commit 480759a0852832c0ac603f5a35c4d3ee6056e259 Author: zhuchunyi Date: Wed Nov 6 19:53:09 2019 +0800 update code diff --git a/0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch b/0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch new file mode 100644 index 0000000..1f69086 --- /dev/null +++ b/0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch @@ -0,0 +1,98 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Christophe Fergeau +Date: Thu, 29 Nov 2018 14:18:39 +0100 +Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check + +RedMemSlotInfo keeps an array of groups, and each group contains an +array of slots. Unfortunately, these checks are off by 1, they check +that the index is greater or equal to the number of elements in the +array, while these arrays are 0 based. The check should only check for +strictly greater than the number of elements. + +For the group array, this is not a big issue, as these memslot groups +are created by spice-server users (eg QEMU), and the group ids used to +index that array are also generated by the spice-server user, so it +should not be possible for the guest to set them to arbitrary values. + +The slot id is more problematic, as it's calculated from a QXLPHYSICAL +address, and such addresses are usually set by the guest QXL driver, so +the guest can set these to arbitrary values, including malicious values, +which are probably easy to build from the guest PCI configuration. + +This patch fixes the arrays bound check, and adds a test case for this. +This fixes CVE-2019-3813. + +Signed-off-by: Christophe Fergeau +--- + server/memslot.c | 4 ++-- + server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++ + 2 files changed, 32 insertions(+), 2 deletions(-) + +diff --git a/server/memslot.c b/server/memslot.c +index ede77e7..ea6f981 100644 +--- a/server/memslot.c ++++ b/server/memslot.c +@@ -97,13 +97,13 @@ void *memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t add_size + + MemSlot *slot; + +- if (group_id > info->num_memslots_groups) { ++ if (group_id >= info->num_memslots_groups) { + spice_critical("group_id too big"); + return NULL; + } + + slot_id = memslot_get_id(info, addr); +- if (slot_id > info->num_memslots) { ++ if (slot_id >= info->num_memslots) { + print_memslots(info); + spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr); + return NULL; +diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c +index 47139a4..5b8d0f2 100644 +--- a/server/tests/test-qxl-parsing.c ++++ b/server/tests/test-qxl-parsing.c +@@ -85,6 +85,31 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl) + g_free(from_physical(qxl->u.surface_create.data)); + } + ++static void test_memslot_invalid_group_id(void) ++{ ++ RedMemSlotInfo mem_info; ++ init_meminfo(&mem_info); ++ ++ memslot_get_virt(&mem_info, 0, 16, 1); ++} ++ ++static void test_memslot_invalid_slot_id(void) ++{ ++ RedMemSlotInfo mem_info; ++ init_meminfo(&mem_info); ++ ++ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0); ++} ++ ++static void test_memslot_invalid_addresses(void) ++{ ++ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0); ++ g_test_trap_assert_stderr("*group_id too big*"); ++ ++ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0); ++ g_test_trap_assert_stderr("*slot_id 1 too big*"); ++} ++ + static void test_no_issues(void) + { + RedMemSlotInfo mem_info; +@@ -262,6 +287,11 @@ int main(int argc, char *argv[]) + { + g_test_init(&argc, &argv, NULL); + ++ /* try to use invalid memslot group/slot */ ++ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses); ++ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id); ++ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id); ++ + /* try to create a surface with no issues, should succeed */ + g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues); + diff --git a/cfergeau-29AC6C82.keyring b/cfergeau-29AC6C82.keyring new file mode 100644 index 0000000..02d5c49 Binary files /dev/null and b/cfergeau-29AC6C82.keyring differ diff --git a/spice-0.14.1.tar.bz2 b/spice-0.14.1.tar.bz2 new file mode 100644 index 0000000..400e5f5 Binary files /dev/null and b/spice-0.14.1.tar.bz2 differ diff --git a/spice-0.14.1.tar.bz2.sign b/spice-0.14.1.tar.bz2.sign new file mode 100644 index 0000000..aa39b28 --- /dev/null +++ b/spice-0.14.1.tar.bz2.sign @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEElKn3VmH3emFoZJsjqdjCFCmsbIIFAlt9eDYACgkQqdjCFCms +bIL79A//Zkp2FfqgBCJMjAr9Tmh4q8nnUV7O6SfapETPWug6tquLXVrqMz3i5CnI +EnrxXGGZDI0GxSsncJrTkoHoZks6/Ov44hAEArDfYj3B/mhyv6w67kqdQdS9wSve +2kMYjfTLn0Om3R9Q49izT9kG67bdxfPbxwnlI6qvTszjsjU/iM8Cx+7Opyt0+Jf4 +pIql7kHGCgxMFWzOJKlmsznsreV3NLCBxDUlRuFOjsAxnP3IdM2Ea+L3NeHgEBW5 +gOJrGfR7xUyxTC/D9M93siw3xQFfdu6NBlWXpjSJ92krCWdkSmnEmpiJ4pBOoHc9 +ggst4uoPaN/vLFIxUXvekjJoNXsNxqAPMtPxnujgRqshXrdDlEL2kXzfGlypFyEv +hmTVMj9R7SJCj9eNIitaz0v1IDGb5nvOV9FTV4s4ils11+rjEHpworc/viWqKe47 +RE4Qy+TJ5sFW0rr/2HFjmQoq+cPTf2rrBJRBtB6sSlpTOQ9NekCrqXHL3HKbz1Vx +SYtwWte8SaaqbrpzHAg+adWxzUJFS6A4a5ErtRVOlqINOKZofUbKctWryx/vZEJY +moyBgnjnY2lWWjz132l4ZEWn99A0jCkA8mibEbSsqzzlrH8UnFsaYnUN85y6e5g8 +SlX1g3gdW1n2NV9Flf6iHs4tQ7azBqGP6GpzIlEbyLC0QTcfAHk= +=FapA +-----END PGP SIGNATURE----- diff --git a/spice.spec b/spice.spec new file mode 100644 index 0000000..cdc7690 --- /dev/null +++ b/spice.spec @@ -0,0 +1,77 @@ +Name: spice +Version: 0.14.1 +Release: 1 +Summary: Implements the SPICE protocol +Group: User Interface/Desktops +License: LGPLv2+ +URL: https://www.spice-space.org/ +Source0: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2 +Source1: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign +Source2: cfergeau-29AC6C82.keyring + +Patch1: 0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch + +ExclusiveArch: %{ix86} x86_64 %{arm} aarch64 + +BuildRequires: gcc pkgconfig glib2-devel spice-protocol opus-devel git-core gnupg2 +BuildRequires: pixman-devel openssl-devel libjpeg-devel libcacard-devel cyrus-sasl-devel +BuildRequires: lz4-devel gstreamer1-devel gstreamer1-plugins-base-devel orc-devel + +%description +The SPICE package provides the SPICE server library and client. +These components are used to provide access to a remote machine's +display and devices. + +%package server +Summary: Implements the server side of the SPICE protocol +Obsoletes: spice-client < %{version}-%{release} + +%description server +This package contains the run-time libraries for any application that wishes +to be a SPICE server and is used to expose a remote machine's display and devices. + +%package server-devel +Summary: Header files and development files for %{name}-server +Requires: %{name}-server pkgconfig + +%description server-devel +The %{name}-server-devel package contains static libraries and header files for +developing applications that use %{name}-server. + +%package_help + +%prep +gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} +%autosetup -n %{name}-%{version} -p1 + +%build +%define configure_client --disable-client +%configure --enable-smartcard --disable-client --enable-lz4 --enable-gstreamer=1.0 --disable-celt051 +%make_build WARN_CFLAGS='' V=1 + +%install +make DESTDIR=%{buildroot} install +%delete_la_and_a +install -d %{buildroot}%{_libexecdir} + +%ldconfig_scriptlets server + +%files server +%defattr(-,root,root) +%license COPYING +%{_libdir}/libspice-server.so.* + +%files server-devel +%defattr(-,root,root) +%{_includedir}/spice-server/*.h +%{_libdir}/pkgconfig/*.pc +%{_libdir}/libspice-server.so + +%files help +%defattr(-,root,root) +%doc README NEWS + +%changelog +* Fri Oct 11 2019 openEuler Buildteam - 0.14.0-6 +- Package init +