From 5e5d757a039a60cba5ac89fe1998673c49a2d0b6 Mon Sep 17 00:00:00 2001 Message-Id: <5e5d757a039a60cba5ac89fe1998673c49a2d0b6@dist-git> From: "Daniel P. Berrange" Date: Tue, 16 Jan 2018 17:00:11 +0000 Subject: [PATCH] qemu: avoid denial of service reading from QEMU monitor (CVE-2018-5748) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We read from QEMU until seeing a \r\n pair to indicate a completed reply or event. To avoid memory denial-of-service though, we must have a size limit on amount of data we buffer. 10 MB is large enough that it ought to cope with normal QEMU replies, and small enough that we're not consuming unreasonable mem. Signed-off-by: Daniel P. Berrange (cherry picked from commit bc251ea91bcfddd2622fce6bce701a438b2e7276) Signed-off-by: Jiri Denemark Reviewed-by: Ján Tomko --- src/qemu/qemu_monitor.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c index b6af209a83..d999f2d10c 100644 --- a/src/qemu/qemu_monitor.c +++ b/src/qemu/qemu_monitor.c @@ -55,6 +55,15 @@ VIR_LOG_INIT("qemu.qemu_monitor"); #define DEBUG_IO 0 #define DEBUG_RAW_IO 0 +/* We read from QEMU until seeing a \r\n pair to indicate a + * completed reply or event. To avoid memory denial-of-service + * though, we must have a size limit on amount of data we + * buffer. 10 MB is large enough that it ought to cope with + * normal QEMU replies, and small enough that we're not + * consuming unreasonable mem. + */ +#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024) + struct _qemuMonitor { virObjectLockable parent; @@ -574,6 +583,12 @@ qemuMonitorIORead(qemuMonitorPtr mon) int ret = 0; if (avail < 1024) { + if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) { + virReportSystemError(ERANGE, + _("No complete monitor response found in %d bytes"), + QEMU_MONITOR_MAX_RESPONSE); + return -1; + } if (VIR_REALLOC_N(mon->buffer, mon->bufferLength + 1024) < 0) return -1; -- 2.17.0