From mboxrd@z Thu Jan 1 00:00:00 1970 From: Yann E. MORIN Date: Thu, 22 Jun 2017 22:37:00 +0200 Subject: [Buildroot] [PATCH 4/4] spice: add post-0.12.8 upstream security fixes In-Reply-To: <20170621220744.18908-5-peter@korsgaard.com> References: <20170621220744.18908-1-peter@korsgaard.com> <20170621220744.18908-5-peter@korsgaard.com> Message-ID: <20170622203700.GG3054@scaer> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: buildroot@busybox.net Peter, All, On 2017-06-22 00:07 +0200, Peter Korsgaard spake thusly: > Fixes the following security issues: > > CVE-2016-9577 > > Frediano Ziglio of Red Hat discovered a buffer overflow > vulnerability in the main_channel_alloc_msg_rcv_buf function. An > authenticated attacker can take advantage of this flaw to cause a > denial of service (spice server crash), or possibly, execute > arbitrary code. > > CVE-2016-9578 > > Frediano Ziglio of Red Hat discovered that spice does not properly > validate incoming messages. An attacker able to connect to the > spice server could send crafted messages which would cause the > process to crash. > > Signed-off-by: Peter Korsgaard > --- > ...sible-DoS-attempts-during-protocol-handsh.patch | 60 ++++++++++++++++++++++ > ...nt-integer-overflows-in-capability-checks.patch | 43 ++++++++++++++++ > ...l-Prevent-overflow-reading-messages-from-.patch | 33 ++++++++++++ > 3 files changed, 136 insertions(+) > create mode 100644 package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch > create mode 100644 package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch > create mode 100644 package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch Although this is not strictly speaking a security fix, I woner if we should not backport 1d597f4b1 (Call migrate_end_complete() after falling back to switch-host) as it fixes a migration issue with qemu 2.6. Anyway: Reviewed-by: "Yann E. MORIN" Regards, Yann E. MORIN. > diff --git a/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch b/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch > new file mode 100644 > index 0000000000..57a64d96b7 > --- /dev/null > +++ b/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch > @@ -0,0 +1,60 @@ > +From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001 > +From: Frediano Ziglio > +Date: Tue, 13 Dec 2016 14:39:48 +0000 > +Subject: [PATCH] Prevent possible DoS attempts during protocol handshake > + > +The limit for link message is specified using a 32 bit unsigned integer. > +This could cause possible DoS due to excessive memory allocations and > +some possible crashes. > +For instance a value >= 2^31 causes a spice_assert to be triggered in > +async_read_handler (reds-stream.c) due to an integer overflow at this > +line: > + > + int n = async->end - async->now; > + > +This could be easily triggered with a program like > + > + #!/usr/bin/env python > + > + import socket > + import time > + from struct import pack > + > + server = '127.0.0.1' > + port = 5900 > + > + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) > + s.connect((server, port)) > + data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa) > + s.send(data) > + > + time.sleep(1) > + > +without requiring any authentication (the same can be done > +with TLS). > + > +[Peter: fixes CVE-2016-9578] > +Signed-off-by: Frediano Ziglio > +Acked-by: Christophe Fergeau > +Signed-off-by: Peter Korsgaard > +--- > + server/reds.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/server/reds.c b/server/reds.c > +index f40b65c1..86a33d53 100644 > +--- a/server/reds.c > ++++ b/server/reds.c > +@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque) > + > + reds->peer_minor_version = header->minor_version; > + > +- if (header->size < sizeof(SpiceLinkMess)) { > ++ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */ > ++ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) { > + reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); > + spice_warning("bad size %u", header->size); > + reds_link_free(link); > +-- > +2.11.0 > + > diff --git a/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch b/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch > new file mode 100644 > index 0000000000..5bf9b89d17 > --- /dev/null > +++ b/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch > @@ -0,0 +1,43 @@ > +From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001 > +From: Frediano Ziglio > +Date: Tue, 13 Dec 2016 14:40:10 +0000 > +Subject: [PATCH] Prevent integer overflows in capability checks > + > +The limits for capabilities are specified using 32 bit unsigned integers. > +This could cause possible integer overflows causing buffer overflows. > +For instance the sum of num_common_caps and num_caps can be 0 avoiding > +additional checks. > +As the link message is now capped to 4096 and the capabilities are > +contained in the link message limit the capabilities to 1024 > +(capabilities are expressed in number of uint32_t items). > + > +[Peter: fixes CVE-2016-9578] > +Signed-off-by: Frediano Ziglio > +Acked-by: Christophe Fergeau > +Signed-off-by: Peter Korsgaard > +--- > + server/reds.c | 8 ++++++++ > + 1 file changed, 8 insertions(+) > + > +diff --git a/server/reds.c b/server/reds.c > +index 86a33d53..91504544 100644 > +--- a/server/reds.c > ++++ b/server/reds.c > +@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque) > + link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps); > + link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps); > + > ++ /* Prevent DoS. Currently we defined only 13 capabilities, > ++ * I expect 1024 to be valid for quite a lot time */ > ++ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) { > ++ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); > ++ reds_link_free(link); > ++ return; > ++ } > ++ > + num_caps = link_mess->num_common_caps + link_mess->num_channel_caps; > + caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset); > + > +-- > +2.11.0 > + > diff --git a/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch b/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch > new file mode 100644 > index 0000000000..f602d5f3b1 > --- /dev/null > +++ b/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch > @@ -0,0 +1,33 @@ > +From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001 > +From: Frediano Ziglio > +Date: Tue, 29 Nov 2016 16:46:56 +0000 > +Subject: [PATCH] main-channel: Prevent overflow reading messages from client > + > +Caller is supposed the function return a buffer able to store > +size bytes. > + > +[Peter: fixes CVE-2016-9577] > +Signed-off-by: Frediano Ziglio > +Acked-by: Christophe Fergeau > +Signed-off-by: Peter Korsgaard > +--- > + server/main_channel.c | 3 +++ > + 1 file changed, 3 insertions(+) > + > +diff --git a/server/main_channel.c b/server/main_channel.c > +index 0ecc9df8..1fc39155 100644 > +--- a/server/main_channel.c > ++++ b/server/main_channel.c > +@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc, > + > + if (type == SPICE_MSGC_MAIN_AGENT_DATA) { > + return reds_get_agent_data_buffer(mcc, size); > ++ } else if (size > sizeof(main_chan->recv_buf)) { > ++ /* message too large, caller will log a message and close the connection */ > ++ return NULL; > + } else { > + return main_chan->recv_buf; > + } > +-- > +2.11.0 > + > -- > 2.11.0 > -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------'