From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Feifan Qian" <bea1e@proton.me>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Heechan Kang" <gganji11@naver.com>,
"Daniel P. Berrangé" <berrange@redhat.com>
Subject: [PATCH] ui: fix validation of VNC extended clipboard data length
Date: Tue, 12 May 2026 10:55:43 +0100 [thread overview]
Message-ID: <20260512095543.459949-1-berrange@redhat.com> (raw)
From: Heechan Kang <gganji11@naver.com>
QEMU's VNC extended clipboard handler inflates a client-controlled
compressed clipboard payload. The code checks the declared text size
against the total inflated buffer size:
if (tsize < size)
but then copies from:
tbuf = buf + 4;
qemu_clipboard_set_data(..., tsize, tbuf, true);
The correct bound is the remaining data length after the 4-byte length
field, not the total inflated buffer length.
As a result, a VNC client can make QEMU copy up to 3 bytes past the end
of the inflated heap buffer. With a second VNC client, those copied
bytes are observable through the normal VNC extended clipboard PROVIDE
path.
Fixes: CVE-2026-8343
Reported-by: Heechan Kang <gganji11@naver.com>
Reported-by: Feifan Qian <bea1e@proton.me>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Heechan Kang <gganji11@naver.com>
[DB: added #include and 'return' statements]
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
ui/vnc-clipboard.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
index 124b6fbd9c..fa05d86f42 100644
--- a/ui/vnc-clipboard.c
+++ b/ui/vnc-clipboard.c
@@ -23,6 +23,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/error-report.h"
#include "vnc.h"
#include "vnc-jobs.h"
@@ -282,10 +283,16 @@ void vnc_client_cut_text_ext(VncState *vs, int32_t len, uint32_t flags, uint8_t
buf && size >= 4) {
uint32_t tsize = read_u32(buf, 0);
uint8_t *tbuf = buf + 4;
- if (tsize < size) {
+ if (tsize <= size - 4) {
qemu_clipboard_set_data(&vs->cbpeer, vs->cbinfo,
QEMU_CLIPBOARD_TYPE_TEXT,
tsize, tbuf, true);
+ } else {
+ error_report("vnc: malformed extended clipboard payload "
+ "with text length %u exceeding available %u",
+ tsize, size - 4);
+ vnc_client_error(vs);
+ return;
}
}
}
--
2.54.0
next reply other threads:[~2026-05-12 9:56 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-12 9:55 Daniel P. Berrangé [this message]
2026-05-12 10:35 ` [PATCH] ui: fix validation of VNC extended clipboard data length Marc-André Lureau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260512095543.459949-1-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=bea1e@proton.me \
--cc=gganji11@naver.com \
--cc=marcandre.lureau@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox