From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49963)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <lersek@redhat.com>) id 1XPpTb-0003o0-Cp
	for qemu-devel@nongnu.org; Fri, 05 Sep 2014 05:06:45 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <lersek@redhat.com>) id 1XPpTV-0006Gn-2p
	for qemu-devel@nongnu.org; Fri, 05 Sep 2014 05:06:39 -0400
Message-ID: <54097D07.6020607@redhat.com>
Date: Fri, 05 Sep 2014 11:06:15 +0200
From: Laszlo Ersek <lersek@redhat.com>
MIME-Version: 1.0
References: <1409814273-11463-1-git-send-email-kraxel@redhat.com>	
	<1409814273-11463-4-git-send-email-kraxel@redhat.com>	
	<54096BC2.7070102@redhat.com>
	<1409907491.20018.5.camel@nilsson.home.kraxel.org>
In-Reply-To: <1409907491.20018.5.camel@nilsson.home.kraxel.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [CVE-2014-3615 PATCH v2 3/3] spice: make sure we
 don't overflow ssd->buf
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: Petr Matousek <pmatouse@redhat.com>, secalert@redhat.com, qemu-stable@nongnu.org, qemu-devel@nongnu.org, P J P <ppandit@redhat.com>, Anthony Liguori <aliguori@amazon.com>, spice-devel@lists.freedesktop.org

On 09/05/14 10:58, Gerd Hoffmann wrote:
>   Hi,
> 
>> I can't track this back far enough. I'd feel safer if you checked that
>> the multiplication can't overflow even in uint64_t.
> 
> Effectively it comes from the emulated graphics hardware (anything in
> hw/display/*).  The gfx emulation must make sure that the framebuffer
> fits into the video memory, which in turn pretty much implies that we
> can't overflow uint64_t.  I think even uint32_t can't overflow with the
> gfx hardware we are emulating today.
> 
>> (5) Instead, you really need to make sure that the very first
>> multiplication fits in a signed int:
> 
> Makes sense.  I think it is easier to just multiply in 64bit, then check
> the result is small enougth (new patch attached).

Okay, if you can guarantee that the product fits in uint64_t, then such
a check would suffice.

New patch has not been attached though :)

> 
>>>  /* display listener callbacks */
>>> @@ -495,7 +503,7 @@ static void interface_get_init_info(QXLInstance *sin, QXLDevInitInfo *info)
>>>      info->num_memslots = NUM_MEMSLOTS;
>>>      info->num_memslots_groups = NUM_MEMSLOTS_GROUPS;
>>>      info->internal_groupslot_id = 0;
>>> -    info->qxl_ram_size = ssd->bufsize;
>>> +    info->qxl_ram_size = 16 * 1024 * 1024;
>>>      info->n_surfaces = ssd->num_surfaces;
>>>  }
> 
> spice-server doesn't do anything with it, other than passing to
> spice-client.  Not fully sure what spice-client uses this for, maybe as
> some kind of hint for resource management.  Maybe not at all.
> 
> It surely doesn't matter at all for ssd->buf size.

Okay, I'll trust you on this.

Thanks
Laszlo