CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface (bz #1255899)
This commit is contained in:
parent
7fbffc1697
commit
ab42d9f7d6
79
0006-vnc-fix-memory-corruption-CVE-2015-5225.patch
Normal file
@ -0,0 +1,79 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 17 Aug 2015 19:56:53 +0200
|
||||
Subject: [PATCH] vnc: fix memory corruption (CVE-2015-5225)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
|
||||
memory corruption issues" can become negative. Result is (possibly
|
||||
exploitable) memory corruption. Reason for that is it uses the stride
|
||||
instead of bytes per scanline to apply limits.
|
||||
|
||||
For the server surface is is actually fine. vnc creates that itself,
|
||||
there is never any padding and thus scanline length always equals stride.
|
||||
|
||||
For the guest surface scanline length and stride are typically identical
|
||||
too, but it doesn't has to be that way. So add and use a new variable
|
||||
(guest_ll) for the guest scanline length. Also rename min_stride to
|
||||
line_bytes to make more clear what it actually is. Finally sprinkle
|
||||
in an assert() to make sure we never use a negative _cmp_bytes again.
|
||||
|
||||
Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
|
||||
Reviewed-by: P J P <ppandit@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
|
||||
---
|
||||
ui/vnc.c | 15 ++++++++++-----
|
||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ui/vnc.c b/ui/vnc.c
|
||||
index f989dfb..472c30e 100644
|
||||
--- a/ui/vnc.c
|
||||
+++ b/ui/vnc.c
|
||||
@@ -2863,7 +2863,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
|
||||
pixman_image_get_width(vd->server));
|
||||
int height = MIN(pixman_image_get_height(vd->guest.fb),
|
||||
pixman_image_get_height(vd->server));
|
||||
- int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
|
||||
+ int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
|
||||
uint8_t *guest_row0 = NULL, *server_row0;
|
||||
VncState *vs;
|
||||
int has_dirty = 0;
|
||||
@@ -2882,17 +2882,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
|
||||
* Update server dirty map.
|
||||
*/
|
||||
server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
|
||||
- server_stride = guest_stride = pixman_image_get_stride(vd->server);
|
||||
+ server_stride = guest_stride = guest_ll =
|
||||
+ pixman_image_get_stride(vd->server);
|
||||
cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
|
||||
server_stride);
|
||||
if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
|
||||
int width = pixman_image_get_width(vd->server);
|
||||
tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
|
||||
} else {
|
||||
+ int guest_bpp =
|
||||
+ PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
|
||||
guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
|
||||
guest_stride = pixman_image_get_stride(vd->guest.fb);
|
||||
+ guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
|
||||
}
|
||||
- min_stride = MIN(server_stride, guest_stride);
|
||||
+ line_bytes = MIN(server_stride, guest_ll);
|
||||
|
||||
for (;;) {
|
||||
int x;
|
||||
@@ -2923,9 +2927,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
|
||||
if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
|
||||
continue;
|
||||
}
|
||||
- if ((x + 1) * cmp_bytes > min_stride) {
|
||||
- _cmp_bytes = min_stride - x * cmp_bytes;
|
||||
+ if ((x + 1) * cmp_bytes > line_bytes) {
|
||||
+ _cmp_bytes = line_bytes - x * cmp_bytes;
|
||||
}
|
||||
+ assert(_cmp_bytes >= 0);
|
||||
if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
|
||||
continue;
|
||||
}
|
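Review bot: The new `guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);` line in the second hunk of the embedded patch carries no comment, so a reader of ui/vnc.c alone cannot see why the scanline length rather than the stride must bound the later memcmp; I would add above it `/* bytes of real pixel data per guest row: the stride may include padding and must not bound the memcmp below */`. The `(guest_bpp + 7) / 8` rounding also deserves a word, since in this branch the guest format equals VNC_SERVER_FB_FORMAT and the rounding is presumably a no-op there — confirm and say so. The added `assert(_cmp_bytes >= 0);` in the third hunk is a hard abort rather than a clamp, so a guest-driven path that makes `x * cmp_bytes` exceed `line_bytes` terminates the process instead of reading out of bounds; that trade-off looks intended but should be stated in a comment so it is not later replaced by a silent clamp. vnc_refresh_server_surface starts before the first hunk and continues past the last one, including the bound on `x`.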
@ -43,7 +43,7 @@
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.3.1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
@ -84,6 +84,9 @@ Patch0003: 0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
|
||||
Patch0004: 0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch
|
||||
# CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160)
|
||||
Patch0005: 0005-virtio-serial-fix-ANY_LAYOUT.patch
|
||||
# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface
|
||||
# (bz #1255899)
|
||||
Patch0006: 0006-vnc-fix-memory-corruption-CVE-2015-5225.patch
|
||||
|
||||
BuildRequires: SDL2-devel
|
||||
BuildRequires: zlib-devel
|
||||
@ -1186,6 +1189,10 @@ getent passwd qemu >/dev/null || \
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Aug 31 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-2
|
||||
- CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface (bz
|
||||
#1255899)
|
||||
|
||||
* Tue Aug 11 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-1
|
||||
- Rebased to version 2.3.1
|
||||
|
||||
|
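Review bot: The CVE identifier in the added spec comment `# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface` and in the new changelog entry does not match the patch it introduces: the file is named 0006-vnc-fix-memory-corruption-CVE-2015-5225.patch and its Subject line reads `vnc: fix memory corruption (CVE-2015-5225)`. One of the two values is wrong, and because the spec comment and changelog are what downstream errata and vulnerability scanners read, the mismatch should be resolved before this ships; the commit title carries the same 5255 value. I would make the spec comment and changelog line agree with the patch's own Subject, or rename the patch and correct its Subject if the spec value is the authoritative one.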