[Spice-commits] 3 commits - server/reds.c

Christophe Fergau teuf at kemper.freedesktop.org
Tue Jul 11 09:10:38 UTC 2017 

 server/reds.c |   35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

New commits:
commit fbbcdad773e2791cfb988f4748faa41943551ca6
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Mon May 15 15:57:28 2017 +0100

    reds: Avoid buffer overflows handling monitor configuration
    
    It was also possible for a malicious client to set
    VDAgentMonitorsConfig::num_of_monitors to a number larger
    than the actual size of VDAgentMOnitorsConfig::monitors.
    This would lead to buffer overflows, which could allow the guest to
    read part of the host memory. This might cause write overflows in the
    host as well, but controlling the content of such buffers seems
    complicated.
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>

diff --git a/server/reds.c b/server/reds.c
index 656f518f..034cd10d 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -1112,6 +1112,7 @@ static void reds_on_main_agent_monitors_config(RedsState *reds,
     VDAgentMessage *msg_header;
     VDAgentMonitorsConfig *monitors_config;
     SpiceBuffer *cmc = &reds->client_monitors_config;
+    uint32_t max_monitors;
 
     // limit size of message sent by the client as this can cause a DoS through
     // memory exhaustion, or potentially some integer overflows
@@ -1135,6 +1136,12 @@ static void reds_on_main_agent_monitors_config(RedsState *reds,
         goto overflow;
     }
     monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
+    // limit the monitor number to avoid buffer overflows
+    max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) /
+                   sizeof(VDAgentMonConfig);
+    if (monitors_config->num_of_monitors > max_monitors) {
+        goto overflow;
+    }
     spice_debug("monitors_config->num_of_monitors: %d", monitors_config->num_of_monitors);
     reds_client_monitors_config(reds, monitors_config);
     spice_buffer_free(cmc);
commit 571cec91e71c2aae0d5f439ea2d8439d0c3d75eb
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Mon May 15 15:57:28 2017 +0100

    reds: Avoid integer overflows handling monitor configuration
    
    Avoid VDAgentMessage::size integer overflows.
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>

diff --git a/server/reds.c b/server/reds.c
index ec2b6f47..656f518f 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -1131,6 +1131,9 @@ static void reds_on_main_agent_monitors_config(RedsState *reds,
         spice_debug("not enough data yet. %zd", cmc->offset);
         return;
     }
+    if (msg_header->size < sizeof(VDAgentMonitorsConfig)) {
+        goto overflow;
+    }
     monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
     spice_debug("monitors_config->num_of_monitors: %d", monitors_config->num_of_monitors);
     reds_client_monitors_config(reds, monitors_config);
commit 111ab38611cef5012f1565a65fa2d8a8a05cce37
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Mon May 15 15:57:28 2017 +0100

    reds: Disconnect when receiving overly big ClientMonitorsConfig
    
    Total message size received from the client was unlimited. There is
    a 2kiB size check on individual agent messages, but the MonitorsConfig
    message can be split in multiple chunks, and the size of the
    non-chunked MonitorsConfig message was never checked. This could easily
    lead to memory exhaustion on the host.
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>

diff --git a/server/reds.c b/server/reds.c
index 4aeac9a5..ec2b6f47 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -1105,14 +1105,29 @@ void reds_release_agent_data_buffer(RedsState *reds, uint8_t *buf)
 static void reds_on_main_agent_monitors_config(RedsState *reds,
         MainChannelClient *mcc, const void *message, size_t size)
 {
+    const unsigned int MAX_MONITORS = 256;
+    const unsigned int MAX_MONITOR_CONFIG_SIZE =
+       sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig);
+
     VDAgentMessage *msg_header;
     VDAgentMonitorsConfig *monitors_config;
     SpiceBuffer *cmc = &reds->client_monitors_config;
 
+    // limit size of message sent by the client as this can cause a DoS through
+    // memory exhaustion, or potentially some integer overflows
+    if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->offset < size) {
+        goto overflow;
+    }
     spice_buffer_append(cmc, message, size);
+    if (sizeof(VDAgentMessage) > cmc->offset) {
+        spice_debug("not enough data yet. %zd", cmc->offset);
+        return;
+    }
     msg_header = (VDAgentMessage *)cmc->buffer;
-    if (sizeof(VDAgentMessage) > cmc->offset ||
-            msg_header->size > cmc->offset - sizeof(VDAgentMessage)) {
+    if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) {
+        goto overflow;
+    }
+    if (msg_header->size > cmc->offset - sizeof(VDAgentMessage)) {
         spice_debug("not enough data yet. %zd", cmc->offset);
         return;
     }
@@ -1120,6 +1135,12 @@ static void reds_on_main_agent_monitors_config(RedsState *reds,
     spice_debug("monitors_config->num_of_monitors: %d", monitors_config->num_of_monitors);
     reds_client_monitors_config(reds, monitors_config);
     spice_buffer_free(cmc);
+    return;
+
+overflow:
+    spice_warning("received invalid MonitorsConfig request from client, disconnecting");
+    red_channel_client_disconnect(RED_CHANNEL_CLIENT(mcc));
+    spice_buffer_free(cmc);
 }
 
 void reds_on_main_agent_data(RedsState *reds, MainChannelClient *mcc, const void *message,

More information about the Spice-commits mailing list