File cve-2015-3247.patch of Package spice.4108

Overview Repositories Revisions Requests Users Attributes Meta

File cve-2015-3247.patch of Package spice.4108

From 524eef10c6c6c2f3f30be28c56b8f96adc7901f0 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 9 Jun 2015 08:50:46 +0100
Subject: [PATCH] Avoid race conditions reading monitor configs from guest

For security reasons do not assume guest do not change structures it
pass to Qemu.
Guest could change count field while Qemu is copying QXLMonitorsConfig
structure leading to heap corruption.
This patch avoid it reading count only once.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
---
 server/red_worker.c | 46 ++++++++++++++++++++++++++++++++--------------
 1 file changed, 32 insertions(+), 14 deletions(-)

diff --git a/server/red_worker.c b/server/red_worker.c
index 9e6a6ad..955cac2 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -11270,7 +11270,8 @@ static inline void red_monitors_config_item_add(DisplayChannelClient *dcc)
 }
 
 static void worker_update_monitors_config(RedWorker *worker,
-                                          QXLMonitorsConfig *dev_monitors_config)
+                                          QXLMonitorsConfig *dev_monitors_config,
+                                          uint16_t count, uint16_t max_allowed)
 {
     int heads_size;
     MonitorsConfig *monitors_config;
@@ -11279,22 +11280,22 @@ static void worker_update_monitors_config(RedWorker *worker,
     monitors_config_decref(worker->monitors_config);
 
     spice_debug("monitors config %d(%d)",
-                dev_monitors_config->count,
-                dev_monitors_config->max_allowed);
-    for (i = 0; i < dev_monitors_config->count; i++) {
+                count,
+                max_allowed);
+    for (i = 0; i < count; i++) {
         spice_debug("+%d+%d %dx%d",
                     dev_monitors_config->heads[i].x,
                     dev_monitors_config->heads[i].y,
                     dev_monitors_config->heads[i].width,
                     dev_monitors_config->heads[i].height);
     }
-    heads_size = dev_monitors_config->count * sizeof(QXLHead);
+    heads_size = count * sizeof(QXLHead);
     worker->monitors_config = monitors_config =
         spice_malloc(sizeof(*monitors_config) + heads_size);
     monitors_config->refs = 1;
     monitors_config->worker = worker;
-    monitors_config->count = dev_monitors_config->count;
-    monitors_config->max_allowed = dev_monitors_config->max_allowed;
+    monitors_config->count = count;
+    monitors_config->max_allowed = max_allowed;
     memcpy(monitors_config->heads, dev_monitors_config->heads, heads_size);
 }
 
@@ -11678,33 +11679,50 @@ void handle_dev_display_migrate(void *opaque, void *payload)
     red_migrate_display(worker, rcc);
 }
 
+static inline uint32_t qxl_monitors_config_size(uint32_t heads)
+{
+    return sizeof(QXLMonitorsConfig) + sizeof(QXLHead) * heads;
+}
+
 static void handle_dev_monitors_config_async(void *opaque, void *payload)
 {
     RedWorkerMessageMonitorsConfigAsync *msg = payload;
     RedWorker *worker = opaque;
-    int min_size = sizeof(QXLMonitorsConfig) + sizeof(QXLHead);
     int error;
+    uint16_t count, max_allowed;
     QXLMonitorsConfig *dev_monitors_config =
         (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config,
-                                     min_size, msg->group_id, &error);
+                                     qxl_monitors_config_size(1),
+                                     msg->group_id, &error);
 
     if (error) {
         /* TODO: raise guest bug (requires added QXL interface) */
         return;
     }
     worker->driver_cap_monitors_config = 1;
-    if (dev_monitors_config->count == 0) {
+    count = dev_monitors_config->count;
+    max_allowed = dev_monitors_config->max_allowed;
+    if (count == 0) {
         spice_warning("ignoring an empty monitors config message from driver");
         return;
     }
-    if (dev_monitors_config->count > dev_monitors_config->max_allowed) {
+    if (count > max_allowed) {
         spice_warning("ignoring malformed monitors_config from driver, "
                       "count > max_allowed %d > %d",
-                      dev_monitors_config->count,
-                      dev_monitors_config->max_allowed);
+                      count,
+                      max_allowed);
         return;
     }
-    worker_update_monitors_config(worker, dev_monitors_config);
+    /* get pointer again to check virtual size */
+    dev_monitors_config =
+        (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config,
+                                     qxl_monitors_config_size(count),
+                                     msg->group_id, &error);
+    if (error) {
+        /* TODO: raise guest bug (requires added QXL interface) */
+        return;
+    }
+    worker_update_monitors_config(worker, dev_monitors_config, count, max_allowed);
     red_worker_push_monitors_config(worker);
 }

Places

File cve-2015-3247.patch of Package spice.4108

Places