Fix CVE-2019-3813

Fix off-by-one error during guest-to-host memory address conversion Resolves: CVE-2019-3813
2019-01-24 15:21:13 +01:00 · 2019-01-24 15:21:13 +01:00 · d8d79a1fe1
commit d8d79a1fe1
parent 5e7b62fa49
2 changed files with 104 additions and 1 deletions
--- a/0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
+++ b/0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
@ -0,0 +1,98 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau <cfergeau@redhat.com>
+Date: Thu, 29 Nov 2018 14:18:39 +0100
+Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check
+
+RedMemSlotInfo keeps an array of groups, and each group contains an
+array of slots. Unfortunately, these checks are off by 1, they check
+that the index is greater or equal to the number of elements in the
+array, while these arrays are 0 based. The check should only check for
+strictly greater than the number of elements.
+
+For the group array, this is not a big issue, as these memslot groups
+are created by spice-server users (eg QEMU), and the group ids used to
+index that array are also generated by the spice-server user, so it
+should not be possible for the guest to set them to arbitrary values.
+
+The slot id is more problematic, as it's calculated from a QXLPHYSICAL
+address, and such addresses are usually set by the guest QXL driver, so
+the guest can set these to arbitrary values, including malicious values,
+which are probably easy to build from the guest PCI configuration.
+
+This patch fixes the arrays bound check, and adds a test case for this.
+This fixes CVE-2019-3813.
+
+Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
+---
+ server/memslot.c                |  4 ++--
+ server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/server/memslot.c b/server/memslot.c
+index ede77e7..ea6f981 100644
+--- a/server/memslot.c
+++ b/server/memslot.c
+@@ -97,13 +97,13 @@ void *memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t add_size
+ 
+     MemSlot *slot;
+ 
+-    if (group_id > info->num_memslots_groups) {
+    if (group_id >= info->num_memslots_groups) {
+         spice_critical("group_id too big");
+         return NULL;
+     }
+ 
+     slot_id = memslot_get_id(info, addr);
+-    if (slot_id > info->num_memslots) {
+    if (slot_id >= info->num_memslots) {
+         print_memslots(info);
+         spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
+         return NULL;
+diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c
+index 47139a4..5b8d0f2 100644
+--- a/server/tests/test-qxl-parsing.c
+++ b/server/tests/test-qxl-parsing.c
+@@ -85,6 +85,31 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl)
+     g_free(from_physical(qxl->u.surface_create.data));
+ }
+ 
+static void test_memslot_invalid_group_id(void)
+{
+    RedMemSlotInfo mem_info;
+    init_meminfo(&mem_info);
+
+    memslot_get_virt(&mem_info, 0, 16, 1);
+}
+
+static void test_memslot_invalid_slot_id(void)
+{
+    RedMemSlotInfo mem_info;
+    init_meminfo(&mem_info);
+
+    memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0);
+}
+
+static void test_memslot_invalid_addresses(void)
+{
+    g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0);
+    g_test_trap_assert_stderr("*group_id too big*");
+
+    g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0);
+    g_test_trap_assert_stderr("*slot_id 1 too big*");
+}
+
+ static void test_no_issues(void)
+ {
+     RedMemSlotInfo mem_info;
+@@ -262,6 +287,11 @@ int main(int argc, char *argv[])
+ {
+     g_test_init(&argc, &argv, NULL);
+ 
+    /* try to use invalid memslot group/slot */
+    g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses);
+    g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id);
+    g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id);
+
+     /* try to create a surface with no issues, should succeed */
+     g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues);
+ 
--- a/spice.spec
+++ b/spice.spec
@ -1,12 +1,13 @@
 Name:           spice
 Version:        0.14.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Implements the SPICE protocol
 License:        LGPLv2+
 URL:            http://www.spice-space.org/
 Source0:        http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
 Source1:        http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign
 Source2:        cfergeau-29AC6C82.keyring
+Patch1:         0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch

 # https://bugzilla.redhat.com/show_bug.cgi?id=613529
 %if 0%{?rhel} && 0%{?rhel} <= 7
@ -96,6 +97,10 @@ mkdir -p %{buildroot}%{_libexecdir}


 %changelog
+* Tue Feb 05 2019 Christophe Fergeau <cfergeau@redhat.com> - 0.14.1-3
+- Fix off-by-one error during guest-to-host memory address conversion
+  Resolves: CVE-2019-3813
+
 * Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.14.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild