File 0001-memslot-Fix-off-by-one-error-in-group-slot... of Package spice.10135

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch of Package spice.10135

From 3e1d68efb34b541d78a7038b00b030a8e18aa71c Mon Sep 17 00:00:00 2001
From: Christophe Fergeau <cfergeau@redhat.com>
Date: Thu, 29 Nov 2018 14:18:39 +0100
Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check

RedMemSlotInfo keeps an array of groups, and each group contains an
array of slots. Unfortunately, these checks are off by 1, they check
that the index is greater or equal to the number of elements in the
array, while these arrays are 0 based. The check should only check for
strictly greater than the number of elements.

For the group array, this is not a big issue, as these memslot groups
are created by spice-server users (eg QEMU), and the group ids used to
index that array are also generated by the spice-server user, so it
should not be possible for the guest to set them to arbitrary values.

The slot id is more problematic, as it's calculated from a QXLPHYSICAL
address, and such addresses are usually set by the guest QXL driver, so
the guest can set these to arbitrary values, including malicious values,
which are probably easy to build from the guest PCI configuration.

This patch fixes the arrays bound check, and adds a test case for this.

Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
[BR: BSC#1122706 CVE-2019-3813, test case dropped]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 server/red_memslots.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/red_memslots.c b/server/red_memslots.c
index 1b3ec622..c0590a19 100644
--- a/server/red_memslots.c
+++ b/server/red_memslots.c
@@ -86,14 +86,14 @@ unsigned long get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t add_size
     MemSlot *slot;
 
     *error = 0;
-    if (group_id > info->num_memslots_groups) {
+    if (group_id >= info->num_memslots_groups) {
         spice_critical("group_id too big");
         *error = 1;
         return 0;
     }
 
     slot_id = get_memslot_id(info, addr);
-    if (slot_id > info->num_memslots) {
+    if (slot_id >= info->num_memslots) {
         print_memslots(info);
         spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
         *error = 1;
-- 
2.20.1

Places

File 0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch of Package spice.10135

Places