[Spice-devel] [PATCH 00/19] CVE-2015-5260 and CVE-2015-5261 related fixes

Frediano Ziglio fziglio at redhat.com
Tue Oct 6 03:38:06 PDT 2015 

> 
> See https://access.redhat.com/security/cve/CVE-2015-5260,
> https://access.redhat.com/security/cve/CVE-2015-5261 and
> http://openwall.com/lists/oss-security/2015/10/06/4 for some
> details on the security problems discovered.
> 
> These patches were already be sended to different distribution
> and updates are available for RedHat products (and perhaps others).
> 
> First two patches contains additional checks for accessing surfaces
> array in RedWorker structure (see server/red_worker.c).
> 
> The other patches group up similar issues related to races between host
> and guest and some structure checking.
> Some of these missing checks allow quite easily to read/write large
> arbitrary memory ranges in the host.
> 

These patches were reviewed internally and are already pushed.

Frediano

> Frediano Ziglio (19):
>   worker: validate correctly surfaces
>   worker: avoid double free or double create of surfaces
>   Define a constant to limit data from guest.
>   Fix some integer overflow causing large memory allocations
>   Check properly surface to be created
>   Fix buffer reading overflow
>   Prevent 32 bit integer overflow in bitmap_consistent
>   Fix race condition on red_get_clip_rects
>   Fix race in red_get_image
>   Fix race condition in red_get_string
>   Fix integer overflow computing glyph_size in red_get_string
>   Fix race condition in red_get_data_chunks_ptr
>   Prevent memory leak if red_get_data_chunks_ptr fails
>   Prevent DoS from guest trying to allocate too much data on host for
>     chunks
>   Fix some possible overflows in red_get_string for 32 bit
>   Make sure we can read QXLPathSeg structures
>   Avoid race condition copying segments in red_get_path
>   Prevent data_size to be set independently from data
>   Prevent leak if size from red_get_data_chunks don't match in
>     red_get_image
> 
>  server/red_parse_qxl.c | 218
>  ++++++++++++++++++++++++++++++++++++++-----------
>  server/red_worker.c    |  42 ++++++----
>  2 files changed, 196 insertions(+), 64 deletions(-)
> 
> --
> 2.4.3
> 
>

More information about the Spice-devel mailing list