[Spice-devel] [PATCH spice-common 0/6] Multiple buffer overflow vulnerabilities in QUIC decoding code

Frediano Ziglio fziglio at redhat.com
Tue Oct 6 12:08:55 UTC 2020


From: Frediano Ziglio <freddy77 at gmail.com>

The patches on this series are addressing CVE-2020-14355.

Multiple buffer overflow vulnerabilities were found in the QUIC image decoding
process of the SPICE remote display system. More specifically, these flaws
reside in the spice-common shared code between the client and server of SPICE.
In other words, both the client (spice-gtk) and server are affected by these
flaws. A malicious client or server could send specially crafted messages
which could result in a process crash or potential code execution scenario.

* One issue leading to a controlled write overflow is due to the 'width *
   height' integer overflow. Using this overflow an attacker could cause a small
   allocation and control the data using compressed data. Note that by using the
   check for input data the attacker can avoid the crash, filling the whole
   needed buffer.  ("quic: Check image size in quic_decode_begin" patch).

* Another controlled write could be achieved using the RLE decode, which is
   done line by line; in theory, earlier lines could write more bytes in order
   to build the desired buffer content after the allocated buffer. ("quic:
   Check RLE lengths" patch).

* The "quic: Avoid possible buffer overflow in find_bucket" patch fixes a read
   buffer overflow that would dereference an invalid pointer, mainly causing a crash.


* Embargo date+time: Tue, 06 Oct 2020, 12:00 hrs. UTC.

Frediano Ziglio (6):
  quic: Check we have some data to start decoding quic image
  quic: Check image size in quic_decode_begin
  quic: Check RLE lengths
  quic: Avoid possible buffer overflow in find_bucket
  test-quic: Add fuzzer capabilities to the test
  test-quic: Add test cases for quic fuzzer

 common/quic.c                          |  15 +++++++-
 common/quic_family_tmpl.c              |   7 +++-
 common/quic_tmpl.c                     |   6 ++-
 tests/fuzzer-quic-testcases/test1.quic | Bin 0 -> 4292 bytes
 tests/fuzzer-quic-testcases/test2.quic | Bin 0 -> 2808 bytes
 tests/fuzzer-quic-testcases/test3.quic | Bin 0 -> 2556 bytes
 tests/fuzzer-quic-testcases/test4.quic | Bin 0 -> 30892 bytes
 tests/test-quic.c                      |  51 ++++++++++++++++++++++++-
 8 files changed, 75 insertions(+), 4 deletions(-)
 create mode 100644 tests/fuzzer-quic-testcases/test1.quic
 create mode 100644 tests/fuzzer-quic-testcases/test2.quic
 create mode 100644 tests/fuzzer-quic-testcases/test3.quic
 create mode 100644 tests/fuzzer-quic-testcases/test4.quic

-- 
2.26.2

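The following C program is an added illustration of the first two bug classes described in the cover letter above (the 'width * height' allocation-size overflow and an RLE decoder whose runs are not bounded to the current line). It is not code from spice-common, from the patch series, or from the author; the image header layout, the (count, value) RLE stream format, the sample inputs and every function name are invented for the example. It puts the wrapping size computation next to an overflow-checked one, and shows the line-level run check that stops earlier lines from writing past the buffer sized from the header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical image header for this example; not the QUIC header layout. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;      /* bytes per pixel */
} img_hdr;

/* Bug class from the first bullet: width * height is computed in 32-bit
 * arithmetic and wraps, so an attacker-chosen header yields a buffer far
 * smaller than the pixel data that is later decoded into it. */
size_t naive_image_bytes(const img_hdr *h)
{
    uint32_t pixels = h->width * h->height;   /* wraps modulo 2^32 */
    return (size_t)pixels * h->bpp;
}

/* Overflow-checked replacement: rejects zero dimensions, any product that
 * does not fit in size_t, and anything above a caller-supplied ceiling
 * (a decoder should cap image size anyway; a multi-GiB "image" is a DoS). */
bool checked_image_bytes(const img_hdr *h, size_t max_bytes, size_t *out)
{
    size_t w = h->width, ht = h->height, bpp = h->bpp, pixels, total;
    if (w == 0 || ht == 0 || bpp == 0)
        return false;
    if (ht > SIZE_MAX / w)            /* w * ht would overflow */
        return false;
    pixels = w * ht;
    if (bpp > SIZE_MAX / pixels)      /* pixels * bpp would overflow */
        return false;
    total = pixels * bpp;
    if (total > max_bytes)
        return false;
    *out = total;
    return true;
}

/* Toy line-oriented RLE format invented for this example: a sequence of
 * (count, value) byte pairs; each line of `width` one-byte pixels must be
 * filled exactly. The check in rle_decode_line() is the point of the second
 * bullet: a run is refused when it would extend past the end of the current
 * line, so no line can push bytes beyond the buffer sized from the header. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} rle_stream;

static bool rle_decode_line(rle_stream *in, uint8_t *line, size_t width)
{
    size_t x = 0;
    while (x < width) {
        if (in->len - in->pos < 2)             /* truncated input */
            return false;
        uint8_t count = in->data[in->pos++];
        uint8_t value = in->data[in->pos++];
        if (count == 0 || count > width - x)   /* run would cross the line end */
            return false;
        memset(line + x, value, count);
        x += count;
    }
    return true;
}

bool rle_decode_image(const uint8_t *stream, size_t stream_len,
                      uint8_t *dst, size_t width, size_t height)
{
    rle_stream in = { stream, stream_len, 0 };
    for (size_t y = 0; y < height; y++)
        if (!rle_decode_line(&in, dst + y * width, width))
            return false;
    return true;
}

/* Constructed sample inputs. */
const img_hdr hdr_huge  = { 0x10001u, 0x10000u, 1 };  /* >4 GiB of pixels, wraps to 64 KiB */
const img_hdr hdr_small = { 4, 2, 1 };
/* 4x2 image: line 0 = AA AA BB BB, line 1 = CC CC CC CC */
const uint8_t rle_good[]      = { 2, 0xAA, 2, 0xBB, 4, 0xCC };
/* first run claims 5 pixels on a 4-pixel line */
const uint8_t rle_overlong[]  = { 5, 0xAA, 3, 0xCC };
/* stream ends after line 0 */
const uint8_t rle_truncated[] = { 4, 0xAA };

int main(void)
{
    size_t n = 0;
    uint8_t img[8];
    printf("naive size for huge header:   %zu bytes\n", naive_image_bytes(&hdr_huge));
    printf("checked size for huge header: %s\n",
           checked_image_bytes(&hdr_huge, 1u << 30, &n) ? "accepted" : "rejected");
    printf("good stream:    %s\n", rle_decode_image(rle_good, sizeof rle_good, img, 4, 2) ? "ok" : "rejected");
    printf("overlong run:   %s\n", rle_decode_image(rle_overlong, sizeof rle_overlong, img, 4, 2) ? "ok" : "rejected");
    printf("truncated:      %s\n", rle_decode_image(rle_truncated, sizeof rle_truncated, img, 4, 2) ? "ok" : "rejected");
    return 0;
}
```

The header check and the per-line check are independent on purpose: the size check alone still leaves a decoder that trusts run lengths, and the run check alone still lets a wrapped header allocate a buffer whose `width * height` does not match what the caller believes it is.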