spice: fix CVE-2017-7506

CVE-2017-7506: spice versions though 0.13 are vulnerable to out-of-bounds memory access when processing specially crafted messages from authenticated attacker to the spice server resulting into crash and/or server memory leak. Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-7506 Patches from: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f1e7ec03e26ab6b8ca9b7ec060846a5b706a963d https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=ec6229c79abe05d731953df5f7e9a05ec9f6df79 https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=a957a90baf2c62d31f3547e56bba7d0e812d2331 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
author: Yi Zhao <yi.zhao@windriver.com> 2017-09-22 10:03:05 +0800
committer: Bruce Ashfield <bruce.ashfield@windriver.com> 2017-09-29 14:36:03 -0400
commit: 921dca953cea111a3c579e890cf9d95a6276b7d2 (patch)
tree: a3dc13751a89e3910e9d384063236c2d48beec52
parent: 87affd0e8d235c1786b1e6230dc796db0a6824ea (diff)
download: meta-cloud-services-921dca953cea111a3c579e890cf9d95a6276b7d2.tar.gz
4 files changed, 175 insertions, 0 deletions
diff --git a/recipes-support/spice/files/CVE-2017-7506-1.patch b/recipes-support/spice/files/CVE-2017-7506-1.patch
new file mode 100644
index 0000000..1975aca
--- /dev/null
+++ b/recipes-support/spice/files/CVE-2017-7506-1.patch
@@ -0,0 +1,81 @@
+From 2e521a9db27e1ed31bf5fbed437208bf7f1c77a1 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 15 May 2017 15:57:28 +0100
+Subject: [PATCH 1/3] reds: Disconnect when receiving overly big
+ ClientMonitorsConfig
+Total message size received from the client was unlimited. There is
+a 2kiB size check on individual agent messages, but the MonitorsConfig
+message can be split in multiple chunks, and the size of the
+non-chunked MonitorsConfig message was never checked. This could easily
+lead to memory exhaustion on the host.
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Upstream-Status: Backport
+[https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f1e7ec03e26ab6b8ca9b7ec060846a5b706a963d]
+CVE: CVE-2017-7506
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ server/reds.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+diff --git a/server/reds.c b/server/reds.c
+index 30d0652..701d5d8 100644
+--- a/server/reds.c
+++ b/server/reds.c
+@@ -1086,19 +1086,34 @@ static void reds_client_monitors_config_cleanup(void)
+ static void reds_on_main_agent_monitors_config(
+         MainChannelClient *mcc, void *message, size_t size)
+ {
+    const unsigned int MAX_MONITORS = 256;
+    const unsigned int MAX_MONITOR_CONFIG_SIZE =
+       sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig);
+
+     VDAgentMessage *msg_header;
+     VDAgentMonitorsConfig *monitors_config;
+     RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
+ 
+    // limit size of message sent by the client as this can cause a DoS through
+    // memory exhaustion, or potentially some integer overflows
+    if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) {
+        goto overflow;
+    }
+     cmc->buffer_size += size;
+     cmc->buffer = realloc(cmc->buffer, cmc->buffer_size);
+     spice_assert(cmc->buffer);
+     cmc->mcc = mcc;
+     memcpy(cmc->buffer + cmc->buffer_pos, message, size);
+     cmc->buffer_pos += size;
+    if (sizeof(VDAgentMessage) > cmc->buffer_size) {
+        spice_debug("not enough data yet. %d", cmc->buffer_size);
+        return;
+    }
+     msg_header = (VDAgentMessage *)cmc->buffer;
+-    if (sizeof(VDAgentMessage) > cmc->buffer_size ||
+-            msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) {
+    if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) {
+        goto overflow;
+    }
+    if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) {
+         spice_debug("not enough data yet. %d\n", cmc->buffer_size);
+         return;
+     }
+@@ -1106,6 +1121,12 @@ static void reds_on_main_agent_monitors_config(
+     spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors);
+     red_dispatcher_client_monitors_config(monitors_config);
+     reds_client_monitors_config_cleanup();
+    return;
+
+overflow:
+    spice_warning("received invalid MonitorsConfig request from client, disconnecting");
+    red_channel_client_disconnect(main_channel_client_get_base(mcc));
+    reds_client_monitors_config_cleanup();
+ }
+ 
+ void reds_on_main_agent_data(MainChannelClient *mcc, void *message, size_t size)
+-- 
+2.7.4
diff --git a/recipes-support/spice/files/CVE-2017-7506-2.patch b/recipes-support/spice/files/CVE-2017-7506-2.patch
new file mode 100644
index 0000000..a517b08
--- /dev/null
+++ b/recipes-support/spice/files/CVE-2017-7506-2.patch
@@ -0,0 +1,37 @@
+From 6934f036240753a14514a71ede8bb44af2043f24 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 15 May 2017 15:57:28 +0100
+Subject: [PATCH 2/3] reds: Avoid integer overflows handling monitor
+ configuration
+Avoid VDAgentMessage::size integer overflows.
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Upstream-Status: Backport
+[https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=ec6229c79abe05d731953df5f7e9a05ec9f6df79]
+CVE: CVE-2017-7506
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ server/reds.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/server/reds.c b/server/reds.c
+index 701d5d8..62b1164 100644
+--- a/server/reds.c
+++ b/server/reds.c
+@@ -1117,6 +1117,9 @@ static void reds_on_main_agent_monitors_config(
+         spice_debug("not enough data yet. %d\n", cmc->buffer_size);
+         return;
+     }
+    if (msg_header->size < sizeof(VDAgentMonitorsConfig)) {
+        goto overflow;
+    }
+     monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
+     spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors);
+     red_dispatcher_client_monitors_config(monitors_config);
+-- 
+2.7.4
diff --git a/recipes-support/spice/files/CVE-2017-7506-3.patch b/recipes-support/spice/files/CVE-2017-7506-3.patch
new file mode 100644
index 0000000..d55502f
--- /dev/null
+++ b/recipes-support/spice/files/CVE-2017-7506-3.patch
@@ -0,0 +1,54 @@
+From daedc2e2bb70f7cb0eafd65fd37fd73af12df770 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 15 May 2017 15:57:28 +0100
+Subject: [PATCH 3/3] reds: Avoid buffer overflows handling monitor
+ configuration
+It was also possible for a malicious client to set
+VDAgentMonitorsConfig::num_of_monitors to a number larger
+than the actual size of VDAgentMOnitorsConfig::monitors.
+This would lead to buffer overflows, which could allow the guest to
+read part of the host memory. This might cause write overflows in the
+host as well, but controlling the content of such buffers seems
+complicated.
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Upstream-Status: Backport
+[https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=a957a90baf2c62d31f3547e56bba7d0e812d2331]
+CVE: CVE-2017-7506
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ server/reds.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/server/reds.c b/server/reds.c
+index 62b1164..ee36dec 100644
+--- a/server/reds.c
+++ b/server/reds.c
+@@ -1093,6 +1093,7 @@ static void reds_on_main_agent_monitors_config(
+     VDAgentMessage *msg_header;
+     VDAgentMonitorsConfig *monitors_config;
+     RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
+    uint32_t max_monitors;
+ 
+     // limit size of message sent by the client as this can cause a DoS through
+     // memory exhaustion, or potentially some integer overflows
+@@ -1121,6 +1122,12 @@ static void reds_on_main_agent_monitors_config(
+         goto overflow;
+     }
+     monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
+    // limit the monitor number to avoid buffer overflows
+    max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) /
+                   sizeof(VDAgentMonConfig);
+    if (monitors_config->num_of_monitors > max_monitors) {
+        goto overflow;
+    }
+     spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors);
+     red_dispatcher_client_monitors_config(monitors_config);
+     reds_client_monitors_config_cleanup();
+-- 
+2.7.4
diff --git a/recipes-support/spice/spice_git.bb b/recipes-support/spice/spice_git.bb
index 04e7a25..c0fdd9c 100644
--- a/recipes-support/spice/spice_git.bb
+++ b/recipes-support/spice/spice_git.bb
@@ -38,6 +38,9 @@ SRC_URI += " \
        file://0001-red_parse_qxl-Fix-BITMAP_FMT_IS_RGB-defined-but-not-.patch \
        file://0001-Use-PRI-macros-in-printf-to-keep-compatibility-betwe.patch \
        file://Fix-build-issues-with-gcc-7.patch \
+        file://CVE-2017-7506-1.patch \
+        file://CVE-2017-7506-2.patch \
+        file://CVE-2017-7506-3.patch \
        "
 S = "${WORKDIR}/git"
author	Yi Zhao <yi.zhao@windriver.com>	2017-09-22 10:03:05 +0800
committer	Bruce Ashfield <bruce.ashfield@windriver.com>	2017-09-29 14:36:03 -0400
commit	921dca953cea111a3c579e890cf9d95a6276b7d2 (patch)
tree	a3dc13751a89e3910e9d384063236c2d48beec52
parent	87affd0e8d235c1786b1e6230dc796db0a6824ea (diff)
download	meta-cloud-services-921dca953cea111a3c579e890cf9d95a6276b7d2.tar.gz

diff --git a/recipes-support/spice/files/CVE-2017-7506-1.patch b/recipes-support/spice/files/CVE-2017-7506-1.patch new file mode 100644 index 0000000..1975aca --- /dev/null +++ b/recipes-support/spice/files/CVE-2017-7506-1.patch
@@ -0,0 +1,81 @@
		1	From 2e521a9db27e1ed31bf5fbed437208bf7f1c77a1 Mon Sep 17 00:00:00 2001
		2	From: Frediano Ziglio <fziglio@redhat.com>
		3	Date: Mon, 15 May 2017 15:57:28 +0100
		4	Subject: [PATCH 1/3] reds: Disconnect when receiving overly big
		5	ClientMonitorsConfig
		6
		7	Total message size received from the client was unlimited. There is
		8	a 2kiB size check on individual agent messages, but the MonitorsConfig
		9	message can be split in multiple chunks, and the size of the
		10	non-chunked MonitorsConfig message was never checked. This could easily
		11	lead to memory exhaustion on the host.
		12
		13	Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
		14
		15	Upstream-Status: Backport
		16	[https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f1e7ec03e26ab6b8ca9b7ec060846a5b706a963d]
		17
		18	CVE: CVE-2017-7506
		19
		20	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		21	---
		22	server/reds.c \| 25 +++++++++++++++++++++++--
		23	1 file changed, 23 insertions(+), 2 deletions(-)
		24
		25	diff --git a/server/reds.c b/server/reds.c
		26	index 30d0652..701d5d8 100644
		27	--- a/server/reds.c
		28	+++ b/server/reds.c
		29	@@ -1086,19 +1086,34 @@ static void reds_client_monitors_config_cleanup(void)
		30	static void reds_on_main_agent_monitors_config(
		31	MainChannelClient mcc, void message, size_t size)
		32	{
		33	+ const unsigned int MAX_MONITORS = 256;
		34	+ const unsigned int MAX_MONITOR_CONFIG_SIZE =
		35	+ sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig);
		36	+
		37	VDAgentMessage *msg_header;
		38	VDAgentMonitorsConfig *monitors_config;
		39	RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
		40
		41	+ // limit size of message sent by the client as this can cause a DoS through
		42	+ // memory exhaustion, or potentially some integer overflows
		43	+ if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) {
		44	+ goto overflow;
		45	+ }
		46	cmc->buffer_size += size;
		47	cmc->buffer = realloc(cmc->buffer, cmc->buffer_size);
		48	spice_assert(cmc->buffer);
		49	cmc->mcc = mcc;
		50	memcpy(cmc->buffer + cmc->buffer_pos, message, size);
		51	cmc->buffer_pos += size;
		52	+ if (sizeof(VDAgentMessage) > cmc->buffer_size) {
		53	+ spice_debug("not enough data yet. %d", cmc->buffer_size);
		54	+ return;
		55	+ }
		56	msg_header = (VDAgentMessage *)cmc->buffer;
		57	- if (sizeof(VDAgentMessage) > cmc->buffer_size \|\|
		58	- msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) {
		59	+ if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) {
		60	+ goto overflow;
		61	+ }
		62	+ if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) {
		63	spice_debug("not enough data yet. %d\n", cmc->buffer_size);
		64	return;
		65	}
		66	@@ -1106,6 +1121,12 @@ static void reds_on_main_agent_monitors_config(
		67	spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors);
		68	red_dispatcher_client_monitors_config(monitors_config);
		69	reds_client_monitors_config_cleanup();
		70	+ return;
		71	+
		72	+overflow:
		73	+ spice_warning("received invalid MonitorsConfig request from client, disconnecting");
		74	+ red_channel_client_disconnect(main_channel_client_get_base(mcc));
		75	+ reds_client_monitors_config_cleanup();
		76	}
		77
		78	void reds_on_main_agent_data(MainChannelClient mcc, void message, size_t size)
		79	--
		80	2.7.4
		81


diff --git a/recipes-support/spice/files/CVE-2017-7506-2.patch b/recipes-support/spice/files/CVE-2017-7506-2.patch new file mode 100644 index 0000000..a517b08 --- /dev/null +++ b/recipes-support/spice/files/CVE-2017-7506-2.patch
@@ -0,0 +1,37 @@
		1	From 6934f036240753a14514a71ede8bb44af2043f24 Mon Sep 17 00:00:00 2001
		2	From: Frediano Ziglio <fziglio@redhat.com>
		3	Date: Mon, 15 May 2017 15:57:28 +0100
		4	Subject: [PATCH 2/3] reds: Avoid integer overflows handling monitor
		5	configuration
		6
		7	Avoid VDAgentMessage::size integer overflows.
		8
		9	Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
		10
		11	Upstream-Status: Backport
		12	[https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=ec6229c79abe05d731953df5f7e9a05ec9f6df79]
		13
		14	CVE: CVE-2017-7506
		15
		16	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		17	---
		18	server/reds.c \| 3 +++
		19	1 file changed, 3 insertions(+)
		20
		21	diff --git a/server/reds.c b/server/reds.c
		22	index 701d5d8..62b1164 100644
		23	--- a/server/reds.c
		24	+++ b/server/reds.c
		25	@@ -1117,6 +1117,9 @@ static void reds_on_main_agent_monitors_config(
		26	spice_debug("not enough data yet. %d\n", cmc->buffer_size);
		27	return;
		28	}
		29	+ if (msg_header->size < sizeof(VDAgentMonitorsConfig)) {
		30	+ goto overflow;
		31	+ }
		32	monitors_config = (VDAgentMonitorsConfig )(cmc->buffer + sizeof(msg_header));
		33	spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors);
		34	red_dispatcher_client_monitors_config(monitors_config);
		35	--
		36	2.7.4
		37


diff --git a/recipes-support/spice/files/CVE-2017-7506-3.patch b/recipes-support/spice/files/CVE-2017-7506-3.patch new file mode 100644 index 0000000..d55502f --- /dev/null +++ b/recipes-support/spice/files/CVE-2017-7506-3.patch
@@ -0,0 +1,54 @@
		1	From daedc2e2bb70f7cb0eafd65fd37fd73af12df770 Mon Sep 17 00:00:00 2001
		2	From: Frediano Ziglio <fziglio@redhat.com>
		3	Date: Mon, 15 May 2017 15:57:28 +0100
		4	Subject: [PATCH 3/3] reds: Avoid buffer overflows handling monitor
		5	configuration
		6
		7	It was also possible for a malicious client to set
		8	VDAgentMonitorsConfig::num_of_monitors to a number larger
		9	than the actual size of VDAgentMOnitorsConfig::monitors.
		10	This would lead to buffer overflows, which could allow the guest to
		11	read part of the host memory. This might cause write overflows in the
		12	host as well, but controlling the content of such buffers seems
		13	complicated.
		14
		15	Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
		16
		17	Upstream-Status: Backport
		18	[https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=a957a90baf2c62d31f3547e56bba7d0e812d2331]
		19
		20	CVE: CVE-2017-7506
		21
		22	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		23	---
		24	server/reds.c \| 7 +++++++
		25	1 file changed, 7 insertions(+)
		26
		27	diff --git a/server/reds.c b/server/reds.c
		28	index 62b1164..ee36dec 100644
		29	--- a/server/reds.c
		30	+++ b/server/reds.c
		31	@@ -1093,6 +1093,7 @@ static void reds_on_main_agent_monitors_config(
		32	VDAgentMessage *msg_header;
		33	VDAgentMonitorsConfig *monitors_config;
		34	RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
		35	+ uint32_t max_monitors;
		36
		37	// limit size of message sent by the client as this can cause a DoS through
		38	// memory exhaustion, or potentially some integer overflows
		39	@@ -1121,6 +1122,12 @@ static void reds_on_main_agent_monitors_config(
		40	goto overflow;
		41	}
		42	monitors_config = (VDAgentMonitorsConfig )(cmc->buffer + sizeof(msg_header));
		43	+ // limit the monitor number to avoid buffer overflows
		44	+ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) /
		45	+ sizeof(VDAgentMonConfig);
		46	+ if (monitors_config->num_of_monitors > max_monitors) {
		47	+ goto overflow;
		48	+ }
		49	spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors);
		50	red_dispatcher_client_monitors_config(monitors_config);
		51	reds_client_monitors_config_cleanup();
		52	--
		53	2.7.4
		54


diff --git a/recipes-support/spice/spice_git.bb b/recipes-support/spice/spice_git.bb index 04e7a25..c0fdd9c 100644 --- a/recipes-support/spice/spice_git.bb +++ b/recipes-support/spice/spice_git.bb
@@ -38,6 +38,9 @@ SRC_URI += " \
38	file://0001-red_parse_qxl-Fix-BITMAP_FMT_IS_RGB-defined-but-not-.patch \	38	file://0001-red_parse_qxl-Fix-BITMAP_FMT_IS_RGB-defined-but-not-.patch \
39	file://0001-Use-PRI-macros-in-printf-to-keep-compatibility-betwe.patch \	39	file://0001-Use-PRI-macros-in-printf-to-keep-compatibility-betwe.patch \
40	file://Fix-build-issues-with-gcc-7.patch \	40	file://Fix-build-issues-with-gcc-7.patch \
		41	file://CVE-2017-7506-1.patch \
		42	file://CVE-2017-7506-2.patch \
		43	file://CVE-2017-7506-3.patch \
41	"	44	"
42		45
43	S = "${WORKDIR}/git"	46	S = "${WORKDIR}/git"