[Spice-devel] [PATCH 00/19] CVE-2015-5260 and CVE-2015-5261 related fixes
fziglio at redhat.com
Tue Oct 6 03:25:44 PDT 2015
http://openwall.com/lists/oss-security/2015/10/06/4 for some
details on the security problems discovered.
These patches were already be sended to different distribution
and updates are available for RedHat products (and perhaps others).
First two patches contains additional checks for accessing surfaces
array in RedWorker structure (see server/red_worker.c).
The other patches group up similar issues related to races between host
and guest and some structure checking.
Some of these missing checks allow quite easily to read/write large
arbitrary memory ranges in the host.
Frediano Ziglio (19):
worker: validate correctly surfaces
worker: avoid double free or double create of surfaces
Define a constant to limit data from guest.
Fix some integer overflow causing large memory allocations
Check properly surface to be created
Fix buffer reading overflow
Prevent 32 bit integer overflow in bitmap_consistent
Fix race condition on red_get_clip_rects
Fix race in red_get_image
Fix race condition in red_get_string
Fix integer overflow computing glyph_size in red_get_string
Fix race condition in red_get_data_chunks_ptr
Prevent memory leak if red_get_data_chunks_ptr fails
Prevent DoS from guest trying to allocate too much data on host for
Fix some possible overflows in red_get_string for 32 bit
Make sure we can read QXLPathSeg structures
Avoid race condition copying segments in red_get_path
Prevent data_size to be set independently from data
Prevent leak if size from red_get_data_chunks don't match in
server/red_parse_qxl.c | 218 ++++++++++++++++++++++++++++++++++++++-----------
server/red_worker.c | 42 ++++++----
2 files changed, 196 insertions(+), 64 deletions(-)
More information about the Spice-devel