Date: Wed, 16 Jun 2004 21:38:38 -0700
From: Tim
Message-ID: <20040617043838.GA1938@sentinelchicken.org>
Subject: [Qemu-devel] [PATCH] Security house-cleaning
To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org

After noticing the string format vulnerability the other day, I decided to do a quick audit of calls to commonly misused string functions. I came across a few that looked a bit troublesome, in a security sense, so I have updated them to their safer, length-checking counterparts.

I have to say, the core QEMU code is quite clean, and I feel that much more confident in using it for honeypot projects later on. ;-)

The biggest culprit in terms of potential overflows was the slirp code. There were some disturbing instances where strings were being pulled directly from the command line and tossed into a fixed-length buffer with no checks. =-X I can't say that I understand at all how slirp works, so I don't know if it is exploitable.
I will continue to develop this patch as I monitor and test the newest code on HEAD. I do not currently use many parts of the codebase in my testing, though, so be sure to test the patch well before committing it, particularly the slirp changes.

thanks,
tim

PS - a README is included for you, Hetz, if you want to place it on your site.

[Attachment: security_20040616.tar.gz, Content-Type: application/octet-stream, Content-Transfer-Encoding: base64]
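The pattern the mail describes, an attacker-controlled command-line string copied into a fixed-length buffer with no check, next to the two bounded replacements a reviewer would want to see. This is an added illustration, not code from the patch tarball or from QEMU's slirp; the `host_cfg` struct, `NAME_MAX_LEN`, and the function names are hypothetical and chosen only to make the point runnable.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* hypothetical fixed buffer size (assumption) */

struct host_cfg {
    char name[NAME_MAX_LEN];
    unsigned port;         /* sits right after name[]: first thing clobbered */
};

/* Before: unbounded copy. An argument of NAME_MAX_LEN bytes or more writes
 * past name[] into port and whatever follows. Shown only for contrast; never
 * call it with untrusted input. */
static void set_name_unsafe(struct host_cfg *h, const char *arg)
{
    strcpy(h->name, arg);
}

/* After (strict): measure first and refuse oversized input outright.
 * Returns 0 on success, -1 if arg does not fit including its NUL.
 * memcpy of n+1 bytes keeps the terminator; plain strncpy would not
 * NUL-terminate when the source fills the buffer exactly. */
static int set_name_checked(struct host_cfg *h, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= sizeof h->name)
        return -1;
    memcpy(h->name, arg, n + 1);
    return 0;
}

/* After (lenient): snprintf always NUL-terminates and never overruns, but
 * it truncates silently unless the caller inspects the return value.
 * Returns 1 if the name was truncated, 0 otherwise, so the caller can
 * decide whether a shortened hostname is acceptable. */
static int set_name_truncating(struct host_cfg *h, const char *arg)
{
    int r = snprintf(h->name, sizeof h->name, "%s", arg);
    return (r < 0 || (size_t)r >= sizeof h->name) ? 1 : 0;
}

/* Exercises all three with a short and an oversized input (constructed
 * sample data). Returns 1 if every expectation holds, 0 otherwise. */
static int run_checks(void)
{
    struct host_cfg h;
    char big[64];

    memset(big, 'A', sizeof big - 1);   /* 63 x 'A': far past NAME_MAX_LEN */
    big[sizeof big - 1] = '\0';
    memset(&h, 0, sizeof h);

    /* In-bounds input behaves identically for the unsafe and checked paths. */
    set_name_unsafe(&h, "localhost");
    if (strcmp(h.name, "localhost") != 0)
        return 0;
    if (set_name_checked(&h, "localhost") != 0 || strcmp(h.name, "localhost") != 0)
        return 0;

    /* Oversized input: strict path rejects, lenient path truncates and says so. */
    if (set_name_checked(&h, big) != -1)
        return 0;
    if (set_name_truncating(&h, big) != 1 || strlen(h.name) != NAME_MAX_LEN - 1)
        return 0;
    if (set_name_truncating(&h, "abc") != 0 || strcmp(h.name, "abc") != 0)
        return 0;
    return 1;
}

int main(int argc, char **argv)
{
    struct host_cfg h;
    const char *arg = argc > 1 ? argv[1] : "example.invalid";

    memset(&h, 0, sizeof h);
    if (set_name_checked(&h, arg) != 0) {
        fprintf(stderr, "name too long (max %zu bytes)\n", sizeof h.name - 1);
        return 1;
    }
    printf("name=%s checks=%s\n", h.name, run_checks() ? "ok" : "FAILED");
    return 0;
}
```

Compile with `cc -Wall -o namecheck namecheck.c` and run it with a long first argument to see the strict path reject the input. Which replacement is right depends on the field: for something like a hostname, silent truncation can redirect traffic to a different name, so the rejecting variant is usually the safer default and the truncating one should only be used where the caller acts on the return value.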