rpms/spice
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2019-3813

Browse Source 
Fix off-by-one error during guest-to-host memory address conversion

Resolves: CVE-2019-3813
This commit is contained in:
Christophe Fergeau 2019-01-24 15:21:13 +01:00
parent 5e7b62fa49
commit d8d79a1fe1
2 changed files with 104 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch Normal file
View File

@ -0,0 +1,98 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christophe Fergeau <cfergeau@redhat.com>
Date: Thu, 29 Nov 2018 14:18:39 +0100
Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check
RedMemSlotInfo keeps an array of groups, and each group contains an
array of slots. Unfortunately, these checks are off by 1, they check
that the index is greater or equal to the number of elements in the
array, while these arrays are 0 based. The check should only check for
strictly greater than the number of elements.
For the group array, this is not a big issue, as these memslot groups
are created by spice-server users (eg QEMU), and the group ids used to
index that array are also generated by the spice-server user, so it
should not be possible for the guest to set them to arbitrary values.
The slot id is more problematic, as it's calculated from a QXLPHYSICAL
address, and such addresses are usually set by the guest QXL driver, so
the guest can set these to arbitrary values, including malicious values,
which are probably easy to build from the guest PCI configuration.
This patch fixes the arrays bound check, and adds a test case for this.
This fixes CVE-2019-3813.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
---
server/memslot.c | 4 ++--
server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++
2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/server/memslot.c b/server/memslot.c
index ede77e7..ea6f981 100644
--- a/server/memslot.c
+++ b/server/memslot.c
@@ -97,13 +97,13 @@ void *memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t add_size
MemSlot *slot;
- if (group_id > info->num_memslots_groups) {
+ if (group_id >= info->num_memslots_groups) {
spice_critical("group_id too big");
return NULL;
}
slot_id = memslot_get_id(info, addr);
- if (slot_id > info->num_memslots) {
+ if (slot_id >= info->num_memslots) {
print_memslots(info);
spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
return NULL;
diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c
index 47139a4..5b8d0f2 100644
--- a/server/tests/test-qxl-parsing.c
+++ b/server/tests/test-qxl-parsing.c
@@ -85,6 +85,31 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl)
g_free(from_physical(qxl->u.surface_create.data));
}
+static void test_memslot_invalid_group_id(void)
+{
+ RedMemSlotInfo mem_info;
+ init_meminfo(&mem_info);
+
+ memslot_get_virt(&mem_info, 0, 16, 1);
+}
+
+static void test_memslot_invalid_slot_id(void)
+{
+ RedMemSlotInfo mem_info;
+ init_meminfo(&mem_info);
+
+ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0);
+}
+
+static void test_memslot_invalid_addresses(void)
+{
+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0);
+ g_test_trap_assert_stderr("*group_id too big*");
+
+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0);
+ g_test_trap_assert_stderr("*slot_id 1 too big*");
+}
+
static void test_no_issues(void)
{
RedMemSlotInfo mem_info;
@@ -262,6 +287,11 @@ int main(int argc, char *argv[])
{
g_test_init(&argc, &argv, NULL);
+ /* try to use invalid memslot group/slot */
+ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses);
+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id);
+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id);
+
/* try to create a surface with no issues, should succeed */
g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues);

7
spice.spec
View File

@ -1,12 +1,13 @@
Name: spice Name: spice
Version: 0.14.1 Version: 0.14.1
Release: 2%{?dist} Release: 3%{?dist}
Summary: Implements the SPICE protocol Summary: Implements the SPICE protocol
License: LGPLv2+ License: LGPLv2+
URL: http://www.spice-space.org/ URL: http://www.spice-space.org/
Source0: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2 Source0: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
Source1: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign Source1: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign
Source2: cfergeau-29AC6C82.keyring Source2: cfergeau-29AC6C82.keyring
Patch1: 0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=613529 # https://bugzilla.redhat.com/show_bug.cgi?id=613529
%if 0%{?rhel} && 0%{?rhel} <= 7 %if 0%{?rhel} && 0%{?rhel} <= 7
@ -96,6 +97,10 @@ mkdir -p %{buildroot}%{_libexecdir}
%changelog %changelog
* Tue Feb 05 2019 Christophe Fergeau <cfergeau@redhat.com> - 0.14.1-3
- Fix off-by-one error during guest-to-host memory address conversion
Resolves: CVE-2019-3813
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.14.1-2 * Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.14.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild