From dedc591ecb776fcab13638811e98706b3f562329 Mon Sep 17 00:00:00 2001 From: Cole Robinson crobinso@redhat.com Date: Mon, 31 Aug 2015 19:43:11 -0400 Subject: CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface (bz #1255899)
diff --git a/0101-vnc-fix-memory-corruption-CVE-2015-5225.patch b/0101-vnc-fix-memory-corruption-CVE-2015-5225.patch
new file mode 100644
index 0000000..9755b43
--- /dev/null
+++ b/0101-vnc-fix-memory-corruption-CVE-2015-5225.patch
@@ -0,0 +1,79 @@
+From: Gerd Hoffmann kraxel@redhat.com
+Date: Mon, 17 Aug 2015 19:56:53 +0200
+Subject: [PATCH] vnc: fix memory corruption (CVE-2015-5225)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
+memory corruption issues" can become negative. Result is (possibly
+exploitable) memory corruption. Reason for that is it uses the stride
+instead of bytes per scanline to apply limits.
+
+For the server surface is is actually fine. vnc creates that itself,
+there is never any padding and thus scanline length always equals stride.
+
+For the guest surface scanline length and stride are typically identical
+too, but it doesn't has to be that way. So add and use a new variable
+(guest_ll) for the guest scanline length. Also rename min_stride to
+line_bytes to make more clear what it actually is. Finally sprinkle
+in an assert() to make sure we never use a negative _cmp_bytes again.
+
+Reported-by: 范祚至(库特) zuozhi.fzz@alibaba-inc.com
+Reviewed-by: P J P ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann kraxel@redhat.com
+(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
+---
+ ui/vnc.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 87e34ae..dec86da 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2689,7 +2689,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ pixman_image_get_width(vd->server));
+ int height = MIN(pixman_image_get_height(vd->guest.fb),
+ pixman_image_get_height(vd->server));
+- int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
++ int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
+ uint8_t *guest_row0 = NULL, *server_row0;
+ VncState *vs;
+ int has_dirty = 0;
+@@ -2708,17 +2708,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ * Update server dirty map.
+ */
+ server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
+- server_stride = guest_stride = pixman_image_get_stride(vd->server);
++ server_stride = guest_stride = guest_ll =
++ pixman_image_get_stride(vd->server);
+ cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
+ server_stride);
+ if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
+ int width = pixman_image_get_width(vd->server);
+ tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
+ } else {
++ int guest_bpp =
++ PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
+ guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
+ guest_stride = pixman_image_get_stride(vd->guest.fb);
++ guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
+ }
+- min_stride = MIN(server_stride, guest_stride);
++ line_bytes = MIN(server_stride, guest_ll);
+
+ for (;;) {
+ int x;
+@@ -2749,9 +2753,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
+ continue;
+ }
+- if ((x + 1) * cmp_bytes > min_stride) {
+- _cmp_bytes = min_stride - x * cmp_bytes;
++ if ((x + 1) * cmp_bytes > line_bytes) {
++ _cmp_bytes = line_bytes - x * cmp_bytes;
+ }
++ assert(_cmp_bytes >= 0);
+ if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
+ continue;
+ }
diff --git a/qemu.spec b/qemu.spec
index 5b8ab9c..2315373 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -152,7 +152,7 @@ Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.1.3
-Release: 9%{?dist}
+Release: 10%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -257,6 +257,10 @@ Patch0034: 0034-rtl8139-check-IP-Total-Length-field-CVE-2015-5165.patch
 Patch0035: 0035-rtl8139-skip-offload-on-short-TCP-header-CVE-2015-51.patch
 Patch0036: 0036-rtl8139-check-TCP-Data-Offset-field-CVE-2015-5165.patch
+# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface
+# (bz #1255899)
+Patch0101: 0101-vnc-fix-memory-corruption-CVE-2015-5225.patch
+
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
 BuildRequires: which
@@ -847,6 +851,10 @@ CAC emulation development files.
 %patch0035 -p1
 %patch0036 -p1
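Review bot: The CVE identifier written into the two new comment lines and the changelog entry (CVE-2015-5255) does not match the identifier carried by the patch being added, whose filename and embedded subject both say CVE-2015-5225, and the commit subject repeats the 5255 form. One of the two is a transposition; since the identifier is what anyone auditing this package will search for to confirm the fix is present, the spec comments and changelog should agree with the patch itself, presumably `# CVE-2015-5225: heap memory corruption in vnc_refresh_server_surface`. The same mismatch is in the %prep hunk (@@ -847) and the %changelog hunk (@@ -1626); fixing it in one place only would leave the record inconsistent.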
+# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface
+# (bz #1255899)
+%patch0101 -p1
+
%build
 %if %{with kvmonly}
@@ -1626,6 +1634,10 @@ getent passwd qemu >/dev/null || \
 %endif
%changelog
+* Mon Aug 31 2015 Cole Robinson crobinso@redhat.com - 2:2.1.3-10
+- CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface (bz
+ #1255899)
+
 * Tue Aug 11 2015 Cole Robinson crobinso@redhat.com - 2:2.1.3-9
 - Fix crash in qemu_spice_create_display (bz #1163047)
 - CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536)