spice-vdagent/backport-0002-CVE-2020-25650.patch


From 9d35d8a86fb310fc1f29d428c0a96995948d2357 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Fri, 2 Oct 2020 12:27:59 +0100
Subject: [PATCH] Avoids uncontrolled "active_xfers" allocations
Limit the number of active file transfers, which could otherwise cause
a DoS by consuming memory in "active_xfers".
This issue was reported by SUSE security team.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
src/vdagentd/vdagentd.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
--- a/src/vdagentd/vdagentd.c
+++ b/src/vdagentd/vdagentd.c
@@ -46,6 +46,14 @@
#define DEFAULT_UINPUT_DEVICE "/dev/uinput"
+// Maximum number of transfers active at any time.
+// Avoid DoS from client.
+// As each transfer could likely end up taking a file descriptor
+// it is good to have a limit less than the number of file descriptors
+// in the process (by default 1024). The daemon do not open file
+// descriptors for the transfers but the agents do.
+#define MAX_ACTIVE_TRANSFERS 128
+
struct agent_data {
char *session;
int width;
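Review bot: The comment above `MAX_ACTIVE_TRANSFERS` does not say what scope the limit has, and its file-descriptor reasoning is per agent process while the check in the later hunk counts every entry in `active_xfers`. That table appears to be a single one for the daemon, so the cap would be shared by all agents and clients rather than applied to each; I would add a line such as `// The limit is applied to the whole active_xfers table, not per agent.` once that is confirmed. The value 128 is also justified only against the default limit of 1024 descriptors, so the comment should note that deployments lowering the agents' descriptor limit need to revisit it. Small wording fix in the same comment: "The daemon do not open" should read "The daemon does not open".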
@@ -372,6 +380,12 @@ static void do_client_file_xfer(VirtioPo
"Cancelling client file-xfer request %u",
s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0);
return;
+ } else if (g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS) {
+ send_file_xfer_status(vport,
+ "Too many transfers ongoing. "
+ "Cancelling client file-xfer request %u",
+ s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, NULL, 0);
+ return;
}
msg_type = VDAGENTD_FILE_XFER_START;
id = s->id;
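Review bot: The cap in the new `else if` branch is only as reliable as the code that removes entries from `active_xfers`, and that code is outside this hunk (the body of do_client_file_xfer also starts and ends outside it). If an id can remain in the table after an agent stalls or disconnects, or after a transfer is abandoned without a status message, the table stays at `MAX_ACTIVE_TRANSFERS` and every later start request is answered with `VD_AGENT_FILE_XFER_STATUS_ERROR`, turning the memory bound into a persistent refusal of service. It is worth confirming that every terminating path removes the id and stating that next to the check, for example `/* relies on entries being removed on completion, cancel and agent disconnect */`. The refusal itself would also be easier to spot in logs if the message included the limit value alongside the request id.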
--
GitLab