update to 0.14.3
This commit is contained in:
jinzhimin369
parent
be8c91b10d
commit
a1ddd0d433
@ -1,98 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Christophe Fergeau <cfergeau@redhat.com>
|
||||
Date: Thu, 29 Nov 2018 14:18:39 +0100
|
||||
Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check
|
||||
|
||||
RedMemSlotInfo keeps an array of groups, and each group contains an
|
||||
array of slots. Unfortunately, these checks are off by 1, they check
|
||||
that the index is greater or equal to the number of elements in the
|
||||
array, while these arrays are 0 based. The check should only check for
|
||||
strictly greater than the number of elements.
|
||||
|
||||
For the group array, this is not a big issue, as these memslot groups
|
||||
are created by spice-server users (eg QEMU), and the group ids used to
|
||||
index that array are also generated by the spice-server user, so it
|
||||
should not be possible for the guest to set them to arbitrary values.
|
||||
|
||||
The slot id is more problematic, as it's calculated from a QXLPHYSICAL
|
||||
address, and such addresses are usually set by the guest QXL driver, so
|
||||
the guest can set these to arbitrary values, including malicious values,
|
||||
which are probably easy to build from the guest PCI configuration.
|
||||
|
||||
This patch fixes the arrays bound check, and adds a test case for this.
|
||||
This fixes CVE-2019-3813.
|
||||
|
||||
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
|
||||
---
|
||||
server/memslot.c | 4 ++--
|
||||
server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++
|
||||
2 files changed, 32 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/server/memslot.c b/server/memslot.c
|
||||
index ede77e7..ea6f981 100644
|
||||
--- a/server/memslot.c
|
||||
+++ b/server/memslot.c
|
||||
@@ -97,13 +97,13 @@ void *memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t add_size
|
||||
|
||||
MemSlot *slot;
|
||||
|
||||
- if (group_id > info->num_memslots_groups) {
|
||||
+ if (group_id >= info->num_memslots_groups) {
|
||||
spice_critical("group_id too big");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
slot_id = memslot_get_id(info, addr);
|
||||
- if (slot_id > info->num_memslots) {
|
||||
+ if (slot_id >= info->num_memslots) {
|
||||
print_memslots(info);
|
||||
spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
|
||||
return NULL;
|
||||
diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c
|
||||
index 47139a4..5b8d0f2 100644
|
||||
--- a/server/tests/test-qxl-parsing.c
|
||||
+++ b/server/tests/test-qxl-parsing.c
|
||||
@@ -85,6 +85,31 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl)
|
||||
g_free(from_physical(qxl->u.surface_create.data));
|
||||
}
|
||||
|
||||
+static void test_memslot_invalid_group_id(void)
|
||||
+{
|
||||
+ RedMemSlotInfo mem_info;
|
||||
+ init_meminfo(&mem_info);
|
||||
+
|
||||
+ memslot_get_virt(&mem_info, 0, 16, 1);
|
||||
+}
|
||||
+
|
||||
+static void test_memslot_invalid_slot_id(void)
|
||||
+{
|
||||
+ RedMemSlotInfo mem_info;
|
||||
+ init_meminfo(&mem_info);
|
||||
+
|
||||
+ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0);
|
||||
+}
|
||||
+
|
||||
+static void test_memslot_invalid_addresses(void)
|
||||
+{
|
||||
+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0);
|
||||
+ g_test_trap_assert_stderr("*group_id too big*");
|
||||
+
|
||||
+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0);
|
||||
+ g_test_trap_assert_stderr("*slot_id 1 too big*");
|
||||
+}
|
||||
+
|
||||
static void test_no_issues(void)
|
||||
{
|
||||
RedMemSlotInfo mem_info;
|
||||
@@ -262,6 +287,11 @@ int main(int argc, char *argv[])
|
||||
{
|
||||
g_test_init(&argc, &argv, NULL);
|
||||
|
||||
+ /* try to use invalid memslot group/slot */
|
||||
+ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses);
|
||||
+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id);
|
||||
+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id);
|
||||
+
|
||||
/* try to create a surface with no issues, should succeed */
|
||||
g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues);
|
||||
|
||||
Binary file not shown.
Binary file not shown.
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEElKn3VmH3emFoZJsjqdjCFCmsbIIFAlt9eDYACgkQqdjCFCms
|
||||
bIL79A//Zkp2FfqgBCJMjAr9Tmh4q8nnUV7O6SfapETPWug6tquLXVrqMz3i5CnI
|
||||
EnrxXGGZDI0GxSsncJrTkoHoZks6/Ov44hAEArDfYj3B/mhyv6w67kqdQdS9wSve
|
||||
2kMYjfTLn0Om3R9Q49izT9kG67bdxfPbxwnlI6qvTszjsjU/iM8Cx+7Opyt0+Jf4
|
||||
pIql7kHGCgxMFWzOJKlmsznsreV3NLCBxDUlRuFOjsAxnP3IdM2Ea+L3NeHgEBW5
|
||||
gOJrGfR7xUyxTC/D9M93siw3xQFfdu6NBlWXpjSJ92krCWdkSmnEmpiJ4pBOoHc9
|
||||
ggst4uoPaN/vLFIxUXvekjJoNXsNxqAPMtPxnujgRqshXrdDlEL2kXzfGlypFyEv
|
||||
hmTVMj9R7SJCj9eNIitaz0v1IDGb5nvOV9FTV4s4ils11+rjEHpworc/viWqKe47
|
||||
RE4Qy+TJ5sFW0rr/2HFjmQoq+cPTf2rrBJRBtB6sSlpTOQ9NekCrqXHL3HKbz1Vx
|
||||
SYtwWte8SaaqbrpzHAg+adWxzUJFS6A4a5ErtRVOlqINOKZofUbKctWryx/vZEJY
|
||||
moyBgnjnY2lWWjz132l4ZEWn99A0jCkA8mibEbSsqzzlrH8UnFsaYnUN85y6e5g8
|
||||
SlX1g3gdW1n2NV9Flf6iHs4tQ7azBqGP6GpzIlEbyLC0QTcfAHk=
|
||||
=FapA
|
||||
-----END PGP SIGNATURE-----
|
||||
BIN
spice-0.14.3.tar.bz2
Normal file
BIN
spice-0.14.3.tar.bz2
Normal file
Binary file not shown.
BIN
spice-0.14.3.tar.bz2.sign
Normal file
BIN
spice-0.14.3.tar.bz2.sign
Normal file
Binary file not shown.
13
spice.spec
13
spice.spec
@ -1,5 +1,5 @@
|
||||
Name: spice
|
||||
Version: 0.14.1
|
||||
Version: 0.14.3
|
||||
Release: 1
|
||||
Summary: Implements the SPICE protocol
|
||||
Group: User Interface/Desktops
|
||||
@ -7,13 +7,11 @@ License: LGPLv2+
|
||||
URL: https://www.spice-space.org/
|
||||
Source0: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
|
||||
Source1: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign
|
||||
Source2: cfergeau-29AC6C82.keyring
|
||||
|
||||
Patch1: 0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
|
||||
Source2: victortoso-E37A484F.keyring
|
||||
|
||||
ExclusiveArch: %{ix86} x86_64 %{arm} aarch64
|
||||
|
||||
BuildRequires: gcc pkgconfig glib2-devel spice-protocol opus-devel git-core gnupg2
|
||||
BuildRequires: gcc pkgconfig glib2-devel spice-protocol >= 0.14.0 opus-devel git-core gnupg2
|
||||
BuildRequires: pixman-devel openssl-devel libjpeg-devel libcacard-devel cyrus-sasl-devel
|
||||
BuildRequires: lz4-devel gstreamer1-devel gstreamer1-plugins-base-devel orc-devel
|
||||
|
||||
@ -69,9 +67,12 @@ install -d %{buildroot}%{_libexecdir}
|
||||
|
||||
%files help
|
||||
%defattr(-,root,root)
|
||||
%doc README NEWS
|
||||
%doc README
|
||||
|
||||
%changelog
|
||||
* Tues Oct 4 2020 jinzhimin<jinzhimin2@huawei.com> - 0.14.3-1
|
||||
- update to 0.14.3
|
||||
|
||||
* Fri Oct 11 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.14.0-6
|
||||
- Package init
|
||||
|
||||
|
||||
BIN
victortoso-E37A484F.keyring
Normal file
BIN
victortoso-E37A484F.keyring
Normal file
Binary file not shown.
Loading…
x
Reference in New Issue
Block a user