From 8211390ac8f983b7c89f54ddfcd018d972512765 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Sep 01 2015 00:18:31 +0000 Subject: CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface (bz #1255899) --- diff --git a/0001-vnc-fix-memory-corruption-CVE-2015-5225.patch b/0001-vnc-fix-memory-corruption-CVE-2015-5225.patch new file mode 100644 index 0000000..fbe778b --- /dev/null +++ b/0001-vnc-fix-memory-corruption-CVE-2015-5225.patch @@ -0,0 +1,79 @@ +From: Gerd Hoffmann +Date: Mon, 17 Aug 2015 19:56:53 +0200 +Subject: [PATCH] vnc: fix memory corruption (CVE-2015-5225) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential +memory corruption issues" can become negative. Result is (possibly +exploitable) memory corruption. Reason for that is it uses the stride +instead of bytes per scanline to apply limits. + +For the server surface is is actually fine. vnc creates that itself, +there is never any padding and thus scanline length always equals stride. + +For the guest surface scanline length and stride are typically identical +too, but it doesn't has to be that way. So add and use a new variable +(guest_ll) for the guest scanline length. Also rename min_stride to +line_bytes to make more clear what it actually is. Finally sprinkle +in an assert() to make sure we never use a negative _cmp_bytes again. + +Reported-by: 范祚至(库特) +Reviewed-by: P J P +Signed-off-by: Gerd Hoffmann +(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b) +--- + ui/vnc.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/ui/vnc.c b/ui/vnc.c +index e26973a..caf82f5 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -2872,7 +2872,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + pixman_image_get_width(vd->server)); + int height = MIN(pixman_image_get_height(vd->guest.fb), + pixman_image_get_height(vd->server)); +- int cmp_bytes, server_stride, min_stride, guest_stride, y = 0; ++ int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0; + uint8_t *guest_row0 = NULL, *server_row0; + VncState *vs; + int has_dirty = 0; +@@ -2891,17 +2891,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + * Update server dirty map. + */ + server_row0 = (uint8_t *)pixman_image_get_data(vd->server); +- server_stride = guest_stride = pixman_image_get_stride(vd->server); ++ server_stride = guest_stride = guest_ll = ++ pixman_image_get_stride(vd->server); + cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES, + server_stride); + if (vd->guest.format != VNC_SERVER_FB_FORMAT) { + int width = pixman_image_get_width(vd->server); + tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width); + } else { ++ int guest_bpp = ++ PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb)); + guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb); + guest_stride = pixman_image_get_stride(vd->guest.fb); ++ guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8); + } +- min_stride = MIN(server_stride, guest_stride); ++ line_bytes = MIN(server_stride, guest_ll); + + for (;;) { + int x; +@@ -2932,9 +2936,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + if (!test_and_clear_bit(x, vd->guest.dirty[y])) { + continue; + } +- if ((x + 1) * cmp_bytes > min_stride) { +- _cmp_bytes = min_stride - x * cmp_bytes; ++ if ((x + 1) * cmp_bytes > line_bytes) { ++ _cmp_bytes = line_bytes - x * cmp_bytes; + } ++ assert(_cmp_bytes >= 0); + if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) { + continue; + } diff --git a/qemu.spec b/qemu.spec index 140a280..0bc40bc 100644 --- a/qemu.spec +++ b/qemu.spec @@ -40,7 +40,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.4.0 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -68,6 +68,10 @@ Source12: bridge.conf # qemu-kvm back compat wrapper Source13: qemu-kvm.sh +# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface +# (bz #1255899) +Patch0001: 0001-vnc-fix-memory-corruption-CVE-2015-5225.patch + BuildRequires: SDL2-devel BuildRequires: zlib-devel @@ -1200,6 +1204,10 @@ getent passwd qemu >/dev/null || \ %changelog +* Mon Aug 31 2015 Cole Robinson - 2:2.4.0-2 +- CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface (bz + #1255899) + * Tue Aug 11 2015 Cole Robinson - 2:2.4.0-1 - Rebased to version 2.4.0 - Support for virtio-gpu, 2D only