|
 |
9bac43 |
From c3a99fb2c831c2f3da069359a9a8a0c734923669 Mon Sep 17 00:00:00 2001
|
|
|
9bac43 |
From: "Daniel P. Berrange" <berrange@redhat.com>
|
|
|
9bac43 |
Date: Wed, 20 Dec 2017 17:56:54 +0100
|
|
|
9bac43 |
Subject: [PATCH 14/42] io: monitor encoutput buffer size from websocket
|
|
|
9bac43 |
GSource
|
|
|
9bac43 |
|
|
|
9bac43 |
RH-Author: Daniel P. Berrange <berrange@redhat.com>
|
|
|
9bac43 |
Message-id: <20171220175702.29663-13-berrange@redhat.com>
|
|
|
9bac43 |
Patchwork-id: 78466
|
|
|
9bac43 |
O-Subject: [RHV-7.5 qemu-kvm-rhev PATCH v2 12/20] io: monitor encoutput buffer size from websocket GSource
|
|
|
9bac43 |
Bugzilla: 1518650
|
|
|
9bac43 |
RH-Acked-by: John Snow <jsnow@redhat.com>
|
|
|
9bac43 |
RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
|
|
|
9bac43 |
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
9bac43 |
|
|
|
9bac43 |
The websocket GSource is monitoring the size of the rawoutput
|
|
|
9bac43 |
buffer to determine if the channel can accepts more writes.
|
|
|
9bac43 |
The rawoutput buffer, however, is merely a temporary staging
|
|
|
9bac43 |
buffer before data is copied into the encoutput buffer. Thus
|
|
|
9bac43 |
its size will always be zero when the GSource runs.
|
|
|
9bac43 |
|
|
|
9bac43 |
This flaw causes the encoutput buffer to grow without bound
|
|
|
9bac43 |
if the other end of the underlying data channel doesn't
|
|
|
9bac43 |
read data being sent. This can be seen with VNC if a client
|
|
|
9bac43 |
is on a slow WAN link and the guest OS is sending many screen
|
|
|
9bac43 |
updates. A malicious VNC client can act like it is on a slow
|
|
|
9bac43 |
link by playing a video in the guest and then reading data
|
|
|
9bac43 |
very slowly, causing QEMU host memory to expand arbitrarily.
|
|
|
9bac43 |
|
|
|
9bac43 |
This issue is assigned CVE-2017-15268, publically reported in
|
|
|
9bac43 |
|
|
|
9bac43 |
https://bugs.launchpad.net/qemu/+bug/1718964
|
|
|
9bac43 |
|
|
|
9bac43 |
Reviewed-by: Eric Blake <eblake@redhat.com>
|
|
|
9bac43 |
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
|
|
9bac43 |
(cherry picked from commit a7b20a8efa28e5f22c26c06cd06c2f12bc863493)
|
|
|
9bac43 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
9bac43 |
---
|
|
|
9bac43 |
io/channel-websock.c | 4 ++--
|
|
|
9bac43 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
9bac43 |
|
|
|
9bac43 |
diff --git a/io/channel-websock.c b/io/channel-websock.c
|
|
|
9bac43 |
index d1d471f..04bcc05 100644
|
|
|
9bac43 |
--- a/io/channel-websock.c
|
|
|
9bac43 |
+++ b/io/channel-websock.c
|
|
|
9bac43 |
@@ -28,7 +28,7 @@
|
|
|
9bac43 |
#include <time.h>
|
|
|
9bac43 |
|
|
|
9bac43 |
|
|
|
9bac43 |
-/* Max amount to allow in rawinput/rawoutput buffers */
|
|
|
9bac43 |
+/* Max amount to allow in rawinput/encoutput buffers */
|
|
|
9bac43 |
#define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
|
|
|
9bac43 |
|
|
|
9bac43 |
#define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
|
|
|
9bac43 |
@@ -1208,7 +1208,7 @@ qio_channel_websock_source_check(GSource *source)
|
|
|
9bac43 |
if (wsource->wioc->rawinput.offset || wsource->wioc->io_eof) {
|
|
|
9bac43 |
cond |= G_IO_IN;
|
|
|
9bac43 |
}
|
|
|
9bac43 |
- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
|
|
|
9bac43 |
+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
|
|
|
9bac43 |
cond |= G_IO_OUT;
|
|
|
9bac43 |
}
|
|
|
9bac43 |
|
|
|
9bac43 |
--
|
|
|
9bac43 |
1.8.3.1
|
|
|
9bac43 |
|