[Spice-commits] src/channel-main.c
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Fri Jan 10 09:45:40 UTC 2020
src/channel-main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
New commits:
commit f851db2299e2b96970934b9ee5d1bdc119aa7e9a
Author: Frediano Ziglio <fziglio at redhat.com>
Date: Mon Dec 2 13:07:46 2019 +0000
channel-main: Fix possible crash on Windows
agent_msg_queue_many is a variadic function reading parameters
after the third using va_arg.
Specifically it reads the sizes of buffers using the "gsize" type.
On x64 for the Windows platform only the first 4 arguments of
agent_msg_queue_many are passed in registers while the rest are
passed on the stack. So the size is written to the stack.
On x64 gsize is 64 bit while data_size in
file_xfer_queue_msg_to_agent is an int which is 32 bit.
So in some cases when data_size is stored on the stack in order
to call agent_msg_queue_many from file_xfer_queue_msg_to_agent
the compiler will write only 32 bits, like for instance with:
mov %ebx,0x28(%rsp)
The problem is that agent_msg_queue_many will use "va_arg(args, gsize)"
reading 64 bits instead of 32. In this case the lower 32-bit
part will be the "data_size" but the higher 32-bit part will be the
previous content of the stack, basically garbage.
This will cause the read size to be a huge value and the program will
crash.
This could not be exploited; the operation will only lead to reading
extra bytes and then crashing.
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
diff --git a/src/channel-main.c b/src/channel-main.c
index 4305dcd..bf941d6 100644
--- a/src/channel-main.c
+++ b/src/channel-main.c
@@ -1074,7 +1074,7 @@ static void monitors_align(VDAgentMonConfig *monitors, int nmonitors)
#define agent_msg_queue(Channel, Type, Size, Data) \
- agent_msg_queue_many((Channel), (Type), (Data), (Size), NULL)
+ agent_msg_queue_many((Channel), (Type), (Data), (gsize)(Size), NULL)
/**
* spice_main_send_monitor_config:
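Review bot: The cast in the macro only protects callers that go through agent_msg_queue; any caller that invokes agent_msg_queue_many directly (the second hunk shows one such site) must apply the same `(gsize)` cast by hand, so the fix is easy to regress. Consider adding a comment on the agent_msg_queue_many declaration stating that every size argument must be passed as gsize (variadic arguments get no implicit conversion from the prototype), or, longer term, replacing the variadic pair list with an array of (data, gsize size) entries so the compiler can check the types. Also, for consistency with `(gsize) data_size` in the second hunk, `(gsize)(Size)` could be written `(gsize) (Size)`, a style nit.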
@@ -1825,7 +1825,7 @@ static void file_xfer_queue_msg_to_agent(SpiceMainChannel *channel,
msg.size = data_size;
agent_msg_queue_many(channel, VD_AGENT_FILE_XFER_DATA,
&msg, sizeof(msg),
- buffer, data_size, NULL);
+ buffer, (gsize) data_size, NULL);
spice_channel_wakeup(SPICE_CHANNEL(channel), FALSE);
}
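Review bot: `(gsize) data_size` fixes the 32-bit/64-bit va_arg mismatch, but data_size is an int, so a negative value would be cast to a huge gsize and the callee would again read far past `buffer`; there is no range check visible in this hunk. Suggest asserting or checking `data_size >= 0` before the call (e.g. `g_return_if_fail(data_size >= 0);`), or changing the data_size parameter of file_xfer_queue_msg_to_agent to gsize so the cast becomes unnecessary. Note that `msg.size = data_size;` on the first context line performs a similar implicit conversion and would benefit from the same check.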