[Spice-devel] [PATCH 00/19] CVE-2015-5260 and CVE-2015-5261 related fixes
Frediano Ziglio
fziglio at redhat.com
Tue Oct 6 03:38:06 PDT 2015
>
> See https://access.redhat.com/security/cve/CVE-2015-5260,
> https://access.redhat.com/security/cve/CVE-2015-5261 and
> http://openwall.com/lists/oss-security/2015/10/06/4 for some
> details on the security problems discovered.
>
> These patches were already sent to different distributions
> and updates are available for Red Hat products (and perhaps others).
>
> The first two patches contain additional checks for accessing the surfaces
> array in the RedWorker structure (see server/red_worker.c).
>
> The other patches group similar issues related to races between host
> and guest and some structure checking.
> Some of these missing checks make it quite easy to read/write large
> arbitrary memory ranges in the host.
>
These patches were reviewed internally and are already pushed.
Frediano
> Frediano Ziglio (19):
> worker: validate correctly surfaces
> worker: avoid double free or double create of surfaces
> Define a constant to limit data from guest.
> Fix some integer overflow causing large memory allocations
> Check properly surface to be created
> Fix buffer reading overflow
> Prevent 32 bit integer overflow in bitmap_consistent
> Fix race condition on red_get_clip_rects
> Fix race in red_get_image
> Fix race condition in red_get_string
> Fix integer overflow computing glyph_size in red_get_string
> Fix race condition in red_get_data_chunks_ptr
> Prevent memory leak if red_get_data_chunks_ptr fails
> Prevent DoS from guest trying to allocate too much data on host for chunks
> Fix some possible overflows in red_get_string for 32 bit
> Make sure we can read QXLPathSeg structures
> Avoid race condition copying segments in red_get_path
> Prevent data_size to be set independently from data
> Prevent leak if size from red_get_data_chunks don't match in red_get_image
>
> server/red_parse_qxl.c | 218 ++++++++++++++++++++++++++++++++++++++-----------
> server/red_worker.c | 42 ++++++----
> 2 files changed, 196 insertions(+), 64 deletions(-)
>
> --
> 2.4.3
>
>
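The cover letter above names three classes of defect: missing bounds checks on an array indexed by a guest-supplied id, integer overflows in size computations that lead to large allocations, and races where the host validates data in memory shared with the guest and then reads it again. The following added example is not code from the Spice project or from this patch series; it is a self-contained illustration of the check-then-use race and of the hardened pattern (copy once into host-owned memory, validate the copy, cap it with a constant, and use only the copy). Every name and limit in it (`guest_hdr`, `host_parse_racy`, `host_parse_safe`, `MAX_RECTS`, `NUM_SURFACES`) is hypothetical, and the "guest" that mutates shared memory is a deterministic callback standing in for a concurrent CPU.

```c
/* Added example, not Spice code. Illustrates the host/guest double-fetch race
 * and the overflow and bounds checks described in the patch series cover letter.
 * All names, limits and inputs are hypothetical/constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical header a guest places in memory shared with the host. */
typedef struct {
    uint32_t surface_id;   /* index into the host's surfaces array */
    uint32_t num_rects;    /* number of RECT_SIZE-byte rectangles that follow */
} guest_hdr;

#define NUM_SURFACES 8u      /* hypothetical size of the host surfaces array */
#define RECT_SIZE    16u     /* hypothetical size of one rectangle */
#define MAX_RECTS    1024u   /* constructed cap on data accepted from the guest */

/* The host's own (trusted) copy of what it will act on. */
typedef struct {
    uint32_t surface_id;
    size_t bytes_needed;
} host_parse_result;

/* Stand-in for the guest modifying shared memory concurrently; here it is
 * invoked deterministically between the host's check and its use. */
typedef void (*guest_mutator)(volatile guest_hdr *shared);

/* Racy pattern: validates the shared header, then re-reads it when computing
 * sizes. A guest that changes num_rects after the check defeats the check. */
int host_parse_racy(volatile guest_hdr *shared, guest_mutator between,
                    host_parse_result *out)
{
    if (shared->surface_id >= NUM_SURFACES || shared->num_rects > MAX_RECTS)
        return -1;                                   /* first fetch: checked */
    if (between) between(shared);                    /* guest races here */
    out->surface_id = shared->surface_id;            /* second fetch: unchecked */
    out->bytes_needed = (size_t)shared->num_rects * RECT_SIZE;
    return 0;
}

/* Hardened pattern: fetch each field exactly once into host memory, then check
 * and use only the local copy. Later changes to shared memory have no effect. */
int host_parse_safe(volatile guest_hdr *shared, guest_mutator between,
                    host_parse_result *out)
{
    guest_hdr local;
    local.surface_id = shared->surface_id;           /* single fetch */
    local.num_rects  = shared->num_rects;            /* single fetch */
    if (between) between(shared);                    /* guest races: harmless */

    if (local.surface_id >= NUM_SURFACES)
        return -1;                                   /* surfaces array bounds */
    if (local.num_rects > MAX_RECTS)
        return -1;                                   /* cap data from guest */
    if (local.num_rects > SIZE_MAX / RECT_SIZE)
        return -1;                                   /* explicit overflow guard */
    out->surface_id   = local.surface_id;
    out->bytes_needed = (size_t)local.num_rects * RECT_SIZE;
    return 0;
}

/* Constructed misbehaving guest: inflates num_rects after the host's check. */
static void guest_inflate(volatile guest_hdr *shared)
{
    shared->num_rects = 0x00100000u;                 /* 1M rects, 16 MiB */
}

/* Scenario: guest posts surface 2 with 2 rects, then inflates the count
 * between check and use. Returns bytes the host would allocate, 0 if rejected. */
size_t bytes_after_race(int use_safe)
{
    guest_hdr shared = { 2u, 2u };                   /* constructed input */
    host_parse_result r = { 0u, 0u };
    int rc = use_safe ? host_parse_safe(&shared, guest_inflate, &r)
                      : host_parse_racy(&shared, guest_inflate, &r);
    return rc == 0 ? r.bytes_needed : 0u;
}

/* Returns 1 if the hardened parser rejects the given header (no race). */
int rejects(uint32_t surface_id, uint32_t num_rects)
{
    guest_hdr shared = { surface_id, num_rects };
    host_parse_result r = { 0u, 0u };
    return host_parse_safe(&shared, NULL, &r) != 0;
}

int main(void)
{
    printf("racy parser would allocate %zu bytes (cap is %u)\n",
           bytes_after_race(0), MAX_RECTS * RECT_SIZE);
    printf("safe parser allocates %zu bytes\n", bytes_after_race(1));
    printf("safe parser rejects out-of-range surface id: %d\n", rejects(8u, 1u));
    return 0;
}
```

The detection-side lesson is the same one the series applies to `red_get_clip_rects`, `red_get_image` and friends: any value read from guest-visible memory must be copied once and validated on the copy, and any size derived from it must be bounded by a constant before it reaches an allocator.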