package/spice/0006-reds-Avoid-buffer-overflows-handling-monitor-configu.patch - buildroot - Git at Google

 From a957a90baf2c62d31f3547e56bba7d0e812d2331 Mon Sep 17 00:00:00 2001
 From: Frediano Ziglio <fziglio@redhat.com>
 Date: Mon, 15 May 2017 15:57:28 +0100
 Subject: [PATCH] reds: Avoid buffer overflows handling monitor
  configuration

 It was also possible for a malicious client to set
 VDAgentMonitorsConfig::num_of_monitors to a number larger
 than the actual size of VDAgentMOnitorsConfig::monitors.
 This would lead to buffer overflows, which could allow the guest to
 read part of the host memory. This might cause write overflows in the
 host as well, but controlling the content of such buffers seems
 complicated.

 Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 ---
  server/reds.c | 7 +++++++
  1 file changed, 7 insertions(+)

 diff --git a/server/reds.c b/server/reds.c
 index e1c8c108..3a42c375 100644
 --- a/server/reds.c
 +++ b/server/reds.c
 @@ -1000,6 +1000,7 @@ static void reds_on_main_agent_monitors_config(
      VDAgentMessage *msg_header;
      VDAgentMonitorsConfig *monitors_config;
      RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
 +    uint32_t max_monitors;

      // limit size of message sent by the client as this can cause a DoS through
      // memory exhaustion, or potentially some integer overflows
 @@ -1028,6 +1029,12 @@ static void reds_on_main_agent_monitors_config(
          goto overflow;
      }
      monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
 +    // limit the monitor number to avoid buffer overflows
 +    max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) /
 +                   sizeof(VDAgentMonConfig);
 +    if (monitors_config->num_of_monitors > max_monitors) {
 +        goto overflow;
 +    }
      spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
      red_dispatcher_client_monitors_config(monitors_config);
      reds_client_monitors_config_cleanup();
 --
 2.11.0
	From a957a90baf2c62d31f3547e56bba7d0e812d2331 Mon Sep 17 00:00:00 2001
	From: Frediano Ziglio <fziglio@redhat.com>
	Date: Mon, 15 May 2017 15:57:28 +0100
	Subject: [PATCH] reds: Avoid buffer overflows handling monitor
	configuration

	It was also possible for a malicious client to set
	VDAgentMonitorsConfig::num_of_monitors to a number larger
	than the actual size of VDAgentMOnitorsConfig::monitors.
	This would lead to buffer overflows, which could allow the guest to
	read part of the host memory. This might cause write overflows in the
	host as well, but controlling the content of such buffers seems
	complicated.

	Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
	---
	server/reds.c \| 7 +++++++
	1 file changed, 7 insertions(+)

	diff --git a/server/reds.c b/server/reds.c
	index e1c8c108..3a42c375 100644
	--- a/server/reds.c
	+++ b/server/reds.c
	@@ -1000,6 +1000,7 @@ static void reds_on_main_agent_monitors_config(
	VDAgentMessage *msg_header;
	VDAgentMonitorsConfig *monitors_config;
	RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
	+ uint32_t max_monitors;

	// limit size of message sent by the client as this can cause a DoS through
	// memory exhaustion, or potentially some integer overflows
	@@ -1028,6 +1029,12 @@ static void reds_on_main_agent_monitors_config(
	goto overflow;
	}
	monitors_config = (VDAgentMonitorsConfig )(cmc->buffer + sizeof(msg_header));
	+ // limit the monitor number to avoid buffer overflows
	+ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) /
	+ sizeof(VDAgentMonConfig);
	+ if (monitors_config->num_of_monitors > max_monitors) {
	+ goto overflow;
	+ }
	spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
	red_dispatcher_client_monitors_config(monitors_config);
	reds_client_monitors_config_cleanup();
	--
	2.11.0