From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:39811) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aIXO2-0002h2-Jo for qemu-devel@nongnu.org; Mon, 11 Jan 2016 02:59:35 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aIXNy-0007CO-BD for qemu-devel@nongnu.org; Mon, 11 Jan 2016 02:59:34 -0500 Received: from proxmox.maurer-it.com ([94.136.31.133]:63300) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aIXNy-0007BR-3r for qemu-devel@nongnu.org; Mon, 11 Jan 2016 02:59:30 -0500 Date: Mon, 11 Jan 2016 08:59:14 +0100 From: Wolfgang Bumiller Message-ID: <20160111075914.GA28466@olga> References: <20160108091949.GA14724@olga> <20160108130251.GA17847@olga> <20160108143831.GA7632@olga> <1907860725.4.388b58e8-5b06-4844-be0c-df2778eb46fb.open-xchange@webmail.proxmox.com> <56920EC7.6090109@msgid.tls.msk.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <56920EC7.6090109@msgid.tls.msk.ru> Subject: Re: [Qemu-devel] [PATCH] hmp: avoid redundant null termination of buffer List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Michael Tokarev , P J P Cc: qemu-devel@nongnu.org, Ling Liu On Sun, Jan 10, 2016 at 10:56:55AM +0300, Michael Tokarev wrote: > So, what's the status of this issue now? > (it is CVE-2015-8619 btw, maybe worth to mention this in the commit message) Seems we concluded it's best to keep keyname_len around and simply check it against the sizeof(keyname_buf). Here's a full new version as I haven't seen one yet. (With an adapted commit message and the CVE id added.) I did not include the proposed change to the pstrcpy() size parameter as it seemed more like a coding-style change and because the code also uses pstrcpy(keyname_buf, sizeof(keyname_buf), "less") instead of a memcpy() (after all, the buffer size is known and the contents are constant in that line). Patch: === >>From 8da4a3bf8fb076314f986a0d58cb94f5458e3659 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Mon, 11 Jan 2016 08:21:25 +0100 Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619) When processing 'sendkey' command, hmp_sendkey routine null terminates the 'keyname_buf' array. This results in an OOB write issue, if 'keyname_len' was to fall outside of 'keyname_buf' array. Now checking the length against the buffer size before using it. Reported-by: Ling Liu Signed-off-by: Wolfgang Bumiller --- hmp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hmp.c b/hmp.c index c2b2c16..0c7a04c 100644 --- a/hmp.c +++ b/hmp.c @@ -1749,6 +1749,8 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) while (1) { separator = strchr(keys, '-'); keyname_len = separator ? separator - keys : strlen(keys); + if (keyname_len >= sizeof(keyname_buf)) + goto err_out; pstrcpy(keyname_buf, sizeof(keyname_buf), keys); /* Be compatible with old interface, convert user inputted "<" */ @@ -1800,7 +1802,7 @@ out: return; err_out: - monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); + monitor_printf(mon, "invalid parameter: %s\n", keys); goto out; } -- 2.1.4