Hello community, here is the log from the commit of package spice for openSUSE:Factory checked in at 2019-02-13 10:16:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/spice (Old) and /work/SRC/openSUSE:Factory/.spice.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "spice" Wed Feb 13 10:16:06 2019 rev:31 rq:669352 version:0.14.1 Changes: -------- --- /work/SRC/openSUSE:Factory/spice/spice.changes 2018-10-01 09:03:31.103991260 +0200 +++ /work/SRC/openSUSE:Factory/.spice.new.28833/spice.changes 2019-02-13 10:16:09.097385835 +0100 @@ -1,0 +2,8 @@ +Mon Jan 28 17:39:01 UTC 2019 - Bruce Rogers <brog...@suse.com> + +- Fix OOB memory access in internal tracking of slot_ids and + group_ids. (CVE-2019-3813 bsc#1122706) + * 0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch +- Remove celt051 Requires directive + +------------------------------------------------------------------- New: ---- 0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ spice.spec ++++++ --- /var/tmp/diff_new_pack.Xcvy7B/_old 2019-02-13 10:16:09.929385518 +0100 +++ /var/tmp/diff_new_pack.Xcvy7B/_new 2019-02-13 10:16:09.933385516 +0100 @@ -1,7 +1,7 @@ # # spec file for package spice # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -43,6 +43,7 @@ # PATCH-FIX-UPSTREAM - CVE-2018-10893 Patch0: 0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch Patch1: 0002-lz-More-checks-on-image-sizes.patch +Patch2: 0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch BuildRequires: gcc-c++ BuildRequires: libjpeg-devel BuildRequires: pkgconfig 
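Review bot: The new `Patch2:` line in the `@@ -43,6 +43,7 @@` hunk has no `# PATCH-FIX-UPSTREAM` marker, unlike `Patch0:` which is preceded by `# PATCH-FIX-UPSTREAM - CVE-2018-10893`, so the CVE this patch closes is not visible next to its declaration; add `# PATCH-FIX-UPSTREAM - CVE-2019-3813 bsc#1122706` above it. The patch is applied after `popd` in the later `%prep` hunk while `%patch0`/`%patch1` are applied before it; that matches the new patch's top-level `server/` paths under `-p1`, assuming the earlier pushd targets a subdirectory, which is outside the hunk.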
@@ -66,7 +67,6 @@ BuildRequires: pkgconfig(xrandr) BuildRequires: pkgconfig(xrender) BuildRequires: pkgconfig(zlib) -Requires: celt051 %if %{with celt051} BuildRequires: pkgconfig(celt051) %endif @@ -108,6 +108,7 @@ %patch0 -p1 %patch1 -p1 popd +%patch2 -p1 %build export PYTHON=%{_bindir}/python3 ++++++ 0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch ++++++ >From 39af4b1e67e9bc0b597f4731ffbdc6db206fdf1c Mon Sep 17 00:00:00 2001 From: Christophe Fergeau <cferg...@redhat.com> Date: Thu, 29 Nov 2018 14:18:39 +0100 Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check RedMemSlotInfo keeps an array of groups, and each group contains an array of slots. Unfortunately, these checks are off by 1, they check that the index is greater or equal to the number of elements in the array, while these arrays are 0 based. The check should only check for strictly greater than the number of elements. For the group array, this is not a big issue, as these memslot groups are created by spice-server users (eg QEMU), and the group ids used to index that array are also generated by the spice-server user, so it should not be possible for the guest to set them to arbitrary values. The slot id is more problematic, as it's calculated from a QXLPHYSICAL address, and such addresses are usually set by the guest QXL driver, so the guest can set these to arbitrary values, including malicious values, which are probably easy to build from the guest PCI configuration. This patch fixes the arrays bound check, and adds a test case for this. Signed-off-by: Christophe Fergeau <cferg...@redhat.com> [BR: BSC#1122706 CVE-2019-3813] Signed-off-by: Bruce Rogers <brog...@suse.com> --- server/memslot.c | 4 ++-- server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/server/memslot.c b/server/memslot.c index ede77e7a..ea6f9815 100644 --- a/server/memslot.c +++ b/server/memslot.c 
@@ -97,13 +97,13 @@ void *memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t add_size
 MemSlot *slot;
- if (group_id > info->num_memslots_groups) {
+ if (group_id >= info->num_memslots_groups) {
 spice_critical("group_id too big");
 return NULL;
 }
 slot_id = memslot_get_id(info, addr);
- if (slot_id > info->num_memslots) {
+ if (slot_id >= info->num_memslots) {
 print_memslots(info);
 spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
 return NULL;
diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c
index 47139a48..5b8d0f26 100644
--- a/server/tests/test-qxl-parsing.c
+++ b/server/tests/test-qxl-parsing.c
@@ -85,6 +85,31 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl)
 g_free(from_physical(qxl->u.surface_create.data));
 }
+static void test_memslot_invalid_group_id(void)
+{
+ RedMemSlotInfo mem_info;
+ init_meminfo(&mem_info);
+
+ memslot_get_virt(&mem_info, 0, 16, 1);
+}
+
+static void test_memslot_invalid_slot_id(void)
+{
+ RedMemSlotInfo mem_info;
+ init_meminfo(&mem_info);
+
+ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0);
+}
+
+static void test_memslot_invalid_addresses(void)
+{
+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0);
+ g_test_trap_assert_stderr("*group_id too big*");
+
+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0);
+ g_test_trap_assert_stderr("*slot_id 1 too big*");
+}
+
 static void test_no_issues(void)
 {
 RedMemSlotInfo mem_info;
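Review bot: The corrected bounds checks in memslot_get_virt carry no comment recording that `group_id` and `slot_id` are zero-based indices into arrays of `num_memslots_groups` and `num_memslots` entries, which is precisely what the old `>` comparison got wrong; a one-line comment such as `/* ids are 0-based indices, so >= num_* is out of range (CVE-2019-3813) */` above the first check would keep the fix from regressing. The commit description states the conditions backwards — it says the old checks used "greater or equal" and should use "strictly greater", while the diff replaces `>` with `>=` — and should be corrected so it does not mislead a future reader. Since `slot_id` is derived from a guest-supplied QXLPHYSICAL address, this check is presumably the only guard before the slot array is indexed on the lines that follow; memslot_get_virt's body continues outside the hunk.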
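Review bot: In `test_memslot_invalid_slot_id`, `1 << mem_info.memslot_id_shift` shifts a plain `int`, so the result is undefined once `memslot_id_shift` reaches 31 and is in any case computed at `int` width before being converted to the QXLPHYSICAL parameter; write it as `(QXLPHYSICAL)1 << mem_info.memslot_id_shift` so the shift happens at the address type's width (the type of `memslot_id_shift` is not visible here). The two subprocess tests verify only the `*too big*` stderr pattern; if `spice_critical` does not terminate the process in the test configuration, the NULL return of `memslot_get_virt` goes unchecked, and `g_assert_null(memslot_get_virt(...))` would pin that contract as well. The expected `*slot_id 1 too big*` text depends on `init_meminfo` configuring a single slot, which is defined outside the hunk.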
@@ -262,6 +287,11 @@ int main(int argc, char *argv[])
 {
 g_test_init(&argc, &argv, NULL);
+ /* try to use invalid memslot group/slot */
+ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses);
+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id);
+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id);
+
 /* try to create a surface with no issues, should succeed */
 g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues);
-- 
2.20.1