Re: [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Michael Tokarev <mjt@tls.msk.ru>, P J P <ppandit@redhat.com>
Cc: qemu-devel@nongnu.org, Ling Liu <liuling-it@360.cn>
Subject: Re: [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer
Date: Mon, 11 Jan 2016 08:59:14 +0100	[thread overview]
Message-ID: <20160111075914.GA28466@olga> (raw)
In-Reply-To: <56920EC7.6090109@msgid.tls.msk.ru>

On Sun, Jan 10, 2016 at 10:56:55AM +0300, Michael Tokarev wrote:
> So, what's the status of this issue now?
> (it is CVE-2015-8619 btw, maybe worth to mention this in the commit message)

Seems we concluded it's best to keep keyname_len around and simply check
it against the sizeof(keyname_buf).

Here's a full new version as I haven't seen one yet. (With an adapted
commit message and the CVE id added.)

I did not include the proposed change to the pstrcpy() size parameter
as it seemed more like a coding-style change and because the code also
uses
  pstrcpy(keyname_buf, sizeof(keyname_buf), "less")
instead of a memcpy() (after all, the buffer size is known and the
contents are constant in that line).

Patch:

===
>From 8da4a3bf8fb076314f986a0d58cb94f5458e3659 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 11 Jan 2016 08:21:25 +0100
Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)

When processing 'sendkey' command, hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB
write issue, if 'keyname_len' was to fall outside of
'keyname_buf' array.

Now checking the length against the buffer size before using
it.

Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 hmp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hmp.c b/hmp.c
index c2b2c16..0c7a04c 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1749,6 +1749,8 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
     while (1) {
         separator = strchr(keys, '-');
         keyname_len = separator ? separator - keys : strlen(keys);
+        if (keyname_len >= sizeof(keyname_buf))
+            goto err_out;
         pstrcpy(keyname_buf, sizeof(keyname_buf), keys);

         /* Be compatible with old interface, convert user inputted "<" */
@@ -1800,7 +1802,7 @@ out:
     return;

 err_out:
-    monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
+    monitor_printf(mon, "invalid parameter: %s\n", keys);
     goto out;
 }

-- 
2.1.4

next prev parent reply	other threads:[~2016-01-11  7:59 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-12-17 12:40 [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer P J P
2015-12-18  3:46 ` 刘令
2015-12-18  4:34   ` P J P
2015-12-22 18:48 ` Luiz Capitulino
2016-01-12  8:41   ` Markus Armbruster
2016-01-08  9:19 ` Wolfgang Bumiller
2016-01-08 12:19   ` P J P
2016-01-08 13:02     ` Wolfgang Bumiller
2016-01-08 13:59       ` P J P
2016-01-08 14:38         ` Wolfgang Bumiller
2016-01-08 17:32           ` P J P
2016-01-09  9:31             ` Wolfgang Bumiller
2016-01-09 13:03               ` P J P
2016-01-10  7:56                 ` Michael Tokarev
2016-01-11  7:00                   ` P J P
2016-01-11  7:59                   ` Wolfgang Bumiller [this message]
2016-01-11  8:22                     ` P J P
2016-01-12  8:45                     ` Markus Armbruster
2016-01-12  9:27                       ` Wolfgang Bumiller
2016-01-12 16:00                         ` Markus Armbruster
2016-01-12 16:25                           ` Wolfgang Bumiller
2016-01-12 16:52                             ` Markus Armbruster
2016-01-13  8:09                               ` Wolfgang Bumiller
2016-01-18 13:02                                 ` Markus Armbruster
2016-01-18 13:38                                   ` Wolfgang Bumiller
2016-01-18 14:23                                     ` Markus Armbruster
2016-01-26  9:36                                       ` Michael Tokarev
2016-01-28 10:52                                         ` Michael Tokarev
2016-01-28 14:45                                           ` Markus Armbruster

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:c2b2c16 dfblob:0c7a04c )
 OR (
bs:"hmp: fix sendkey out of bounds write (CVE-2015-8619)" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160111075914.GA28466@olga \
    --to=w.bumiller@proxmox.com \
    --cc=liuling-it@360.cn \
    --cc=mjt@tls.msk.ru \
    --cc=ppandit@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.