path: root/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
author    Peter Korsgaard <peter@korsgaard.com>  2017-06-22 00:07:44 +0200
committer Peter Korsgaard <peter@korsgaard.com>  2017-06-22 23:25:38 +0200
commit    087e70498ab25c76cd8542100361f79af7580eb7 (patch)
tree      e07f8d15460aaf9f5f4803a04ecf39aa96f8c36c /package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
parent    75057fe76742188455a5218b47cdf4116d84c268 (diff)
download  buildroot-087e70498ab25c76cd8542100361f79af7580eb7.tar.gz
          buildroot-087e70498ab25c76cd8542100361f79af7580eb7.zip
spice: add post-0.12.8 upstream security fixes
Fixes the following security issues:

CVE-2016-9577

Frediano Ziglio of Red Hat discovered a buffer overflow vulnerability in
the main_channel_alloc_msg_rcv_buf function. An authenticated attacker
can take advantage of this flaw to cause a denial of service (spice
server crash), or possibly, execute arbitrary code.

CVE-2016-9578

Frediano Ziglio of Red Hat discovered that spice does not properly
validate incoming messages. An attacker able to connect to the spice
server could send crafted messages which would cause the process to
crash.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch')
-rw-r--r--  package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch | 43
1 files changed, 43 insertions, 0 deletions
diff --git a/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch b/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
new file mode 100644
index 0000000000..5bf9b89d17
--- /dev/null
+++ b/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
@@ -0,0 +1,43 @@
+From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 13 Dec 2016 14:40:10 +0000
+Subject: [PATCH] Prevent integer overflows in capability checks
+
+The limits for capabilities are specified using 32 bit unsigned integers.
+This could cause possible integer overflows causing buffer overflows.
+For instance the sum of num_common_caps and num_caps can be 0 avoiding
+additional checks.
+As the link message is now capped to 4096 and the capabilities are
+contained in the link message limit the capabilities to 1024
+(capabilities are expressed in number of uint32_t items).
+
+[Peter: fixes CVE-2016-9578]
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ server/reds.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/server/reds.c b/server/reds.c
+index 86a33d53..91504544 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
+ link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
+ link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
+
++ /* Prevent DoS. Currently we defined only 13 capabilities,
++ * I expect 1024 to be valid for quite a lot time */
++ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
++ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
++ reds_link_free(link);
++ return;
++ }
++
+ num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
+ caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
+
+--
+2.11.0
+
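Review bot: the new bound only closes the overflow in combination with the 4096-byte link message cap that the patch description refers to ("the link message is now capped to 4096"), and that cap is not part of this hunk, so 0002 is only effective when the preceding patch in the series is applied as well; the bracketed `[Peter: ...]` note should name that dependency so the two patches are not carried or dropped independently. Within the hunk, the limit 1024 appears twice as a bare literal in `if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024)`; a named constant placed next to the "Currently we defined only 13 capabilities" comment would keep the value and its justification together and make the later `num_caps` bound (at most 2048 after this check, so the addition on the following line can no longer wrap) self-documenting. Note also that `link_mess->caps_offset` is still used unvalidated two lines below the new check; this hunk bounds the count of capabilities but not where in the message they start, which is presumably what the separate message-size cap covers.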