From 95257e71288857c2094c5d426d022d386f7dc9f7 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jan 31 2019 17:04:58 +0000
Subject: import spice-0.14.0-6.el7_6.1


---

diff --git a/SOURCES/0027-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch b/SOURCES/0027-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
new file mode 100644
index 0000000..ad8a9aa
--- /dev/null
+++ b/SOURCES/0027-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
@@ -0,0 +1,100 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau <cfergeau@redhat.com>
+Date: Thu, 29 Nov 2018 14:18:39 +0100
+Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check
+
+RedMemSlotInfo keeps an array of groups, and each group contains an
+array of slots. Unfortunately, these checks are off by 1, they check
+that the index is greater or equal to the number of elements in the
+array, while these arrays are 0 based. The check should only check for
+strictly greater than the number of elements.
+
+For the group array, this is not a big issue, as these memslot groups
+are created by spice-server users (eg QEMU), and the group ids used to
+index that array are also generated by the spice-server user, so it
+should not be possible for the guest to set them to arbitrary values.
+
+The slot id is more problematic, as it's calculated from a QXLPHYSICAL
+address, and such addresses are usually set by the guest QXL driver, so
+the guest can set these to arbitrary values, including malicious values,
+which are probably easy to build from the guest PCI configuration.
+
+This patch fixes the arrays bound check, and adds a test case for this.
+
+Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
+---
+ server/memslot.c                |  4 ++--
+ server/tests/test-qxl-parsing.c | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/server/memslot.c b/server/memslot.c
+index 7074b43..8c59c38 100644
+--- a/server/memslot.c
++++ b/server/memslot.c
+@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t
+     MemSlot *slot;
+ 
+     *error = 0;
+-    if (group_id > info->num_memslots_groups) {
++    if (group_id >= info->num_memslots_groups) {
+         spice_critical("group_id too big");
+         *error = 1;
+         return 0;
+     }
+ 
+     slot_id = memslot_get_id(info, addr);
+-    if (slot_id > info->num_memslots) {
++    if (slot_id >= info->num_memslots) {
+         print_memslots(info);
+         spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
+         *error = 1;
+diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c
+index 9c0c3b1..83f2083 100644
+--- a/server/tests/test-qxl-parsing.c
++++ b/server/tests/test-qxl-parsing.c
+@@ -85,6 +85,33 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl)
+     free(from_physical(qxl->u.surface_create.data));
+ }
+ 
++static void test_memslot_invalid_group_id(void)
++{
++    RedMemSlotInfo mem_info;
++    int error;
++    init_meminfo(&mem_info);
++
++    memslot_get_virt(&mem_info, 0, 16, 1, &error);
++}
++
++static void test_memslot_invalid_slot_id(void)
++{
++    RedMemSlotInfo mem_info;
++    int error;
++    init_meminfo(&mem_info);
++
++    memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0, &error);
++}
++
++static void test_memslot_invalid_addresses(void)
++{
++    g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0);
++    g_test_trap_assert_stderr("*group_id too big*");
++
++    g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0);
++    g_test_trap_assert_stderr("*slot_id 1 too big*");
++}
++
+ static void test_no_issues(void)
+ {
+     RedMemSlotInfo mem_info;
+@@ -262,6 +289,11 @@ int main(int argc, char *argv[])
+ {
+     g_test_init(&argc, &argv, NULL);
+ 
++    /* try to use invalid memslot group/slot */
++    g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses);
++    g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id);
++    g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id);
++
+     /* try to create a surface with no issues, should succeed */
+     g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues);
+ 
diff --git a/SPECS/spice.spec b/SPECS/spice.spec
index b8ae490..a76b70c 100644
--- a/SPECS/spice.spec
+++ b/SPECS/spice.spec
@@ -1,6 +1,6 @@
 Name:           spice
 Version:        0.14.0
-Release:        6%{?dist}
+Release:        6%{?dist}.1
 Summary:        Implements the SPICE protocol
 Group:          User Interface/Desktops
 License:        LGPLv2+
@@ -32,6 +32,7 @@ Patch23:        0023-sound-Don-t-mute-recording-when-client-reconnects.patch
 Patch24:        0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch
 Patch25:        0025-ssl-Allow-to-use-ECDH-ciphers-with-OpenSSL-1.0.patch
 Patch26:        0026-Fix-flexible-array-buffer-overflow.patch
+Patch27:        0027-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=613529
 %if 0%{?rhel}
@@ -121,6 +122,10 @@ mkdir -p %{buildroot}%{_libexecdir}
 
 
 %changelog
+* Thu Jan 24 2019 Christophe Fergeau <cfergeau@redhat.com> - 0.14.0-6.1
+- Fix off-by-one error during guest-to-host memory address conversion
+  Resolves: CVE-2019-3813
+
 * Thu Aug 09 2018 Frediano Ziglio <fziglio@redhat.com> - 0.14.0-6
 - Fix flexible array buffer overflow
   Resolves: rhbz#1596008