!2 update to 0.14.3

Merge pull request !2 from 靳智敏/master
openeuler-ci-bot 2020-08-04 17:40:05 +08:00 committed by Gitee
commit 1287b0681f
8 changed files with 7 additions and 120 deletions


@ -1,98 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christophe Fergeau <cfergeau@redhat.com>
Date: Thu, 29 Nov 2018 14:18:39 +0100
Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check
RedMemSlotInfo keeps an array of groups, and each group contains an
array of slots. Unfortunately, these checks are off by 1, they check
that the index is greater or equal to the number of elements in the
array, while these arrays are 0 based. The check should only check for
strictly greater than the number of elements.
For the group array, this is not a big issue, as these memslot groups
are created by spice-server users (eg QEMU), and the group ids used to
index that array are also generated by the spice-server user, so it
should not be possible for the guest to set them to arbitrary values.
The slot id is more problematic, as it's calculated from a QXLPHYSICAL
address, and such addresses are usually set by the guest QXL driver, so
the guest can set these to arbitrary values, including malicious values,
which are probably easy to build from the guest PCI configuration.
This patch fixes the arrays bound check, and adds a test case for this.
This fixes CVE-2019-3813.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
---
server/memslot.c | 4 ++--
server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++
2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/server/memslot.c b/server/memslot.c
index ede77e7..ea6f981 100644
--- a/server/memslot.c
+++ b/server/memslot.c
@@ -97,13 +97,13 @@ void *memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t add_size
MemSlot *slot;
- if (group_id > info->num_memslots_groups) {
+ if (group_id >= info->num_memslots_groups) {
spice_critical("group_id too big");
return NULL;
}
slot_id = memslot_get_id(info, addr);
- if (slot_id > info->num_memslots) {
+ if (slot_id >= info->num_memslots) {
print_memslots(info);
spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
return NULL;
diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c
index 47139a4..5b8d0f2 100644
--- a/server/tests/test-qxl-parsing.c
+++ b/server/tests/test-qxl-parsing.c
@@ -85,6 +85,31 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl)
g_free(from_physical(qxl->u.surface_create.data));
}
+static void test_memslot_invalid_group_id(void)
+{
+ RedMemSlotInfo mem_info;
+ init_meminfo(&mem_info);
+
+ memslot_get_virt(&mem_info, 0, 16, 1);
+}
+
+static void test_memslot_invalid_slot_id(void)
+{
+ RedMemSlotInfo mem_info;
+ init_meminfo(&mem_info);
+
+ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0);
+}
+
+static void test_memslot_invalid_addresses(void)
+{
+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0);
+ g_test_trap_assert_stderr("*group_id too big*");
+
+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0);
+ g_test_trap_assert_stderr("*slot_id 1 too big*");
+}
+
static void test_no_issues(void)
{
RedMemSlotInfo mem_info;
@@ -262,6 +287,11 @@ int main(int argc, char *argv[])
{
g_test_init(&argc, &argv, NULL);
+ /* try to use invalid memslot group/slot */
+ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses);
+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id);
+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id);
+
/* try to create a surface with no issues, should succeed */
g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues);



@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=FapA
-----END PGP SIGNATURE-----

spice-0.14.3.tar.bz2 Normal file


spice-0.14.3.tar.bz2.sign Normal file



@ -1,5 +1,5 @@
Name: spice Name: spice
Version: 0.14.1 Version: 0.14.3
Release: 1 Release: 1
Summary: Implements the SPICE protocol Summary: Implements the SPICE protocol
Group: User Interface/Desktops Group: User Interface/Desktops
@ -7,13 +7,11 @@ License: LGPLv2+
URL: https://www.spice-space.org/ URL: https://www.spice-space.org/
Source0: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2 Source0: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
Source1: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign Source1: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign
Source2: cfergeau-29AC6C82.keyring Source2: victortoso-E37A484F.keyring
Patch1: 0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
ExclusiveArch: %{ix86} x86_64 %{arm} aarch64 ExclusiveArch: %{ix86} x86_64 %{arm} aarch64
BuildRequires: gcc pkgconfig glib2-devel spice-protocol opus-devel git-core gnupg2 BuildRequires: gcc pkgconfig glib2-devel spice-protocol >= 0.14.0 opus-devel git-core gnupg2
BuildRequires: pixman-devel openssl-devel libjpeg-devel libcacard-devel cyrus-sasl-devel BuildRequires: pixman-devel openssl-devel libjpeg-devel libcacard-devel cyrus-sasl-devel
BuildRequires: lz4-devel gstreamer1-devel gstreamer1-plugins-base-devel orc-devel BuildRequires: lz4-devel gstreamer1-devel gstreamer1-plugins-base-devel orc-devel
@ -69,9 +67,12 @@ install -d %{buildroot}%{_libexecdir}
%files help %files help
%defattr(-,root,root) %defattr(-,root,root)
%doc README NEWS %doc README
%changelog %changelog
* Tues Oct 4 2020 jinzhimin<jinzhimin2@huawei.com> - 0.14.3-1
- update to 0.14.3
* Fri Oct 11 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.14.0-6 * Fri Oct 11 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.14.0-6
- Package init - Package init
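Review bot: The new %changelog entry on the `* Tues Oct 4 2020 jinzhimin<jinzhimin2@huawei.com> - 0.14.3-1` line uses a weekday token rpm's changelog parser does not accept, and Oct 4 2020 is a Sunday that conflicts with the commit date (2020-08-04, a Tuesday), so the build is likely to fail with a bad-date error; `* Tue Aug 04 2020 jinzhimin <jinzhimin2@huawei.com> - 0.14.3-1` would fix it. The entry text `- update to 0.14.3` also does not record that Patch1, the CVE-2019-3813 off-by-one fix, is dropped (presumably because the 0.14.3 tarball already carries it) nor that Source2 switches to victortoso-E37A484F.keyring, so neither the security fix's provenance nor the new signing key is traceable from the changelog; a second line such as `- drop memslot off-by-one patch (fixed upstream), switch to victortoso-E37A484F.keyring` would keep that record. Whether the key in the new keyring matches the one upstream publishes for the 0.14.3 release signature cannot be checked from this page, so that verification belongs in the PR description.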

victortoso-E37A484F.keyring Normal file
