[Spice-devel] [PATCH spice-common v2 2/3] Write a small test to test possible crash

Frediano Ziglio fziglio at redhat.com
Fri May 11 07:39:49 UTC 2018


This small test proves that the currently generated demarshaller code
is not safe against integer overflows, which can lead to buffer overflows.
From a quick look at the protocol it seems that a client cannot
trigger these overflows, but a server can quite easily, as
demonstrated by this test.

Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
---
 tests/Makefile.am     | 14 +++++++
 tests/test-overflow.c | 86 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 100 insertions(+)
 create mode 100644 tests/test-overflow.c

Changes since last version:
- extend a comment;
- use SPICE_CHANNEL_MAIN mnemonic instead of 1.

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 5abf239..d5ec1d7 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -67,4 +67,18 @@ EXTRA_DIST =				\
 	test-marshallers.proto		\
 	$(NULL)
 
+TESTS += test_overflow
+test_overflow_SOURCES = test-overflow.c
+test_overflow_CFLAGS = \
+	-I$(top_srcdir) \
+	$(GLIB2_CFLAGS) \
+	$(SPICE_COMMON_CFLAGS) \
+	$(PROTOCOL_CFLAGS) \
+	$(NULL)
+test_overflow_LDADD = \
+	$(top_builddir)/common/libspice-common.la \
+	$(top_builddir)/common/libspice-common-server.la \
+	$(top_builddir)/common/libspice-common-client.la \
+	$(NULL)
+
 -include $(top_srcdir)/git.mk
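Review bot: `TESTS += test_overflow` only registers the binary with the test harness; unless this Makefile.am derives `check_PROGRAMS` from `TESTS` somewhere outside the hunk (not visible here), the program is never built and `make check` will fail looking for `./test_overflow`. If that is the case, add `check_PROGRAMS += test_overflow` next to the `TESTS` line. The surrounding `EXTRA_DIST` block and the rest of the variable definitions start outside the hunk, so I cannot confirm which convention the file uses.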
diff --git a/tests/test-overflow.c b/tests/test-overflow.c
new file mode 100644
index 0000000..0a5bdd2
--- /dev/null
+++ b/tests/test-overflow.c
@@ -0,0 +1,86 @@
+/*
+   Copyright (C) 2015 Red Hat, Inc.
+
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#include <spice/enums.h>
+#include <common/marshaller.h>
+#include <common/generated_server_marshallers.h>
+#include <common/client_demarshallers.h>
+
+#define NUM_CHANNELS 3u
+
+int main(void)
+{
+    SpiceMarshaller *m;
+    SpiceMsgChannels *msg;
+    uint8_t *data, *out;
+    size_t len;
+    int to_free = 0;
+    spice_parse_channel_func_t func;
+    unsigned int max_message_type, n;
+    message_destructor_t free_output;
+
+    m = spice_marshaller_new();
+    assert(m);
+
+    msg = (SpiceMsgChannels *) malloc(sizeof(SpiceMsgChannels) +
+          NUM_CHANNELS * sizeof(SpiceChannelId));
+    assert(msg);
+
+    // build a message and marshal it
+    msg->num_of_channels = NUM_CHANNELS;
+    for (n = 0; n < NUM_CHANNELS; ++n) {
+        msg->channels[n] = (SpiceChannelId) { n + 1, n * 7 };
+    }
+    spice_marshall_msg_main_channels_list(m, msg);
+
+    // get linear data
+    data = spice_marshaller_linearize(m, 0, &len, &to_free);
+    assert(data);
+
+    printf("output len %lu\n", (unsigned long) len);
+
+    // hack: setting the number of channels in the marshalled message to a
+    // value that will cause overflow while parsing the message to make sure
+    // that the parser can handle this situation
+    *((uint32_t *) data) = 0x80000002u;
+
+    // extract the message
+    func = spice_get_server_channel_parser(SPICE_CHANNEL_MAIN, &max_message_type);
+    assert(func);
+    out = func(data, data+len, SPICE_MSG_MAIN_CHANNELS_LIST, 0, &len, &free_output);
+    assert(out == NULL);
+
+    // cleanup
+    if (to_free) {
+        free(data);
+    }
+    if (out) {
+        free_output(out);
+    }
+    free(msg);
+
+    return 0;
+}
+
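Review bot: The corruption step `*((uint32_t *) data) = 0x80000002u;` writes the count in host byte order through a possibly misaligned `uint8_t *`, so on a big-endian host the demarshaller would read a different value than the one the comment describes, and nothing checks that `len` is at least 4 before the store. Writing the little-endian byte sequence explicitly avoids both problems and keeps the test deterministic across hosts: `assert(len >= 4); static const uint8_t bad_count[4] = { 0x02, 0x00, 0x00, 0x80 }; memcpy(data, bad_count, sizeof bad_count);` (the protocol is little-endian on the wire as far as I recall; please confirm against the marshaller). Separately, the `SpiceMarshaller` created by `spice_marshaller_new()` is never released, which will show up as a leak if this test is run under ASan/valgrind; the matching destroy call from `common/marshaller.h` belongs in the cleanup section. Also note the result check relies on `assert()`, so a build with `NDEBUG` turns this into a test that can never fail; `g_assert()` from GLib (already in `test_overflow_CFLAGS`) would not have that weakness.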
-- 
2.17.0


