From: "Daniel P. Berrange" <berrange@redhat.com>
To: "Marc-André Lureau" <marcandre.lureau@redhat.com>
Cc: qemu-devel@nongnu.org, Gerd Hoffmann <kraxel@redhat.com>,
P J P <ppandit@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v1 00/13] Fix VNC server unbounded memory usage
Date: Tue, 19 Dec 2017 15:23:04 +0000 [thread overview]
Message-ID: <20171219152304.GC3567@redhat.com> (raw)
In-Reply-To: <32374673.1188228.1513695479889.JavaMail.zimbra@redhat.com>
On Tue, Dec 19, 2017 at 09:57:59AM -0500, Marc-André Lureau wrote:
> Hi
>
> ----- Original Message -----
> > In the 2.11 release we fixed CVE-2017-15268, which allowed the VNC websockets
> > server to consume arbitrary memory when a slow client was connected. I have
> > since discovered that this same type of problem can be triggered in several
> > other ways in the regular (non-websockets) VNC server. This patch series
> > attempts to fix this problem by limiting framebuffer updates and other data
> > sent from server to client. The mitigating factor is that you need to have
> > successfully authenticated with the VNC server to trigger these new flaws.
> > This new more general flaw is assigned CVE-2017-15124 by the Red Hat security
> > team.
> >
> > The key patches containing the security fix are 9, 10, 11.
> >
> > Since this code is incredibly subtle & hard to understand though, the first
> > 8 patches do a bunch of independant cleanups/refactoring to make the security
> > fixes clearer. The last two patches are just some extra cleanup / help for
> > future maint.
>
> I already reviewed the series privately, and in general, I'd ack it.
>
> Did you manage to run some throttle tests? (I tried to trigger them manually
> by slowing artificially network or calling framebuffer_update_request() in
> gdb, I didn't manage yet :-/)
I used two approaches. First a MITM socket server that just throttles the
rate at which is reads from QEMU. Second, I wrote an intentionally malicious
VNC client to artificially exercise the codepaths & verify they are fixed.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2017-12-19 15:23 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-18 19:12 [Qemu-devel] [PATCH v1 00/13] Fix VNC server unbounded memory usage Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 01/13] ui: remove 'sync' parametr from vnc_update_client Daniel P. Berrange
[not found] ` <20171219072629.4c23icd27ggxayc5@starbug-vm.ie.oracle.com>
2017-12-19 10:32 ` Daniel P. Berrange
2018-01-08 11:08 ` Gerd Hoffmann
2018-01-10 13:55 ` Daniel P. Berrange
2018-01-12 11:48 ` Gerd Hoffmann
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 02/13] ui: remove unreachable code in vnc_update_client Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 03/13] ui: remove redundant indentation in vnc_client_update Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 04/13] ui: avoid pointless VNC updates if framebuffer isn't dirty Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 05/13] ui: track how much decoded data we consumed when doing SASL encoding Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 06/13] ui: introduce enum to track VNC client framebuffer update request state Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 07/13] ui: correctly reset framebuffer update state after processing dirty regions Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 08/13] ui: refactor code for determining if an update should be sent to the client Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 09/13] ui: fix VNC client throttling when audio capture is active Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 10/13] ui: fix VNC client throttling when forced update is requested Daniel P. Berrange
2017-12-19 17:57 ` Marc-André Lureau
2017-12-19 18:07 ` Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 11/13] ui: place a hard cap on VNC server output buffer size Daniel P. Berrange
2017-12-20 11:32 ` Marc-André Lureau
2017-12-20 11:38 ` Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 12/13] ui: add trace events related to VNC client throttling Daniel P. Berrange
2017-12-18 19:12 ` [Qemu-devel] [PATCH v1 13/13] ui: mix misleading comments & return types of VNC I/O helper methods Daniel P. Berrange
2017-12-19 8:01 ` [Qemu-devel] [PATCH v1 00/13] Fix VNC server unbounded memory usage Darren Kenny
2017-12-19 14:57 ` Marc-André Lureau
2017-12-19 15:23 ` Daniel P. Berrange [this message]
2017-12-20 11:57 ` Marc-André Lureau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171219152304.GC3567@redhat.com \
--to=berrange@redhat.com \
--cc=kraxel@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).