[Spice-commits] server/inputs-channel.c

Frediano Ziglio fziglio at kemper.freedesktop.org
Mon Aug 1 11:57:33 UTC 2016

 server/inputs-channel.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

New commits:
commit e189f7cab83b65c0f240313d8317b5c82a64c91d
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Mon Aug 1 12:00:42 2016 +0100

    Prevent possible buffer overflow in SpiceKbdState

    key and key_ext in SpiceKbdState are indexed using
       state[scan & 0x7f]
    where scan is an 8-bit value received from the client. In theory the client can
    send any value, causing scan & 0x7f to be 0x7f. However, these arrays contain
    only 0x7f values, so 0x7f causes an off-by-one overflow.
    This potentially causes key_ext to overflow into the reds pointer following it.
    Happily this is not exploitable in either a 32 or 64 bit environment.
    On 64 bit key_ext is followed by a 4 byte (sizeof(bool) == 4) padding
    which is written by the possible overflow.
    On 32 bit reds will be overwritten with either 0 or 1, which will cause
    a SIGSEGV leading to a DoS. Considering that you have to have access
    to the machine with a client, you are only shutting down guests you
    can access.

    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
    Acked-by: Uri Lublin <uril at redhat.com>

diff --git a/server/inputs-channel.c b/server/inputs-channel.c
index e91f7e1..8f0a206 100644
--- a/server/inputs-channel.c
+++ b/server/inputs-channel.c
@@ -60,8 +60,8 @@ struct SpiceKbdState {
     bool push_ext;
     /* track key press state */
-    bool key[0x7f];
-    bool key_ext[0x7f];
+    bool key[0x80];
+    bool key_ext[0x80];
     RedsState *reds;
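Review bot: the new 0x80 sizes for `key` and `key_ext` cover the full range of the `scan & 0x7f` index described in the commit message (maximum index 0x7f), so the one-element write past the arrays into the adjacent `RedsState *reds` member is closed, but the mask and the two array lengths remain independent literals that can drift apart again. Consider deriving both from one named constant, e.g. `#define KBD_KEY_COUNT 0x80`, with `bool key[KBD_KEY_COUNT];` and `state[scan & (KBD_KEY_COUNT - 1)]`, so a future change to one cannot silently reintroduce the off-by-one.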
