Hello community, here is the log from the commit of package spice for openSUSE:Factory checked in at 2015-09-19 06:52:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/spice (Old) and /work/SRC/openSUSE:Factory/.spice.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "spice" Changes: -------- --- /work/SRC/openSUSE:Factory/spice/spice.changes 2015-06-06 09:53:35.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.spice.new/spice.changes 2015-09-19 06:52:59.000000000 +0200 @@ -1,0 +2,6 @@ +Mon Sep 7 14:50:25 UTC 2015 - cbosdon...@suse.com + +- bsc#944460: fix CVE-2015-3247. + cve-2015-3247.patch + +------------------------------------------------------------------- New: ---- cve-2015-3247.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ spice.spec ++++++ --- /var/tmp/diff_new_pack.0b8EQP/_old 2015-09-19 06:53:00.000000000 +0200 +++ /var/tmp/diff_new_pack.0b8EQP/_new 2015-09-19 06:53:00.000000000 +0200 @@ -29,6 +29,8 @@ Patch0: spice-Don-t-use-48kHz-for-playback-recording-rates.patch # PATCH-FIX-UPSTREAM password-length-check.patch boo#931044 cbosdon...@suse.com -- Don't allow too long passwords Patch1: password-length-check.patch +# PATCH-FIX-UPSTREAM cve-2015-3247.patch cbosdon...@suse.com -- fix cve-2015-3247 +Patch2: cve-2015-3247.patch # Build-time parameters BuildRequires: alsa-devel BuildRequires: celt051-devel @@ -90,6 +92,7 @@ %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build %configure \ ++++++ cve-2015-3247.patch ++++++ >From 524eef10c6c6c2f3f30be28c56b8f96adc7901f0 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio <fzig...@redhat.com> Date: Tue, 9 Jun 2015 08:50:46 +0100 Subject: [PATCH] Avoid race conditions reading monitor configs from guest For security reasons do not assume guest do not change structures it pass to Qemu. Guest could change count field while Qemu is copying QXLMonitorsConfig structure leading to heap corruption. This patch avoid it reading count only once. Signed-off-by: Frediano Ziglio <fzig...@redhat.com> --- server/red_worker.c | 46 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 32 insertions(+), 14 deletions(-) diff --git a/server/red_worker.c b/server/red_worker.c index 9e6a6ad..955cac2 100644 --- a/server/red_worker.c +++ b/server/red_worker.c @@ -11270,7 +11270,8 @@ static inline void red_monitors_config_item_add(DisplayChannelClient *dcc) } static void worker_update_monitors_config(RedWorker *worker, - QXLMonitorsConfig *dev_monitors_config) + QXLMonitorsConfig *dev_monitors_config, + uint16_t count, uint16_t max_allowed) { int heads_size; MonitorsConfig *monitors_config; @@ -11279,22 +11280,22 @@ static void worker_update_monitors_config(RedWorker *worker, monitors_config_decref(worker->monitors_config); spice_debug("monitors config %d(%d)", - dev_monitors_config->count, - dev_monitors_config->max_allowed); - for (i = 0; i < dev_monitors_config->count; i++) { + count, + max_allowed); + for (i = 0; i < count; i++) { spice_debug("+%d+%d %dx%d", dev_monitors_config->heads[i].x, dev_monitors_config->heads[i].y, dev_monitors_config->heads[i].width, dev_monitors_config->heads[i].height); } - heads_size = dev_monitors_config->count * sizeof(QXLHead); + heads_size = count * sizeof(QXLHead); worker->monitors_config = monitors_config = spice_malloc(sizeof(*monitors_config) + heads_size); monitors_config->refs = 1; monitors_config->worker = worker; - monitors_config->count = dev_monitors_config->count; - monitors_config->max_allowed = dev_monitors_config->max_allowed; + monitors_config->count = count; + monitors_config->max_allowed = max_allowed; memcpy(monitors_config->heads, dev_monitors_config->heads, heads_size); } @@ -11678,33 +11679,50 @@ void handle_dev_display_migrate(void *opaque, void *payload) red_migrate_display(worker, rcc); } +static inline uint32_t qxl_monitors_config_size(uint32_t heads) +{ + return sizeof(QXLMonitorsConfig) + sizeof(QXLHead) * heads; +} + static void handle_dev_monitors_config_async(void *opaque, void *payload) { RedWorkerMessageMonitorsConfigAsync *msg = payload; RedWorker *worker = opaque; - int min_size = sizeof(QXLMonitorsConfig) + sizeof(QXLHead); int error; + uint16_t count, max_allowed; QXLMonitorsConfig *dev_monitors_config = (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config, - min_size, msg->group_id, &error); + qxl_monitors_config_size(1), + msg->group_id, &error); if (error) { /* TODO: raise guest bug (requires added QXL interface) */ return; } worker->driver_cap_monitors_config = 1; - if (dev_monitors_config->count == 0) { + count = dev_monitors_config->count; + max_allowed = dev_monitors_config->max_allowed; + if (count == 0) { spice_warning("ignoring an empty monitors config message from driver"); return; } - if (dev_monitors_config->count > dev_monitors_config->max_allowed) { + if (count > max_allowed) { spice_warning("ignoring malformed monitors_config from driver, " "count > max_allowed %d > %d", - dev_monitors_config->count, - dev_monitors_config->max_allowed); + count, + max_allowed); return; } - worker_update_monitors_config(worker, dev_monitors_config); + /* get pointer again to check virtual size */ + dev_monitors_config = + (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config, + qxl_monitors_config_size(count), + msg->group_id, &error); + if (error) { + /* TODO: raise guest bug (requires added QXL interface) */ + return; + } + worker_update_monitors_config(worker, dev_monitors_config, count, max_allowed); red_worker_push_monitors_config(worker); }