[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE-2019-3813: spice: Off-by-one error in array access in spice/server/memslot.c
From: Peter Korsgaard <peter () korsgaard ! com>
Date: 2019-01-28 22:25:06
Message-ID: 87munkbet9.fsf () dell ! be ! 48ers ! dk
[Download RAW message or body]
>>>>> "Scott" == Scott Gayou <sgayou@redhat.com> writes:
> Hello,
> spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds read
> due to an off-by-one error in memslot_get_virt. This may lead to a
> denial-of-service, or, in the worst case, code-execution by unauthenticated
> attackers.
> The attached patch fixes the issue in spice and is planned to be included
> in forthcoming release spice 0.14.2.
> This issue was reported by Christophe Fergeau (Red Hat).
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=1665371
> Thank you.
> --
> Scott Gayou / Red Had Product Security
> From 6eff47e72cb2f23d168be58bab8bdd60df49afd0 Mon Sep 17 00:00:00 2001
> From: Christophe Fergeau <cfergeau@redhat.com>
> Date: Thu, 29 Nov 2018 14:18:39 +0100
> Subject: [spice-server] memslot: Fix off-by-one error in group/slot boundary
> check
> RedMemSlotInfo keeps an array of groups, and each group contains an
> array of slots. Unfortunately, these checks are off by 1, they check
> that the index is greater or equal to the number of elements in the
> array, while these arrays are 0 based. The check should only check for
> strictly greater than the number of elements.
> For the group array, this is not a big issue, as these memslot groups
> are created by spice-server users (eg QEMU), and the group ids used to
> index that array are also generated by the spice-server user, so it
> should not be possible for the guest to set them to arbitrary values.
> The slot id is more problematic, as it's calculated from a QXLPHYSICAL
> address, and such addresses are usually set by the guest QXL driver, so
> the guest can set these to arbitrary values, including malicious values,
> which are probably easy to build from the guest PCI configuration.
> This patch fixes the arrays bound check, and adds a test case for this.
> Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
> ---
> server/memslot.c | 4 ++--
> server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++
> 2 files changed, 32 insertions(+), 2 deletions(-)
> diff --git a/server/memslot.c b/server/memslot.c
> index b27324efb..fb3d5cfd5 100644
> --- a/server/memslot.c
> +++ b/server/memslot.c
> @@ -97,13 +97,13 @@ void *memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t add_size
> MemSlot *slot;
> - if (group_id > info->num_memslots_groups) {
> + if (group_id >= info->num_memslots_groups) {
> g_critical("group_id too big");
What version is this patch against? I don't see memslot.c using
g_critical() neither on the 0.14 branch (which doesn't have 0.14.1) or
master?
https://gitlab.freedesktop.org/spice/spice/blob/master/server/memslot.c#L97
--
Bye, Peter Korsgaard
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic