[Spice-devel] [PATCH] Prevent possible buffer overflow in SpiceKbdState

Uri Lublin uril at redhat.com
Mon Aug 1 11:50:44 UTC 2016


On 08/01/2016 02:01 PM, Frediano Ziglio wrote:
> key and key_ext in SpiceKbdState are indexed using
>
>    state[scan & 0x7f]
>
> where scan is an 8-bit value received from the client. In theory the client can send
> any value, causing scan & 0x7f to be 0x7f. However these arrays contain
> only 0x7f values, so 0x7f causes an off-by-one overflow.
> This potentially causes key_ext to overflow into the reds pointer that follows.
> Happily this is not exploitable in either a 32- or 64-bit environment.
> On 64 bit key_ext is followed by 4 bytes (sizeof(bool) == 4) of padding
> which is written by the possible overflow.
> On 32 bit reds will be overwritten with either 0 or 1, which will cause
> a SIGSEGV leading to a DoS. Considering that you have to have access
> to the machine with a client, you are just shutting down only guests you
> can access.

Ack,

Uri.

>
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> ---
>  server/inputs-channel.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/server/inputs-channel.c b/server/inputs-channel.c
> index e91f7e1..8f0a206 100644
> --- a/server/inputs-channel.c
> +++ b/server/inputs-channel.c
> @@ -60,8 +60,8 @@ struct SpiceKbdState {
>      bool push_ext;
>
>      /* track key press state */
> -    bool key[0x7f];
> -    bool key_ext[0x7f];
> +    bool key[0x80];
> +    bool key_ext[0x80];
>      RedsState *reds;
>  };
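Review bot: the new sizes are correct (scan & 0x7f yields 0..0x7f, so 0x80 entries are needed), but the declaration now carries the literal 0x80 twice while the mask 0x7f lives in the indexing code elsewhere in the file, so the two can drift apart again; consider expressing the size in terms of the mask, e.g. `bool key[0x7f + 1];` and `bool key_ext[0x7f + 1];`, or one named constant shared by the declaration and the index expression, plus a short comment on the arrays stating that the size must be mask + 1.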
>
>
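As an added illustration of the defensive pattern behind this fix (example code written for this page, not spice-server's own): a keyboard-state struct modelled on the one in the patch, where the array size is derived from the index mask and checked at compile time, so the off-by-one described above cannot be reintroduced by editing one number without the other. The names KEY_MASK, KEY_SLOTS, KbdState, kbd_set_key and kbd_selftest are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* The mask applied to the client's 8-bit scancode, as in the patch. */
#define KEY_MASK  0x7f
/* One slot for every value (scan & KEY_MASK) can take: 0x80 entries. */
#define KEY_SLOTS (KEY_MASK + 1)

/* Example struct (not the real SpiceKbdState); the layout mirrors the
 * patch: two press-state tables followed by a pointer member. */
typedef struct {
    bool  push_ext;
    bool  key[KEY_SLOTS];
    bool  key_ext[KEY_SLOTS];
    void *after;   /* stands in for the reds pointer that follows the arrays */
} KbdState;

/* Compile-time proof that the largest masked value is a valid index. */
_Static_assert(KEY_SLOTS > KEY_MASK, "key tables must hold mask + 1 entries");

/* Record a press/release in the plain or extended table.
 * Returns the index that was written, for checking. */
static int kbd_set_key(KbdState *st, uint8_t scan, bool ext, bool down)
{
    int idx = scan & KEY_MASK;              /* always 0 .. KEY_MASK */
    bool *table = ext ? st->key_ext : st->key;
    table[idx] = down;
    return idx;
}

/* Drive every possible scancode through both tables and confirm that
 * every index stays inside the arrays and the member after them is
 * untouched. Scancodes with bit 7 set go to the extended table here,
 * which is this example's convention, not the protocol's. */
static bool kbd_selftest(void)
{
    KbdState st;
    memset(&st, 0, sizeof st);
    st.after = &st;                         /* sentinel that must survive */

    for (int scan = 0; scan <= 0xff; scan++) {
        int idx = kbd_set_key(&st, (uint8_t)scan, (scan & 0x80) != 0, true);
        if (idx < 0 || idx >= KEY_SLOTS)
            return false;
    }
    /* 0x7f and 0xff both map to the last slot of their table. */
    return st.after == &st && st.key[KEY_MASK] && st.key_ext[KEY_MASK];
}
```

Tying the array length to the mask through one macro (and a `_Static_assert`) is the piece the patch's literal `0x80` leaves implicit; with it, shrinking either the mask or the table without the other fails the build instead of silently reopening the one-byte write past the end.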


