From patchwork Fri Jul 14 14:02:03 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Korsgaard <peter@korsgaard.com>
X-Patchwork-Id: 788530
Return-Path: <buildroot-bounces@busybox.net>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3x8DsC6CKnz9s65
	for <incoming@patchwork.ozlabs.org>;
	Sat, 15 Jul 2017 00:02:23 +1000 (AEST)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="kWV1k3uD"; dkim-atps=neutral
Received: from localhost (localhost [127.0.0.1])
	by silver.osuosl.org (Postfix) with ESMTP id E529130B01;
	Fri, 14 Jul 2017 14:02:18 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from silver.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id z2roLViA9QOJ; Fri, 14 Jul 2017 14:02:16 +0000 (UTC)
Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34])
	by silver.osuosl.org (Postfix) with ESMTP id 9E1B02F52E;
	Fri, 14 Jul 2017 14:02:16 +0000 (UTC)
X-Original-To: buildroot@lists.busybox.net
Delivered-To: buildroot@osuosl.org
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
	by ash.osuosl.org (Postfix) with ESMTP id E34D01C40B0
	for <buildroot@lists.busybox.net>;
	Fri, 14 Jul 2017 14:02:14 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by whitealder.osuosl.org (Postfix) with ESMTP id DD5BB890E5
	for <buildroot@lists.busybox.net>;
	Fri, 14 Jul 2017 14:02:14 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id ESNXyr76mGNv for <buildroot@lists.busybox.net>;
	Fri, 14 Jul 2017 14:02:14 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-wr0-f194.google.com (mail-wr0-f194.google.com
	[209.85.128.194])
	by whitealder.osuosl.org (Postfix) with ESMTPS id DADD8890DD
	for <buildroot@buildroot.org>; Fri, 14 Jul 2017 14:02:13 +0000 (UTC)
Received: by mail-wr0-f194.google.com with SMTP id v60so265154wrc.2
	for <buildroot@buildroot.org>; Fri, 14 Jul 2017 07:02:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=sender:from:to:cc:subject:date:message-id;
	bh=b53TELMaJEzhX+bB/PERizKqM5ueH9Aq2FzbDjVN1dw=;
	b=kWV1k3uD8H5IzNCnpoWVlqLK7BVH3UZz9uvlreilX8SKPfe0Yvln27cZNcY2UzclZt
	kHhvgYIgbRXrPO+NQHej8wydzP4ClRxjVO2HaQ4FTdlcBDIem7gUqvnDiQ/bp6nuMmpN
	7voqSUsNjC8s8F0S1IE1zOTDmEfXHD0f/sqlG53Z7C/+7T0m3oMWhtiaiaeVQGwTymLI
	DH+OWzeXKyWL6XBJ7CFgzLtou0VWi4PrCP1OpfvMV9kPYnFJX6mq8U0/6s76DascULYW
	A86R7XiKMuKhYFdMi2oE1a1BiU905RFs6s5O4XUh14YK1o132AKP8tKhvAkoBO/ouw/+
	vxoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:from:to:cc:subject:date:message-id;
	bh=b53TELMaJEzhX+bB/PERizKqM5ueH9Aq2FzbDjVN1dw=;
	b=K7oJrAtnQoFSKtHhqZaedTex9wcJKEcjtzRxCGf/mTV63ssHwhXvWaUrRSJQ96ep1i
	XxAQCRhDZt11PcOwqF3YrvCmwUPzZORGJMUrfdH25f7hZ5LZJ6QbR1lWcX1DAn6ior3E
	MSpmiooiiYiXqHQeZJ4w5m4udsOsYojcnDF9BTXxcXHyWm/BiWev7o9E15A4hWQJYXpr
	g8wCjXO6BvyNyuV3ywXu1r6jHbJ5zvm5intlilV/qiUpDF5jz/nR1RqB7TkA2dD+eRIY
	TuLqnux0KzzwRqypiMaDbN16AlsUAMWIMcMFGDR2s+T0nWNuRf2pQiOOimqYyKQgT+zG
	MwiQ==
X-Gm-Message-State: AIVw113mNAkycKKZ7MJD9jMetTfkyXhjOLutAhvSr0JsFatwffydzBg1
	cmPO9emlvmNKQ+I8TbQ=
X-Received: by 10.223.160.111 with SMTP id l44mr5381399wrl.31.1500040931642;
	Fri, 14 Jul 2017 07:02:11 -0700 (PDT)
Received: from dell.be.48ers.dk ([91.183.172.93])
	by smtp.gmail.com with ESMTPSA id
	p27sm2879641wmf.23.2017.07.14.07.02.10
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Fri, 14 Jul 2017 07:02:10 -0700 (PDT)
Received: from peko by dell.be.48ers.dk with local (Exim 4.88)
	(envelope-from <peko@dell.be.48ers.dk>)
	id 1dW1AX-00051b-Vx; Fri, 14 Jul 2017 16:02:10 +0200
From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org,
	yann.morin.1998@free.fr
Date: Fri, 14 Jul 2017 16:02:03 +0200
Message-Id: <20170714140203.19234-1-peter@korsgaard.com>
X-Mailer: git-send-email 2.11.0
Subject: [Buildroot] [PATCH] spice: add upstream security fixes for
	CVE-2017-7506
X-BeenThere: buildroot@busybox.net
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.busybox.net>
List-Unsubscribe: <http://lists.busybox.net/mailman/options/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=unsubscribe>
List-Archive: <http://lists.busybox.net/pipermail/buildroot/>
List-Post: <mailto:buildroot@busybox.net>
List-Help: <mailto:buildroot-request@busybox.net?subject=help>
List-Subscribe: <http://lists.busybox.net/mailman/listinfo/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=subscribe>
MIME-Version: 1.0
Errors-To: buildroot-bounces@busybox.net
Sender: "buildroot" <buildroot-bounces@busybox.net>

Fixes CVE-2017-7506 - Possible buffer overflow via invalid monitor
configurations.

For more details, see:
https://marc.info/?l=oss-security&m=150001782924095

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...nect-when-receiving-overly-big-ClientMoni.patch | 75 ++++++++++++++++++++++
 ...integer-overflows-handling-monitor-config.patch | 31 +++++++++
 ...buffer-overflows-handling-monitor-configu.patch | 48 ++++++++++++++
 3 files changed, 154 insertions(+)
 create mode 100644 package/spice/0004-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch
 create mode 100644 package/spice/0005-reds-Avoid-integer-overflows-handling-monitor-config.patch
 create mode 100644 package/spice/0006-reds-Avoid-buffer-overflows-handling-monitor-configu.patch

diff --git a/package/spice/0004-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch b/package/spice/0004-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch
new file mode 100644
index 0000000000..e454a30100
--- /dev/null
+++ b/package/spice/0004-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch
@@ -0,0 +1,75 @@
+From f1e7ec03e26ab6b8ca9b7ec060846a5b706a963d Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 15 May 2017 15:57:28 +0100
+Subject: [PATCH 4/6] reds: Disconnect when receiving overly big
+ ClientMonitorsConfig
+
+Total message size received from the client was unlimited. There is
+a 2kiB size check on individual agent messages, but the MonitorsConfig
+message can be split in multiple chunks, and the size of the
+non-chunked MonitorsConfig message was never checked. This could easily
+lead to memory exhaustion on the host.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ server/reds.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/server/reds.c b/server/reds.c
+index f439a366..7be85fdf 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -993,19 +993,34 @@ static void reds_client_monitors_config_cleanup(void)
+ static void reds_on_main_agent_monitors_config(
+         MainChannelClient *mcc, void *message, size_t size)
+ {
++    const unsigned int MAX_MONITORS = 256;
++    const unsigned int MAX_MONITOR_CONFIG_SIZE =
++       sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig);
++
+     VDAgentMessage *msg_header;
+     VDAgentMonitorsConfig *monitors_config;
+     RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
+ 
++    // limit size of message sent by the client as this can cause a DoS through
++    // memory exhaustion, or potentially some integer overflows
++    if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) {
++        goto overflow;
++    }
+     cmc->buffer_size += size;
+     cmc->buffer = realloc(cmc->buffer, cmc->buffer_size);
+     spice_assert(cmc->buffer);
+     cmc->mcc = mcc;
+     memcpy(cmc->buffer + cmc->buffer_pos, message, size);
+     cmc->buffer_pos += size;
++    if (sizeof(VDAgentMessage) > cmc->buffer_size) {
++        spice_debug("not enough data yet. %d", cmc->buffer_size);
++        return;
++    }
+     msg_header = (VDAgentMessage *)cmc->buffer;
+-    if (sizeof(VDAgentMessage) > cmc->buffer_size ||
+-            msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) {
++    if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) {
++        goto overflow;
++    }
++    if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) {
+         spice_debug("not enough data yet. %d", cmc->buffer_size);
+         return;
+     }
+@@ -1013,6 +1028,12 @@ static void reds_on_main_agent_monitors_config(
+     spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
+     red_dispatcher_client_monitors_config(monitors_config);
+     reds_client_monitors_config_cleanup();
++    return;
++
++overflow:
++    spice_warning("received invalid MonitorsConfig request from client, disconnecting");
++    red_channel_client_disconnect(main_channel_client_get_base(mcc));
++    reds_client_monitors_config_cleanup();
+ }
+ 
+ void reds_on_main_agent_data(MainChannelClient *mcc, void *message, size_t size)
+-- 
+2.11.0
+
diff --git a/package/spice/0005-reds-Avoid-integer-overflows-handling-monitor-config.patch b/package/spice/0005-reds-Avoid-integer-overflows-handling-monitor-config.patch
new file mode 100644
index 0000000000..a4e5a3fa6d
--- /dev/null
+++ b/package/spice/0005-reds-Avoid-integer-overflows-handling-monitor-config.patch
@@ -0,0 +1,31 @@
+From ec6229c79abe05d731953df5f7e9a05ec9f6df79 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 15 May 2017 15:57:28 +0100
+Subject: [PATCH 5/6] reds: Avoid integer overflows handling monitor
+ configuration
+
+Avoid VDAgentMessage::size integer overflows.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ server/reds.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/server/reds.c b/server/reds.c
+index 7be85fdf..e1c8c108 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -1024,6 +1024,9 @@ static void reds_on_main_agent_monitors_config(
+         spice_debug("not enough data yet. %d", cmc->buffer_size);
+         return;
+     }
++    if (msg_header->size < sizeof(VDAgentMonitorsConfig)) {
++        goto overflow;
++    }
+     monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
+     spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
+     red_dispatcher_client_monitors_config(monitors_config);
+-- 
+2.11.0
+
diff --git a/package/spice/0006-reds-Avoid-buffer-overflows-handling-monitor-configu.patch b/package/spice/0006-reds-Avoid-buffer-overflows-handling-monitor-configu.patch
new file mode 100644
index 0000000000..0789fdfb08
--- /dev/null
+++ b/package/spice/0006-reds-Avoid-buffer-overflows-handling-monitor-configu.patch
@@ -0,0 +1,48 @@
+From a957a90baf2c62d31f3547e56bba7d0e812d2331 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 15 May 2017 15:57:28 +0100
+Subject: [PATCH 6/6] reds: Avoid buffer overflows handling monitor
+ configuration
+
+It was also possible for a malicious client to set
+VDAgentMonitorsConfig::num_of_monitors to a number larger
+than the actual size of VDAgentMOnitorsConfig::monitors.
+This would lead to buffer overflows, which could allow the guest to
+read part of the host memory. This might cause write overflows in the
+host as well, but controlling the content of such buffers seems
+complicated.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ server/reds.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/server/reds.c b/server/reds.c
+index e1c8c108..3a42c375 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -1000,6 +1000,7 @@ static void reds_on_main_agent_monitors_config(
+     VDAgentMessage *msg_header;
+     VDAgentMonitorsConfig *monitors_config;
+     RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
++    uint32_t max_monitors;
+ 
+     // limit size of message sent by the client as this can cause a DoS through
+     // memory exhaustion, or potentially some integer overflows
+@@ -1028,6 +1029,12 @@ static void reds_on_main_agent_monitors_config(
+         goto overflow;
+     }
+     monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
++    // limit the monitor number to avoid buffer overflows
++    max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) /
++                   sizeof(VDAgentMonConfig);
++    if (monitors_config->num_of_monitors > max_monitors) {
++        goto overflow;
++    }
+     spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
+     red_dispatcher_client_monitors_config(monitors_config);
+     reds_client_monitors_config_cleanup();
+-- 
+2.11.0
+