update code

2019-11-06 19:53:09 +08:00 · 2019-11-06 19:53:09 +08:00 · 480759a085
commit 480759a085
5 changed files with 191 additions and 0 deletions
--- a/0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
+++ b/0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
@ -0,0 +1,98 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau <cfergeau@redhat.com>
+Date: Thu, 29 Nov 2018 14:18:39 +0100
+Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check
+
+RedMemSlotInfo keeps an array of groups, and each group contains an
+array of slots. Unfortunately, these checks are off by 1, they check
+that the index is greater or equal to the number of elements in the
+array, while these arrays are 0 based. The check should only check for
+strictly greater than the number of elements.
+
+For the group array, this is not a big issue, as these memslot groups
+are created by spice-server users (eg QEMU), and the group ids used to
+index that array are also generated by the spice-server user, so it
+should not be possible for the guest to set them to arbitrary values.
+
+The slot id is more problematic, as it's calculated from a QXLPHYSICAL
+address, and such addresses are usually set by the guest QXL driver, so
+the guest can set these to arbitrary values, including malicious values,
+which are probably easy to build from the guest PCI configuration.
+
+This patch fixes the arrays bound check, and adds a test case for this.
+This fixes CVE-2019-3813.
+
+Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
+---
+ server/memslot.c                |  4 ++--
+ server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/server/memslot.c b/server/memslot.c
+index ede77e7..ea6f981 100644
+--- a/server/memslot.c
+++ b/server/memslot.c
+@@ -97,13 +97,13 @@ void *memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t add_size
+ 
+     MemSlot *slot;
+ 
+-    if (group_id > info->num_memslots_groups) {
+    if (group_id >= info->num_memslots_groups) {
+         spice_critical("group_id too big");
+         return NULL;
+     }
+ 
+     slot_id = memslot_get_id(info, addr);
+-    if (slot_id > info->num_memslots) {
+    if (slot_id >= info->num_memslots) {
+         print_memslots(info);
+         spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
+         return NULL;
+diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c
+index 47139a4..5b8d0f2 100644
+--- a/server/tests/test-qxl-parsing.c
+++ b/server/tests/test-qxl-parsing.c
+@@ -85,6 +85,31 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl)
+     g_free(from_physical(qxl->u.surface_create.data));
+ }
+ 
+static void test_memslot_invalid_group_id(void)
+{
+    RedMemSlotInfo mem_info;
+    init_meminfo(&mem_info);
+
+    memslot_get_virt(&mem_info, 0, 16, 1);
+}
+
+static void test_memslot_invalid_slot_id(void)
+{
+    RedMemSlotInfo mem_info;
+    init_meminfo(&mem_info);
+
+    memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0);
+}
+
+static void test_memslot_invalid_addresses(void)
+{
+    g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0);
+    g_test_trap_assert_stderr("*group_id too big*");
+
+    g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0);
+    g_test_trap_assert_stderr("*slot_id 1 too big*");
+}
+
+ static void test_no_issues(void)
+ {
+     RedMemSlotInfo mem_info;
+@@ -262,6 +287,11 @@ int main(int argc, char *argv[])
+ {
+     g_test_init(&argc, &argv, NULL);
+ 
+    /* try to use invalid memslot group/slot */
+    g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses);
+    g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id);
+    g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id);
+
+     /* try to create a surface with no issues, should succeed */
+     g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues);
+ 
--- a/cfergeau-29AC6C82.keyring
+++ b/cfergeau-29AC6C82.keyring
--- a/spice-0.14.1.tar.bz2
+++ b/spice-0.14.1.tar.bz2
--- a/spice-0.14.1.tar.bz2.sign
+++ b/spice-0.14.1.tar.bz2.sign
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEElKn3VmH3emFoZJsjqdjCFCmsbIIFAlt9eDYACgkQqdjCFCms
+bIL79A//Zkp2FfqgBCJMjAr9Tmh4q8nnUV7O6SfapETPWug6tquLXVrqMz3i5CnI
+EnrxXGGZDI0GxSsncJrTkoHoZks6/Ov44hAEArDfYj3B/mhyv6w67kqdQdS9wSve
+2kMYjfTLn0Om3R9Q49izT9kG67bdxfPbxwnlI6qvTszjsjU/iM8Cx+7Opyt0+Jf4
+pIql7kHGCgxMFWzOJKlmsznsreV3NLCBxDUlRuFOjsAxnP3IdM2Ea+L3NeHgEBW5
+gOJrGfR7xUyxTC/D9M93siw3xQFfdu6NBlWXpjSJ92krCWdkSmnEmpiJ4pBOoHc9
+ggst4uoPaN/vLFIxUXvekjJoNXsNxqAPMtPxnujgRqshXrdDlEL2kXzfGlypFyEv
+hmTVMj9R7SJCj9eNIitaz0v1IDGb5nvOV9FTV4s4ils11+rjEHpworc/viWqKe47
+RE4Qy+TJ5sFW0rr/2HFjmQoq+cPTf2rrBJRBtB6sSlpTOQ9NekCrqXHL3HKbz1Vx
+SYtwWte8SaaqbrpzHAg+adWxzUJFS6A4a5ErtRVOlqINOKZofUbKctWryx/vZEJY
+moyBgnjnY2lWWjz132l4ZEWn99A0jCkA8mibEbSsqzzlrH8UnFsaYnUN85y6e5g8
+SlX1g3gdW1n2NV9Flf6iHs4tQ7azBqGP6GpzIlEbyLC0QTcfAHk=
+=FapA
+-----END PGP SIGNATURE-----
--- a/spice.spec
+++ b/spice.spec
@ -0,0 +1,77 @@
+Name:           spice
+Version:        0.14.1
+Release:        1
+Summary:        Implements the SPICE protocol
+Group:          User Interface/Desktops
+License:        LGPLv2+
+URL:            https://www.spice-space.org/
+Source0:        https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
+Source1:        https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign
+Source2:        cfergeau-29AC6C82.keyring
+
+Patch1:         0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
+
+ExclusiveArch:  %{ix86} x86_64 %{arm} aarch64
+
+BuildRequires:  gcc pkgconfig glib2-devel spice-protocol  opus-devel git-core gnupg2
+BuildRequires:  pixman-devel openssl-devel libjpeg-devel libcacard-devel cyrus-sasl-devel
+BuildRequires:  lz4-devel gstreamer1-devel gstreamer1-plugins-base-devel orc-devel 
+
+%description
+The SPICE package provides the SPICE server library and client.
+These components are used to provide access to a remote machine's
+display and devices.
+
+%package        server
+Summary:        Implements the server side of the SPICE protocol
+Obsoletes:      spice-client < %{version}-%{release}
+
+%description    server
+This package contains the run-time libraries for any application that wishes
+to be a SPICE server and is used to expose a remote machine's display and devices.
+
+%package        server-devel
+Summary:        Header files and development files for %{name}-server
+Requires:       %{name}-server  pkgconfig
+  
+%description    server-devel
+The %{name}-server-devel package contains static libraries and header files for
+developing applications that use %{name}-server.
+
+%package_help
+
+%prep
+gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
+%autosetup -n %{name}-%{version} -p1
+
+%build
+%define configure_client --disable-client
+%configure --enable-smartcard --disable-client --enable-lz4 --enable-gstreamer=1.0 --disable-celt051
+%make_build WARN_CFLAGS='' V=1
+
+%install
+make DESTDIR=%{buildroot} install
+%delete_la_and_a
+install -d  %{buildroot}%{_libexecdir}
+
+%ldconfig_scriptlets server
+
+%files server
+%defattr(-,root,root)
+%license COPYING
+%{_libdir}/libspice-server.so.*
+
+%files server-devel
+%defattr(-,root,root)
+%{_includedir}/spice-server/*.h
+%{_libdir}/pkgconfig/*.pc
+%{_libdir}/libspice-server.so
+
+%files help
+%defattr(-,root,root)
+%doc README NEWS
+
+%changelog
+* Fri Oct 11 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.14.0-6
+- Package init
+