Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:Update
qemu.9341
0248-io-monitor-encoutput-buffer-size-fr.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0248-io-monitor-encoutput-buffer-size-fr.patch of Package qemu.9341
From b33fb0ee4c6bff833f2762d5b8db1721fdc75b2b Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" <berrange@redhat.com> Date: Wed, 18 Oct 2017 14:51:33 -0600 Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource The websocket GSource is monitoring the size of the rawoutput buffer to determine if the channel can accepts more writes. The rawoutput buffer, however, is merely a temporary staging buffer before data is copied into the encoutput buffer. Thus its size will always be zero when the GSource runs. This flaw causes the encoutput buffer to grow without bound if the other end of the underlying data channel doesn't read data being sent. This can be seen with VNC if a client is on a slow WAN link and the guest OS is sending many screen updates. A malicious VNC client can act like it is on a slow link by playing a video in the guest and then reading data very slowly, causing QEMU host memory to expand arbitrarily. This issue is assigned CVE-2017-15268, publically reported in https://bugs.launchpad.net/qemu/+bug/1718964 (cherry picked from commit a7b20a8efa28e5f22c26c06cd06c2f12bc863493) Reviewed-by: Eric Blake <eblake@redhat.com> [Dan: Added extra checks to deal with code refactored in master but not stable 2.10] Signed-off-by: Daniel P. Berrange <berrange@redhat.com> [BR: BSC#1062942 CVE-2017-15268] Signed-off-by: Bruce Rogers <brogers@suse.com> --- io/channel-websock.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/io/channel-websock.c b/io/channel-websock.c index d5a4ed3f9c..d97358dfbf 100644 --- a/io/channel-websock.c +++ b/io/channel-websock.c @@ -25,7 +25,7 @@ #include "trace.h" -/* Max amount to allow in rawinput/rawoutput buffers */ +/* Max amount to allow in rawinput/encoutput buffers */ #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192 #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24 @@ -853,7 +853,7 @@ qio_channel_websock_source_prepare(GSource *source, if (wsource->wioc->rawinput.offset) { cond |= G_IO_IN; } - if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { + if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { cond |= G_IO_OUT; } @@ -869,7 +869,7 @@ qio_channel_websock_source_check(GSource *source) if (wsource->wioc->rawinput.offset) { cond |= G_IO_IN; } - if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { + if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { cond |= G_IO_OUT; } @@ -888,7 +888,7 @@ qio_channel_websock_source_dispatch(GSource *source, if (wsource->wioc->rawinput.offset) { cond |= G_IO_IN; } - if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { + if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { cond |= G_IO_OUT; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor