Add upstream patches fixing CVE-2016-9577 and CVE-2016-9578

This commit is contained in:
Christophe Fergeau 2017-02-06 18:44:11 +01:00
parent b9a1c60a98
commit d919d639ae
4 changed files with 140 additions and 2 deletions

View File

@ -0,0 +1,59 @@
From ec124b982abcd23364963ffcd4c370b1ec962fc9 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 13 Dec 2016 14:39:48 +0000
Subject: [spice-server 1/3] Prevent possible DoS attempts during protocol
handshake
The limit for link message is specified using a 32 bit unsigned integer.
This could cause possible DoS due to excessive memory allocations and
some possible crashes.
For instance a value >= 2^31 causes a spice_assert to be triggered in
async_read_handler (reds-stream.c) due to an integer overflow at this
line:
int n = async->end - async->now;
This could be easily triggered with a program like
#!/usr/bin/env python
import socket
import time
from struct import pack
server = '127.0.0.1'
port = 5900
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)
s.send(data)
time.sleep(1)
without requiring any authentication (the same can be done
with TLS).
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
server/reds.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/reds.c b/server/reds.c
index 8ef4efe..e7ebc43 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2270,7 +2270,8 @@ static void reds_handle_read_header_done(void *opaque)
return;
}
- if (header->size < sizeof(SpiceLinkMess)) {
+ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
+ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
spice_warning("bad size %u", header->size);
reds_link_free(link);
--
2.9.3

View File

@ -0,0 +1,41 @@
From e16eee1d8be00b186437bf61e4e1871cd8d0211a Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 13 Dec 2016 14:40:10 +0000
Subject: [spice-server 2/3] Prevent integer overflows in capability checks
The limits for capabilities are specified using 32 bit unsigned integers.
This could cause possible integer overflows causing buffer overflows.
For instance the sum of num_common_caps and num_caps can be 0 avoiding
additional checks.
As the link message is now capped to 4096 and the capabilities are
contained in the link message limit the capabilities to 1024
(capabilities are expressed in number of uint32_t items).
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
server/reds.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/server/reds.c b/server/reds.c
index e7ebc43..953a95a 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2186,6 +2186,14 @@ static void reds_handle_read_link_done(void *opaque)
link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
+ /* Prevent DoS. Currently we defined only 13 capabilities,
+ * I expect 1024 to be valid for quite a lot time */
+ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+ reds_link_free(link);
+ return;
+ }
+
num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
--
2.9.3

View File

@ -0,0 +1,32 @@
From 1d3e26c0ee75712fa4bbbcfa09d8d5866b66c8af Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 29 Nov 2016 16:46:56 +0000
Subject: [spice-server 3/3] main-channel: Prevent overflow reading messages
from client
Caller is supposed the function return a buffer able to store
size bytes.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
server/main-channel.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/server/main-channel.c b/server/main-channel.c
index 24dd448..1124506 100644
--- a/server/main-channel.c
+++ b/server/main-channel.c
@@ -258,6 +258,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
return reds_get_agent_data_buffer(red_channel_get_server(channel), mcc, size);
+ } else if (size > sizeof(main_chan->recv_buf)) {
+ /* message too large, caller will log a message and close the connection */
+ return NULL;
} else {
return main_chan->recv_buf;
}
--
2.9.3

View File

@ -1,6 +1,6 @@
Name: spice
Version: 0.13.3
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Implements the SPICE protocol
Group: User Interface/Desktops
License: LGPLv2+
@ -8,6 +8,9 @@ URL: http://www.spice-space.org/
Source0: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
Source1: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign
Source2: cfergeau-29AC6C82.keyring
Patch1: 0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
Patch2: 0002-Prevent-integer-overflows-in-capability-checks.patch
Patch3: 0003-main-channel-Prevent-overflow-reading-messages-from-.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=613529
%if 0%{?rhel}
@ -65,7 +68,7 @@ using spice-server, you will need to install spice-server-devel.
%prep
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q
%autosetup -S git_am
%build
@ -98,6 +101,9 @@ mkdir -p %{buildroot}%{_libexecdir}
%changelog
* Mon Feb 06 2017 Christophe Fergeau <cfergeau@redhat.com> 0.13.3-2
- Add upstream patches fixing CVE-2016-9577 and CVE-2016-9578
* Mon Nov 21 2016 Christophe Fergeau <cfergeau@redhat.com> 0.13.3-1
- Update to spice 0.13.3