File CVE-2016-0749-smartcard-allocate-msg-with-the-e... of Package spice

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-0749-smartcard-allocate-msg-with-the-expected-size.patch of Package spice (Revision 0fd393f9a9b4322175574672b84dbd75)

Currently displaying revision 0fd393f9a9b4322175574672b84dbd75 , Show latest

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Marc-Andre Lureau <marcandre.lureau@redhat.com>
Date: Thu, 17 Dec 2015 18:16:22 +0100
Subject: [PATCH] smartcard: allocate msg with the expected size

==529== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040009c098 at pc 0x7fffee0eda6d bp 0x7fffffffcd00 sp 0x7fffffffccf0
WRITE of size 4 at 0x60040009c098 thread T0
    #0 0x7fffee0eda6c in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334
    #1 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642
    #2 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757
    #3 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304
    #4 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322
    #5 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561
    #6 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143
    #7 0x555555c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504
    #8 0x5555556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818
    #9 0x5555556f160c in main /home/elmarco/src/qemu/vl.c:4394
    #10 0x7fffed80eb14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274
    #11 0x5555556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20)
0x60040009c098 is located 0 bytes to the right of 8-byte region [0x60040009c090,0x60040009c098)
allocated by thread T0 here:
    #0 0x7ffff4e612be in __interceptor_realloc /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:92
    #1 0x7fffee121308 in spice_realloc /home/elmarco/pkg/spice/spice-0.12.4/spice-common/common/mem.c:123
    #2 0x7fffee004a48 in __spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:516
    #3 0x7fffee004e87 in spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:557
    #4 0x7fffee0ed8b9 in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:325
    #5 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642
    #6 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757
    #7 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304
    #8 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322
    #9 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561
    #10 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334 smartcard_char_device_notify_reader_add

Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com>
---
 server/smartcard.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/smartcard.c b/server/smartcard.c
index 8d529fe..3043ad1 100644
--- a/server/smartcard.c
+++ b/server/smartcard.c
@@ -325,7 +325,7 @@ static void smartcard_char_device_notify_reader_add(SmartCardDeviceState *st)
     SpiceCharDeviceWriteBuffer *write_buf;
     VSCMsgHeader *vheader;
 
-    write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(vheader));
+    write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(*vheader));
     if (!write_buf) {
         spice_error("failed to allocate write buffer");
         return;
@@ -372,7 +372,7 @@ static void smartcard_char_device_notify_reader_remove(SmartCardDeviceState *st)
         spice_debug("reader add was never sent to the device");
         return;
     }
-    write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(vheader));
+    write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(*vheader));
     if (!write_buf) {
         spice_error("failed to allocate write buffer");
         return;

Places

File CVE-2016-0749-smartcard-allocate-msg-with-the-expected-size.patch of Package spice (Revision 0fd393f9a9b4322175574672b84dbd75)

Places