From 27d5bab00da6a59c9eae2e5f66dc985f1a0b95ac Mon Sep 17 00:00:00 2001

From: Gerd Hoffmann <kraxel@redhat.com>

Date: Mon, 15 Sep 2014 13:08:23 +0200

Subject: [PATCH 4/4] spice: make sure we don't overflow ssd->buf

Message-id: <1410786503-19794-5-git-send-email-kraxel@redhat.com>

Patchwork-id: 61136

O-Subject: [RHEL-7.1 qemu-kvm PATCH 4/4] spice: make sure we don't overflow ssd->buf

Bugzilla: 1139118

RH-Acked-by: Markus Armbruster <armbru@redhat.com>

RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>

RH-Acked-by: Laszlo Ersek <lersek@redhat.com>

Related spice-only bug.  We have a fixed 16 MB buffer here, being

presented to the spice-server as qxl video memory in case spice is

used with a non-qxl card.  It's also used with qxl in vga mode.

When using display resolutions requiring more than 16 MB of memory we

are going to overflow that buffer.  In theory the guest can write,

indirectly via spice-server.  The spice-server clears the memory after

setting a new video mode though, triggering a segfault in the overflow

case, so qemu crashes before the guest has a chance to do something

evil.

Fix that by switching to dynamic allocation for the buffer.

CVE-2014-3615

Cc: qemu-stable@nongnu.org

Cc: secalert@redhat.com

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

(cherry picked from commit ab9509cceabef28071e41bdfa073083859c949a7)

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>

---

 ui/spice-display.c |   20 +++++++++++++++-----

 1 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/ui/spice-display.c b/ui/spice-display.c

index 5d0a21e..dc8be8a 100644

--- a/ui/spice-display.c

+++ b/ui/spice-display.c

@@ -291,11 +291,23 @@ void qemu_spice_create_host_memslot(SimpleSpiceDisplay *ssd)

 void qemu_spice_create_host_primary(SimpleSpiceDisplay *ssd)

 {

     QXLDevSurfaceCreate surface;

+    uint64_t surface_size;

     memset(&surface, 0, sizeof(surface));

-    dprint(1, "%s/%d: %dx%d\n", __func__, ssd->qxl.id,

-           surface_width(ssd->ds), surface_height(ssd->ds));

+    surface_size = (uint64_t) surface_width(ssd->ds) *

+        surface_height(ssd->ds) * 4;

+    assert(surface_size > 0);

+    assert(surface_size < INT_MAX);

+    if (ssd->bufsize < surface_size) {

+        ssd->bufsize = surface_size;

+        g_free(ssd->buf);

+        ssd->buf = g_malloc(ssd->bufsize);

+    }

+

+    dprint(1, "%s/%d: %ux%u (size %" PRIu64 "/%d)\n", __func__, ssd->qxl.id,

+           surface_width(ssd->ds), surface_height(ssd->ds),

+           surface_size, ssd->bufsize);

     surface.format     = SPICE_SURFACE_FMT_32_xRGB;

     surface.width      = surface_width(ssd->ds);

@@ -326,8 +338,6 @@ void qemu_spice_display_init_common(SimpleSpiceDisplay *ssd)

     if (ssd->num_surfaces == 0) {

         ssd->num_surfaces = 1024;

     }

-    ssd->bufsize = (16 * 1024 * 1024);

-    ssd->buf = g_malloc(ssd->bufsize);

 }

 /* display listener callbacks */

@@ -446,7 +456,7 @@ static void interface_get_init_info(QXLInstance *sin, QXLDevInitInfo *info)

     info->num_memslots = NUM_MEMSLOTS;

     info->num_memslots_groups = NUM_MEMSLOTS_GROUPS;

     info->internal_groupslot_id = 0;

-    info->qxl_ram_size = ssd->bufsize;

+    info->qxl_ram_size = 16 * 1024 * 1024;

     info->n_surfaces = ssd->num_surfaces;

 }

-- 

1.7.1