|
|
9ae3a8 |
From 27d5bab00da6a59c9eae2e5f66dc985f1a0b95ac Mon Sep 17 00:00:00 2001
|
|
|
9ae3a8 |
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
9ae3a8 |
Date: Mon, 15 Sep 2014 13:08:23 +0200
|
|
|
9ae3a8 |
Subject: [PATCH 4/4] spice: make sure we don't overflow ssd->buf
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Message-id: <1410786503-19794-5-git-send-email-kraxel@redhat.com>
|
|
|
9ae3a8 |
Patchwork-id: 61136
|
|
|
9ae3a8 |
O-Subject: [RHEL-7.1 qemu-kvm PATCH 4/4] spice: make sure we don't overflow ssd->buf
|
|
|
9ae3a8 |
Bugzilla: 1139118
|
|
|
9ae3a8 |
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
|
|
|
9ae3a8 |
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
9ae3a8 |
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Related spice-only bug. We have a fixed 16 MB buffer here, being
|
|
|
9ae3a8 |
presented to the spice-server as qxl video memory in case spice is
|
|
|
9ae3a8 |
used with a non-qxl card. It's also used with qxl in vga mode.
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
When using display resolutions requiring more than 16 MB of memory we
|
|
|
9ae3a8 |
are going to overflow that buffer. In theory the guest can write,
|
|
|
9ae3a8 |
indirectly via spice-server. The spice-server clears the memory after
|
|
|
9ae3a8 |
setting a new video mode though, triggering a segfault in the overflow
|
|
|
9ae3a8 |
case, so qemu crashes before the guest has a chance to do something
|
|
|
9ae3a8 |
evil.
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Fix that by switching to dynamic allocation for the buffer.
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
CVE-2014-3615
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Cc: qemu-stable@nongnu.org
|
|
|
9ae3a8 |
Cc: secalert@redhat.com
|
|
|
9ae3a8 |
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
9ae3a8 |
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
|
|
9ae3a8 |
(cherry picked from commit ab9509cceabef28071e41bdfa073083859c949a7)
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
9ae3a8 |
---
|
|
|
9ae3a8 |
ui/spice-display.c | 20 +++++++++++++++-----
|
|
|
9ae3a8 |
1 files changed, 15 insertions(+), 5 deletions(-)
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
diff --git a/ui/spice-display.c b/ui/spice-display.c
|
|
|
9ae3a8 |
index 5d0a21e..dc8be8a 100644
|
|
|
9ae3a8 |
--- a/ui/spice-display.c
|
|
|
9ae3a8 |
+++ b/ui/spice-display.c
|
|
|
9ae3a8 |
@@ -291,11 +291,23 @@ void qemu_spice_create_host_memslot(SimpleSpiceDisplay *ssd)
|
|
|
9ae3a8 |
void qemu_spice_create_host_primary(SimpleSpiceDisplay *ssd)
|
|
|
9ae3a8 |
{
|
|
|
9ae3a8 |
QXLDevSurfaceCreate surface;
|
|
|
9ae3a8 |
+ uint64_t surface_size;
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
memset(&surface, 0, sizeof(surface));
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
- dprint(1, "%s/%d: %dx%d\n", __func__, ssd->qxl.id,
|
|
|
9ae3a8 |
- surface_width(ssd->ds), surface_height(ssd->ds));
|
|
|
9ae3a8 |
+ surface_size = (uint64_t) surface_width(ssd->ds) *
|
|
|
9ae3a8 |
+ surface_height(ssd->ds) * 4;
|
|
|
9ae3a8 |
+ assert(surface_size > 0);
|
|
|
9ae3a8 |
+ assert(surface_size < INT_MAX);
|
|
|
9ae3a8 |
+ if (ssd->bufsize < surface_size) {
|
|
|
9ae3a8 |
+ ssd->bufsize = surface_size;
|
|
|
9ae3a8 |
+ g_free(ssd->buf);
|
|
|
9ae3a8 |
+ ssd->buf = g_malloc(ssd->bufsize);
|
|
|
9ae3a8 |
+ }
|
|
|
9ae3a8 |
+
|
|
|
9ae3a8 |
+ dprint(1, "%s/%d: %ux%u (size %" PRIu64 "/%d)\n", __func__, ssd->qxl.id,
|
|
|
9ae3a8 |
+ surface_width(ssd->ds), surface_height(ssd->ds),
|
|
|
9ae3a8 |
+ surface_size, ssd->bufsize);
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
surface.format = SPICE_SURFACE_FMT_32_xRGB;
|
|
|
9ae3a8 |
surface.width = surface_width(ssd->ds);
|
|
|
9ae3a8 |
@@ -326,8 +338,6 @@ void qemu_spice_display_init_common(SimpleSpiceDisplay *ssd)
|
|
|
9ae3a8 |
if (ssd->num_surfaces == 0) {
|
|
|
9ae3a8 |
ssd->num_surfaces = 1024;
|
|
|
9ae3a8 |
}
|
|
|
9ae3a8 |
- ssd->bufsize = (16 * 1024 * 1024);
|
|
|
9ae3a8 |
- ssd->buf = g_malloc(ssd->bufsize);
|
|
|
9ae3a8 |
}
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
/* display listener callbacks */
|
|
|
9ae3a8 |
@@ -446,7 +456,7 @@ static void interface_get_init_info(QXLInstance *sin, QXLDevInitInfo *info)
|
|
|
9ae3a8 |
info->num_memslots = NUM_MEMSLOTS;
|
|
|
9ae3a8 |
info->num_memslots_groups = NUM_MEMSLOTS_GROUPS;
|
|
|
9ae3a8 |
info->internal_groupslot_id = 0;
|
|
|
9ae3a8 |
- info->qxl_ram_size = ssd->bufsize;
|
|
|
9ae3a8 |
+ info->qxl_ram_size = 16 * 1024 * 1024;
|
|
|
9ae3a8 |
info->n_surfaces = ssd->num_surfaces;
|
|
|
9ae3a8 |
}
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
--
|
|
|
9ae3a8 |
1.7.1
|
|
|
9ae3a8 |
|