CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface (bz #1255899)

Cole Robinson 2015-08-31 19:59:32 -04:00
parent 7fbffc1697
commit ab42d9f7d6
2 changed files with 87 additions and 1 deletions


@ -0,0 +1,79 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 17 Aug 2015 19:56:53 +0200
Subject: [PATCH] vnc: fix memory corruption (CVE-2015-5225)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
memory corruption issues" can become negative. Result is (possibly
exploitable) memory corruption. Reason for that is it uses the stride
instead of bytes per scanline to apply limits.
For the server surface is is actually fine. vnc creates that itself,
there is never any padding and thus scanline length always equals stride.
For the guest surface scanline length and stride are typically identical
too, but it doesn't has to be that way. So add and use a new variable
(guest_ll) for the guest scanline length. Also rename min_stride to
line_bytes to make more clear what it actually is. Finally sprinkle
in an assert() to make sure we never use a negative _cmp_bytes again.
Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
Reviewed-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
---
ui/vnc.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index f989dfb..472c30e 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2863,7 +2863,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
pixman_image_get_width(vd->server));
int height = MIN(pixman_image_get_height(vd->guest.fb),
pixman_image_get_height(vd->server));
- int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
+ int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
uint8_t *guest_row0 = NULL, *server_row0;
VncState *vs;
int has_dirty = 0;
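Review bot: the renamed `line_bytes` and the new `guest_ll` in `int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;` carry the distinction the commit message explains (bytes of pixel data per scanline vs. stride, which may include padding), but nothing at the declaration says so. A one-line comment there, e.g. `/* guest_ll: pixel bytes per guest scanline, excluding stride padding */`, would stop the next reader from treating `guest_ll` and `guest_stride` as interchangeable, which is exactly the confusion that produced the negative `_cmp_bytes`.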
@@ -2882,17 +2882,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
* Update server dirty map.
*/
server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
- server_stride = guest_stride = pixman_image_get_stride(vd->server);
+ server_stride = guest_stride = guest_ll =
+ pixman_image_get_stride(vd->server);
cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
server_stride);
if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
int width = pixman_image_get_width(vd->server);
tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
} else {
+ int guest_bpp =
+ PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
guest_stride = pixman_image_get_stride(vd->guest.fb);
+ guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
}
- min_stride = MIN(server_stride, guest_stride);
+ line_bytes = MIN(server_stride, guest_ll);
for (;;) {
int x;
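Review bot: `guest_ll` is only recomputed in the `else` branch (guest and server share a pixel format); in the conversion branch it keeps the server stride assigned at `server_stride = guest_stride = guest_ll = pixman_image_get_stride(vd->server);`. That is correct, because the converted line then lives in a server-format `tmpbuf` and the server stride is the right bound, but as written it reads like an omission. A short comment in the `if` branch stating that the comparison runs against a server-format line would make the intent explicit, and the same comment is the place to record the assumption from the commit message that the server surface carries no padding, which is what lets `line_bytes = MIN(server_stride, guest_ll)` mix a stride with a line length.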
@@ -2923,9 +2927,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
continue;
}
- if ((x + 1) * cmp_bytes > min_stride) {
- _cmp_bytes = min_stride - x * cmp_bytes;
+ if ((x + 1) * cmp_bytes > line_bytes) {
+ _cmp_bytes = line_bytes - x * cmp_bytes;
}
+ assert(_cmp_bytes >= 0);
if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
continue;
}
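Review bot: `assert(_cmp_bytes >= 0);` turns the former silent negative-length `memcmp` into an abort, which is the right trade (a process crash instead of an out-of-bounds read), but the invariant it checks depends on the loop bounds for `x`, which are outside this hunk; a comment saying why `x * cmp_bytes` can never exceed `line_bytes` would make that reviewable here rather than in the surrounding code. Also note that `_cmp_bytes == 0` satisfies the assert, after which `memcmp(server_ptr, guest_ptr, 0)` returns 0 and the block is skipped via `continue`; that is harmless, but worth stating so nobody later tightens the assert to `> 0` without checking whether a zero-length tail can occur.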


@ -43,7 +43,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.3.1
Release: 1%{?dist}
Release: 2%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@ -84,6 +84,9 @@ Patch0003: 0003-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
Patch0004: 0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch
# CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160)
Patch0005: 0005-virtio-serial-fix-ANY_LAYOUT.patch
# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface
# (bz #1255899)
Patch0006: 0006-vnc-fix-memory-corruption-CVE-2015-5225.patch
BuildRequires: SDL2-devel
BuildRequires: zlib-devel
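Review bot: the comment above `Patch0006` records the issue as CVE-2015-5255, while the patch file name `0006-vnc-fix-memory-corruption-CVE-2015-5225.patch` and the upstream Subject line in that file (`vnc: fix memory corruption (CVE-2015-5225)`) say CVE-2015-5225. One of the two identifiers is wrong; please confirm against bz #1255899 before this ships, since the number in the spec comment and changelog is what ends up in the package metadata and advisories.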
@ -1186,6 +1189,10 @@ getent passwd qemu >/dev/null || \
%changelog
* Mon Aug 31 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-2
- CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface (bz
#1255899)
* Tue Aug 11 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-1
- Rebased to version 2.3.1