[Spice-devel] [PATCH 00/19] CVE-2015-5260 and CVE-2015-5261 related fixes

Frediano Ziglio fziglio at redhat.com
Tue Oct 6 03:25:44 PDT 2015

See https://access.redhat.com/security/cve/CVE-2015-5260,
https://access.redhat.com/security/cve/CVE-2015-5261 and
http://openwall.com/lists/oss-security/2015/10/06/4 for some
details on the security problems discovered.

These patches were already sent to different distributions
and updates are available for RedHat products (and perhaps others).

The first two patches contain additional checks for accessing the surfaces
array in the RedWorker structure (see server/red_worker.c).

The other patches group similar issues related to races between host
and guest and some structure checking.
Some of these missing checks quite easily allow reading/writing large
arbitrary memory ranges in the host.

Frediano Ziglio (19):
  worker: validate correctly surfaces
  worker: avoid double free or double create of surfaces
  Define a constant to limit data from guest.
  Fix some integer overflow causing large memory allocations
  Check properly surface to be created
  Fix buffer reading overflow
  Prevent 32 bit integer overflow in bitmap_consistent
  Fix race condition on red_get_clip_rects
  Fix race in red_get_image
  Fix race condition in red_get_string
  Fix integer overflow computing glyph_size in red_get_string
  Fix race condition in red_get_data_chunks_ptr
  Prevent memory leak if red_get_data_chunks_ptr fails
  Prevent DoS from guest trying to allocate too much data on host for
  Fix some possible overflows in red_get_string for 32 bit
  Make sure we can read QXLPathSeg structures
  Avoid race condition copying segments in red_get_path
  Prevent data_size to be set independently from data
  Prevent leak if size from red_get_data_chunks don't match in

 server/red_parse_qxl.c | 218 ++++++++++++++++++++++++++++++++++++++-----------
 server/red_worker.c    |  42 ++++++----
 2 files changed, 196 insertions(+), 64 deletions(-)
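As an added illustration of the two bug classes this cover letter names (a 32-bit overflow in a size computation, and a check-then-use race on memory the guest can rewrite), not code from the patch series itself: a constructed descriptor with a naive size check beside a hardened one, and a reader that snapshots the shared struct before validating it. The struct, its field names and MAX_GUEST_DATA are assumptions, not SPICE/QXL definitions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example descriptor, not a SPICE/QXL structure. The guest can
 * rewrite these fields at any time, so the host must never read them twice. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t stride;
    uint32_t data_size;
} guest_bitmap_desc;

/* Assumed upper bound on data accepted from the guest. */
#define MAX_GUEST_DATA (64u * 1024u * 1024u)

/* Naive check: stride * height wraps in 32 bits, so an oversized bitmap
 * can pass as a small one (the overflow class this series fixes). */
bool bitmap_size_ok_naive(uint32_t stride, uint32_t height, uint32_t data_size)
{
    uint32_t need = stride * height;
    return need <= MAX_GUEST_DATA && need <= data_size;
}

/* Hardened check: multiply in 64 bits so the product cannot wrap. */
bool bitmap_size_ok(uint32_t stride, uint32_t height, uint32_t data_size)
{
    uint64_t need = (uint64_t)stride * height;
    return need <= MAX_GUEST_DATA && need <= data_size;
}

/* Snapshot the descriptor once, then validate only the private copy.
 * Checking the shared struct directly would let the guest change a field
 * between the check and the use (the host/guest race class in this series). */
bool read_bitmap_desc(const volatile guest_bitmap_desc *shared,
                      guest_bitmap_desc *out)
{
    guest_bitmap_desc local;
    local.width = shared->width;      /* each field fetched exactly once */
    local.height = shared->height;
    local.stride = shared->stride;
    local.data_size = shared->data_size;

    if (local.width == 0 || local.height == 0)
        return false;
    if (local.stride < local.width)   /* at least one byte per pixel, assumed */
        return false;
    if (!bitmap_size_ok(local.stride, local.height, local.data_size))
        return false;
    *out = local;                     /* callers use only the validated copy */
    return true;
}
```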


