1 files changed, 54 insertions, 0 deletions
diff --git a/recipes-support/spice/files/CVE-2017-7506-3.patch b/recipes-support/spice/files/CVE-2017-7506-3.patch
new file mode 100644
index 0000000..d55502f
--- /dev/null
+++ b/recipes-support/spice/files/CVE-2017-7506-3.patch
@@ -0,0 +1,54 @@
+From daedc2e2bb70f7cb0eafd65fd37fd73af12df770 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 15 May 2017 15:57:28 +0100
+Subject: [PATCH 3/3] reds: Avoid buffer overflows handling monitor
+ configuration
+It was also possible for a malicious client to set
+VDAgentMonitorsConfig::num_of_monitors to a number larger
+than the actual size of VDAgentMOnitorsConfig::monitors.
+This would lead to buffer overflows, which could allow the guest to
+read part of the host memory. This might cause write overflows in the
+host as well, but controlling the content of such buffers seems
+complicated.
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Upstream-Status: Backport
+[https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=a957a90baf2c62d31f3547e56bba7d0e812d2331]
+CVE: CVE-2017-7506
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ server/reds.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/server/reds.c b/server/reds.c
+index 62b1164..ee36dec 100644
+--- a/server/reds.c
+++ b/server/reds.c
+@@ -1093,6 +1093,7 @@ static void reds_on_main_agent_monitors_config(
+     VDAgentMessage *msg_header;
+     VDAgentMonitorsConfig *monitors_config;
+     RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
+    uint32_t max_monitors;
+ 
+     // limit size of message sent by the client as this can cause a DoS through
+     // memory exhaustion, or potentially some integer overflows
+@@ -1121,6 +1122,12 @@ static void reds_on_main_agent_monitors_config(
+         goto overflow;
+     }
+     monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
+    // limit the monitor number to avoid buffer overflows
+    max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) /
+                   sizeof(VDAgentMonConfig);
+    if (monitors_config->num_of_monitors > max_monitors) {
+        goto overflow;
+    }
+     spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors);
+     red_dispatcher_client_monitors_config(monitors_config);
+     reds_client_monitors_config_cleanup();
+-- 
+2.7.4

diff --git a/recipes-support/spice/files/CVE-2017-7506-3.patch b/recipes-support/spice/files/CVE-2017-7506-3.patch new file mode 100644 index 0000000..d55502f --- /dev/null +++ b/recipes-support/spice/files/CVE-2017-7506-3.patch
@@ -0,0 +1,54 @@
	1	From daedc2e2bb70f7cb0eafd65fd37fd73af12df770 Mon Sep 17 00:00:00 2001
	2	From: Frediano Ziglio <fziglio@redhat.com>
	3	Date: Mon, 15 May 2017 15:57:28 +0100
	4	Subject: [PATCH 3/3] reds: Avoid buffer overflows handling monitor
	5	configuration
	6
	7	It was also possible for a malicious client to set
	8	VDAgentMonitorsConfig::num_of_monitors to a number larger
	9	than the actual size of VDAgentMOnitorsConfig::monitors.
	10	This would lead to buffer overflows, which could allow the guest to
	11	read part of the host memory. This might cause write overflows in the
	12	host as well, but controlling the content of such buffers seems
	13	complicated.
	14
	15	Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
	16
	17	Upstream-Status: Backport
	18	[https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=a957a90baf2c62d31f3547e56bba7d0e812d2331]
	19
	20	CVE: CVE-2017-7506
	21
	22	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	23	---
	24	server/reds.c \| 7 +++++++
	25	1 file changed, 7 insertions(+)
	26
	27	diff --git a/server/reds.c b/server/reds.c
	28	index 62b1164..ee36dec 100644
	29	--- a/server/reds.c
	30	+++ b/server/reds.c
	31	@@ -1093,6 +1093,7 @@ static void reds_on_main_agent_monitors_config(
	32	VDAgentMessage *msg_header;
	33	VDAgentMonitorsConfig *monitors_config;
	34	RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
	35	+ uint32_t max_monitors;
	36
	37	// limit size of message sent by the client as this can cause a DoS through
	38	// memory exhaustion, or potentially some integer overflows
	39	@@ -1121,6 +1122,12 @@ static void reds_on_main_agent_monitors_config(
	40	goto overflow;
	41	}
	42	monitors_config = (VDAgentMonitorsConfig )(cmc->buffer + sizeof(msg_header));
	43	+ // limit the monitor number to avoid buffer overflows
	44	+ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) /
	45	+ sizeof(VDAgentMonConfig);
	46	+ if (monitors_config->num_of_monitors > max_monitors) {
	47	+ goto overflow;
	48	+ }
	49	spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors);
	50	red_dispatcher_client_monitors_config(monitors_config);
	51	reds_client_monitors_config_cleanup();
	52	--
	53	2.7.4
	54