argv[])
{
g_test_init(&argc, &argv, NULL);
+ /* try to use invalid memslot group/slot */
+ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses);
+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id);
+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id);
+
/* try to create a surface with no issues, should succeed */
g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues);


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=ufAb
-----END PGP SIGNATURE-----



@ -1,15 +1,13 @@
Name: spice Name: spice
Version: 0.14.0 Version: 0.14.2
Release: 7%{?dist} Release: 1%{?dist}
Summary: Implements the SPICE protocol Summary: Implements the SPICE protocol
Group: User Interface/Desktops Group: User Interface/Desktops
License: LGPLv2+ License: LGPLv2+
URL: http://www.spice-space.org/ URL: https://www.spice-space.org/
Source0: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2 Source0: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
Source1: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign Source1: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sig
Source2: cfergeau-29AC6C82.keyring Source2: victortoso-E37A484F.keyring
Patch1: 0001-Fix-flexible-array-buffer-overflow.patch
Patch2: 0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=613529 # https://bugzilla.redhat.com/show_bug.cgi?id=613529
%if 0%{?rhel} && 0%{?rhel} <= 7 %if 0%{?rhel} && 0%{?rhel} <= 7
@ -19,8 +17,8 @@ ExclusiveArch: %{ix86} x86_64 %{arm} aarch64
%endif %endif
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: glib2-devel >= 2.22 BuildRequires: glib2-devel >= 2.38
BuildRequires: spice-protocol >= 0.12.3 BuildRequires: spice-protocol >= 0.14.0
BuildRequires: celt051-devel BuildRequires: celt051-devel
BuildRequires: opus-devel BuildRequires: opus-devel
BuildRequires: pixman-devel openssl-devel libjpeg-devel BuildRequires: pixman-devel openssl-devel libjpeg-devel
@ -76,7 +74,12 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%build %build
%define configure_client --disable-client %define configure_client --disable-client
%configure --enable-smartcard --disable-client --enable-lz4 --enable-gstreamer=1.0 %configure \
--enable-smartcard \
--disable-client \
--enable-lz4 \
--enable-celt051 \
--enable-gstreamer=1.0
make %{?_smp_mflags} WARN_CFLAGS='' V=1 make %{?_smp_mflags} WARN_CFLAGS='' V=1
@ -103,6 +106,15 @@ mkdir -p %{buildroot}%{_libexecdir}
%changelog %changelog
* Fri May 17 2019 Victor Toso <victortoso@redhat.com> - 0.14.2-1
- Update to 0.14.2
Resolves: rhbz#1562123
* Fri May 10 2019 Victor Toso <victortoso@redhat.com> - 0.14.0-8
- Fix builds on 8.1.0 branch
- Fix gating test (add bug)
Resolves: rhbz#1686518
* Tue Dec 18 2018 Christophe Fergeau <cfergeau@redhat.com> - 0.14.0-7 * Tue Dec 18 2018 Christophe Fergeau <cfergeau@redhat.com> - 0.14.0-7
- Fix off-by-one error during guest-to-host memory address conversion - Fix off-by-one error during guest-to-host memory address conversion
Resolves: CVE-2019-3813 Resolves: CVE-2019-3813
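Review bot: Dropping `Patch1: 0001-Fix-flexible-array-buffer-overflow.patch` and `Patch2: 0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch` in the first hunk of spice.spec is only safe if both fixes (the demarshaller flexible-array underflow and the memslot off-by-one tracked as CVE-2019-3813) are already in the 0.14.2 tarball, and nothing in the 0.14.2-1 changelog entry records that; "Update to 0.14.2" alone leaves a future reader unable to tell whether the CVE fix was dropped or absorbed. After confirming against the upstream release, I would add a changelog line such as `- Drop patches 0001/0002, included upstream in 0.14.2 (CVE-2019-3813)`. The same hunk also replaces the verification keyring (`Source2: cfergeau-29AC6C82.keyring` → `victortoso-E37A484F.keyring`) and changes Source1 from `.sign` to `.sig`; the existing `gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}` check still runs against it, but a change of the trusted signing key is a supply-chain trust transition and should be named in the changelog (`- Verify tarball with new upstream signing key E37A484F`) so it is auditable. The %changelog hunk appears to end at the last visible context line; if it continues, this note applies to its visible part.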