From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Gerd Hoffmann" <kraxel@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"P J P" <ppandit@redhat.com>,
"Daniel P. Berrange" <berrange@redhat.com>
Subject: [Qemu-devel] [PATCH v1 00/13] Fix VNC server unbounded memory usage
Date: Mon, 18 Dec 2017 19:12:15 +0000 [thread overview]
Message-ID: <20171218191228.31018-1-berrange@redhat.com> (raw)
In the 2.11 release we fixed CVE-2017-15268, which allowed the VNC websockets
server to consume arbitrary memory when a slow client was connected. I have
since discovered that this same type of problem can be triggered in several
other ways in the regular (non-websockets) VNC server. This patch series
attempts to fix this problem by limiting framebuffer updates and other data
sent from server to client. The mitigating factor is that you need to have
successfully authenticated with the VNC server to trigger these new flaws.
This new more general flaw is assigned CVE-2017-15124 by the Red Hat security
team.
The key patches containing the security fix are 9, 10, 11.
Since this code is incredibly subtle & hard to understand though, the first
8 patches do a bunch of independant cleanups/refactoring to make the security
fixes clearer. The last two patches are just some extra cleanup / help for
future maint.
Daniel P. Berrange (13):
ui: remove 'sync' parametr from vnc_update_client
ui: remove unreachable code in vnc_update_client
ui: remove redundant indentation in vnc_client_update
ui: avoid pointless VNC updates if framebuffer isn't dirty
ui: track how much decoded data we consumed when doing SASL encoding
ui: introduce enum to track VNC client framebuffer update request
state
ui: correctly reset framebuffer update state after processing dirty
regions
ui: refactor code for determining if an update should be sent to the
client
ui: fix VNC client throttling when audio capture is active
ui: fix VNC client throttling when forced update is requested
ui: place a hard cap on VNC server output buffer size
ui: add trace events related to VNC client throttling
ui: mix misleading comments & return types of VNC I/O helper methods
ui/trace-events | 7 ++
ui/vnc-auth-sasl.c | 16 ++-
ui/vnc-auth-sasl.h | 5 +-
ui/vnc-jobs.c | 5 +
ui/vnc.c | 320 ++++++++++++++++++++++++++++++++++++++---------------
ui/vnc.h | 28 ++++-
6 files changed, 277 insertions(+), 104 deletions(-)
--
2.14.3
next reply other threads:[~2017-12-18 19:13 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-18 19:12 Daniel P. Berrange [this message]
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 01/13] ui: remove 'sync' parametr from vnc_update_client Daniel P. Berrange
[not found] ` <20171219072629.4c23icd27ggxayc5@starbug-vm.ie.oracle.com>
2017-12-19 10:32 ` Daniel P. Berrange
2018-01-08 11:08 ` Gerd Hoffmann
2018-01-10 13:55 ` Daniel P. Berrange
2018-01-12 11:48 ` Gerd Hoffmann
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 02/13] ui: remove unreachable code in vnc_update_client Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 03/13] ui: remove redundant indentation in vnc_client_update Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 04/13] ui: avoid pointless VNC updates if framebuffer isn't dirty Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 05/13] ui: track how much decoded data we consumed when doing SASL encoding Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 06/13] ui: introduce enum to track VNC client framebuffer update request state Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 07/13] ui: correctly reset framebuffer update state after processing dirty regions Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 08/13] ui: refactor code for determining if an update should be sent to the client Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 09/13] ui: fix VNC client throttling when audio capture is active Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 10/13] ui: fix VNC client throttling when forced update is requested Daniel P. Berrange
2017-12-19 17:57 ` Marc-André Lureau
2017-12-19 18:07 ` Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 11/13] ui: place a hard cap on VNC server output buffer size Daniel P. Berrange
2017-12-20 11:32 ` Marc-André Lureau
2017-12-20 11:38 ` Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 12/13] ui: add trace events related to VNC client throttling Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 13/13] ui: mix misleading comments & return types of VNC I/O helper methods Daniel P. Berrange
2017-12-19 8:01 ` [Qemu-devel] [PATCH v1 00/13] Fix VNC server unbounded memory usage Darren Kenny
2017-12-19 14:57 ` Marc-André Lureau
2017-12-19 15:23 ` Daniel P. Berrange
2017-12-20 11:57 ` Marc-André Lureau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171218191228.31018-1-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=kraxel@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).