Blame SOURCES/libvirt-qemu-avoid-denial-of-service-reading-from-QEMU-guest-agent-CVE-2018-1064.patch

147b37
From d0b7ef97c4c5fe871664f2a952c8c3b0b4417d23 Mon Sep 17 00:00:00 2001
147b37
Message-Id: <d0b7ef97c4c5fe871664f2a952c8c3b0b4417d23@dist-git>
147b37
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
147b37
Date: Thu, 1 Mar 2018 14:55:26 +0000
147b37
Subject: [PATCH] qemu: avoid denial of service reading from QEMU guest agent
147b37
 (CVE-2018-1064)
147b37
MIME-Version: 1.0
147b37
Content-Type: text/plain; charset=UTF-8
147b37
Content-Transfer-Encoding: 8bit
147b37
147b37
We read from the agent until seeing a \r\n pair to indicate a completed
147b37
reply or event. To avoid memory denial-of-service though, we must have a
147b37
size limit on amount of data we buffer. 10 MB is large enough that it
147b37
ought to cope with normal agent replies, and small enough that we're not
147b37
consuming unreasonable mem.
147b37
147b37
This is identical to the flaw we had reading from the QEMU monitor
147b37
as CVE-2018-5748, so rather embarrassing that we forgot to fix
147b37
the agent code at the same time.
147b37
147b37
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
147b37
(cherry picked from commit fbf31e1a4cd19d6f6e33e0937a009775cd7d9513)
147b37
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
147b37
Reviewed-by: Ján Tomko <jtomko@redhat.com>
147b37
---
147b37
 src/qemu/qemu_agent.c | 15 +++++++++++++++
147b37
 1 file changed, 15 insertions(+)
147b37
147b37
diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
147b37
index 5d125c4138..9cf767bd8a 100644
147b37
--- a/src/qemu/qemu_agent.c
147b37
+++ b/src/qemu/qemu_agent.c
147b37
@@ -53,6 +53,15 @@ VIR_LOG_INIT("qemu.qemu_agent");
147b37
 #define DEBUG_IO 0
147b37
 #define DEBUG_RAW_IO 0
147b37
 
147b37
+/* We read from QEMU until seeing a \r\n pair to indicate a
147b37
+ * completed reply or event. To avoid memory denial-of-service
147b37
+ * though, we must have a size limit on amount of data we
147b37
+ * buffer. 10 MB is large enough that it ought to cope with
147b37
+ * normal QEMU replies, and small enough that we're not
147b37
+ * consuming unreasonable mem.
147b37
+ */
147b37
+#define QEMU_AGENT_MAX_RESPONSE (10 * 1024 * 1024)
147b37
+
147b37
 /* When you are the first to uncomment this,
147b37
  * don't forget to uncomment the corresponding
147b37
  * part in qemuAgentIOProcessEvent as well.
147b37
@@ -535,6 +544,12 @@ qemuAgentIORead(qemuAgentPtr mon)
147b37
     int ret = 0;
147b37
 
147b37
     if (avail < 1024) {
147b37
+        if (mon->bufferLength >= QEMU_AGENT_MAX_RESPONSE) {
147b37
+            virReportSystemError(ERANGE,
147b37
+                                 _("No complete agent response found in %d bytes"),
147b37
+                                 QEMU_AGENT_MAX_RESPONSE);
147b37
+            return -1;
147b37
+        }
147b37
         if (VIR_REALLOC_N(mon->buffer,
147b37
                           mon->bufferLength + 1024) < 0)
147b37
             return -1;
147b37
-- 
147b37
2.17.0
147b37