Control: tags 920762 + patch
Control: tags 920762 + pending

Dear maintainer,
I've prepared an NMU for spice (versioned as 0.14.0-1.3) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore
diff -Nru spice-0.14.0/debian/changelog spice-0.14.0/debian/changelog --- spice-0.14.0/debian/changelog 2018-10-11 23:41:48.000000000 +0200 +++ spice-0.14.0/debian/changelog 2019-01-28 13:04:44.000000000 +0100 @@ -1,3 +1,11 @@ +spice (0.14.0-1.3) unstable; urgency=medium + + * Non-maintainer upload. + * memslot: Fix off-by-one error in group/slot boundary check (CVE-2019-3813) + (Closes: #920762) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 28 Jan 2019 13:04:44 +0100 + spice (0.14.0-1.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru spice-0.14.0/debian/patches/memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch spice-0.14.0/debian/patches/memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch --- spice-0.14.0/debian/patches/memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch 1970-01-01 01:00:00.000000000 +0100 +++ spice-0.14.0/debian/patches/memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch 2019-01-28 13:04:44.000000000 +0100 
@@ -0,0 +1,46 @@ +From 6eff47e72cb2f23d168be58bab8bdd60df49afd0 Mon Sep 17 00:00:00 2001 +From: Christophe Fergeau <cferg...@redhat.com> +Date: Thu, 29 Nov 2018 14:18:39 +0100 +Subject: [spice-server] memslot: Fix off-by-one error in group/slot boundary + check + +RedMemSlotInfo keeps an array of groups, and each group contains an +array of slots. Unfortunately, these checks are off by 1, they check +that the index is greater or equal to the number of elements in the +array, while these arrays are 0 based. The check should only check for +strictly greater than the number of elements. + +For the group array, this is not a big issue, as these memslot groups +are created by spice-server users (eg QEMU), and the group ids used to +index that array are also generated by the spice-server user, so it +should not be possible for the guest to set them to arbitrary values. + +The slot id is more problematic, as it's calculated from a QXLPHYSICAL +address, and such addresses are usually set by the guest QXL driver, so +the guest can set these to arbitrary values, including malicious values, +which are probably easy to build from the guest PCI configuration. + +This patch fixes the arrays bound check, and adds a test case for this. 
+ +Signed-off-by: Christophe Fergeau <cferg...@redhat.com> +--- + +--- a/server/memslot.c ++++ b/server/memslot.c +@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlo + MemSlot *slot; + + *error = 0; +- if (group_id > info->num_memslots_groups) { ++ if (group_id >= info->num_memslots_groups) { + spice_critical("group_id too big"); + *error = 1; + return 0; + } + + slot_id = memslot_get_id(info, addr); +- if (slot_id > info->num_memslots) { ++ if (slot_id >= info->num_memslots) { + print_memslots(info); + spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr); + *error = 1; diff -Nru spice-0.14.0/debian/patches/series spice-0.14.0/debian/patches/series --- spice-0.14.0/debian/patches/series 2018-10-11 23:41:48.000000000 +0200 +++ spice-0.14.0/debian/patches/series 2019-01-28 13:04:44.000000000 +0100 @@ -1,2 +1,3 @@ Fix-flexible-array-buffer-overflow.patch refresh-tests-pki-keys.patch +memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
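Review bot: in the quilt patch debian/patches/memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch, the description line "The check should only check for strictly greater than the number of elements" says the opposite of what the server/memslot.c hunk does: the hunk changes `if (group_id > info->num_memslots_groups)` to `>=` and `if (slot_id > info->num_memslots)` to `>=`, so an index equal to the array length (the out-of-bounds case for a 0-based array) is now rejected, which is the correct fix. Consider rewording that sentence in the carried commit message so a later reader does not mistake the `>=` for a regression. The same header also states "This patch fixes the arrays bound check, and adds a test case for this", but only the server/memslot.c change is carried in this backport; either include the upstream test or add a line to the patch header saying the test was intentionally left out of the Debian patch.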