spice/server
Marc-André Lureau 6b32af3e17 smartcard: allocate msg with the expected size
This is related to CVE-2016-0749

==529== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040009c098 at pc 0x7fffee0eda6d bp 0x7fffffffcd00 sp 0x7fffffffccf0
WRITE of size 4 at 0x60040009c098 thread T0
    #0 0x7fffee0eda6c in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334
    #1 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642
    #2 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757
    #3 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304
    #4 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322
    #5 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561
    #6 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143
    #7 0x555555c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504
    #8 0x5555556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818
    #9 0x5555556f160c in main /home/elmarco/src/qemu/vl.c:4394
    #10 0x7fffed80eb14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274
    #11 0x5555556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20)
0x60040009c098 is located 0 bytes to the right of 8-byte region [0x60040009c090,0x60040009c098)
allocated by thread T0 here:
    #0 0x7ffff4e612be in __interceptor_realloc /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:92
    #1 0x7fffee121308 in spice_realloc /home/elmarco/pkg/spice/spice-0.12.4/spice-common/common/mem.c:123
    #2 0x7fffee004a48 in __spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:516
    #3 0x7fffee004e87 in spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:557
    #4 0x7fffee0ed8b9 in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:325
    #5 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642
    #6 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757
    #7 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304
    #8 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322
    #9 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561
    #10 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334 smartcard_char_device_notify_reader_add

Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com>
2016-07-08 10:47:38 +02:00
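The AddressSanitizer report above gives the shape of the bug without the source: the write buffer handed back by spice_char_device_write_buffer_get was an 8-byte region, and the reader-add code then stored 4 bytes at offset 8, so the message it was filling in is at least 12 bytes long and the allocation size was derived from the wrong thing. The following C program is an added illustration of that allocation-size mismatch and of the check that catches it; it is not code from the spice repository or from this commit. The 12-byte three-field header, the write-buffer wrapper, the function names and the use of sizeof on a pointer (which yields 8 on x86_64, one way to produce an 8-byte region) are all constructed assumptions for the example, not the root cause stated by the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed 12-byte message header (assumption, not the project's type).
 * A 4-byte write at offset 8 lands in the third field. */
typedef struct {
    uint32_t type;
    uint32_t reader_id;
    uint32_t length;
} MsgHeader;

/* Minimal stand-in for a char-device write buffer. It records the capacity
 * it was allocated with so a later write can be checked against it. */
typedef struct {
    uint8_t *buf;
    size_t   buf_size;  /* bytes actually allocated */
    size_t   buf_used;
} WriteBuf;

static WriteBuf *write_buffer_get(size_t size)
{
    WriteBuf *wb = calloc(1, sizeof *wb);
    if (wb == NULL) {
        return NULL;
    }
    wb->buf = malloc(size);
    if (wb->buf == NULL) {
        free(wb);
        return NULL;
    }
    wb->buf_size = size;
    return wb;
}

static void write_buffer_free(WriteBuf *wb)
{
    if (wb != NULL) {
        free(wb->buf);
        free(wb);
    }
}

/* Fill in the header only if it fits. Returns 0 on success, -1 when the
 * buffer is smaller than the message; the unchecked form of this store is
 * what the sanitizer flagged as a heap-buffer-overflow. */
static int put_header(WriteBuf *wb, uint32_t type, uint32_t reader_id, uint32_t length)
{
    if (wb->buf_size < sizeof(MsgHeader)) {
        return -1;
    }
    MsgHeader h = { type, reader_id, length };
    memcpy(wb->buf, &h, sizeof h);  /* memcpy: no alignment assumption on wb->buf */
    wb->buf_used = sizeof h;
    return 0;
}

/* Buggy sizing (constructed): sizeof applied to the pointer, not the type.
 * On LP64 that is 8, matching the 8-byte region in the report. */
static size_t buggy_alloc_size(void)
{
    MsgHeader *hdr = NULL;
    return sizeof(hdr);
}

/* Fixed sizing: allocate the size of the message that will be written. */
static size_t fixed_alloc_size(void)
{
    return sizeof(MsgHeader);  /* 12 */
}

/* Drive one allocation size through the checked writer; returns put_header's result. */
static int notify_reader_add(size_t alloc_size, uint32_t reader_id)
{
    WriteBuf *wb = write_buffer_get(alloc_size);
    if (wb == NULL) {
        return -1;
    }
    int rc = put_header(wb, 1 /* constructed "reader add" type */, reader_id, 0);
    write_buffer_free(wb);
    return rc;
}

int main(void)
{
    printf("alloc %zu bytes -> %s\n", buggy_alloc_size(),
           notify_reader_add(buggy_alloc_size(), 0) == 0 ? "ok" : "rejected: header does not fit");
    printf("alloc %zu bytes -> %s\n", fixed_alloc_size(),
           notify_reader_add(fixed_alloc_size(), 0) == 0 ? "ok" : "rejected: header does not fit");
    return 0;
}
```

The point of the capacity field is that a write-buffer API which only hands back a raw pointer cannot refuse an oversized store; the fix in the commit is to request the right size at the call site, and the check in put_header is the cheap invariant that turns a silent 4-byte heap overflow into an error return while the sanitizer is not running.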
tests Constify event_loop_core 2016-06-29 08:08:54 +01:00
.gitignore Update the .gitignore files for the new manual, 2015-10-16 15:48:23 -05:00
agent-msg-filter.c AgentMsgFilter: use typedef 2016-05-24 17:46:05 +01:00
agent-msg-filter.h AgentMsgFilter: use typedef 2016-05-24 17:46:05 +01:00
cache-item.h Move RedCacheItem size field inside cache_data union 2016-05-25 09:53:57 +01:00
cache-item.tmpl.c Remove unused macro definitions 2016-05-25 09:54:03 +01:00
char-device.c char-device: fix mismatch of client tokens 2016-06-07 18:06:31 +01:00
char-device.h Remove obsolete comment 2016-06-01 16:21:07 +01:00
cursor-channel.c Move upcast conversion to a safer place 2016-05-27 09:41:01 +01:00
cursor-channel.h Add some comments to cursor-channel.h header 2016-05-27 09:32:58 +01:00
dcc-send.c Encapsulate code to save glz state 2016-06-15 08:43:45 +01:00
dcc.c Remove dependency from dcc-encoders to Drawable 2016-06-17 10:57:05 +01:00
dcc.h Rename dcc-encoders.[ch] to image-encoders.[ch] 2016-06-17 15:28:30 +01:00
demarshallers.h Make sure all headers are independent 2016-05-18 00:24:37 +01:00
dispatcher.c Fix compiling with defined DEBUG_DISPATCHER 2016-07-01 13:59:36 +02:00
dispatcher.h unify header include order 2016-05-12 11:02:54 +01:00
display-channel.c Use new GlzImageRetention instead of accessing Drawable internals 2016-06-17 10:57:00 +01:00
display-channel.h Use new GlzImageRetention instead of accessing Drawable internals 2016-06-17 10:57:00 +01:00
display-limits.h worker: start a DisplayChannelClient unit 2015-11-19 12:43:02 +00:00
event-loop.c Constify event_loop_core 2016-06-29 08:08:54 +01:00
glz-encode-match.tmpl.c server: rename _tmpl files 2015-11-26 13:33:36 +00:00
glz-encode.tmpl.c Fix -Werror=format with DEBUG_ENCODE 2016-07-01 14:00:37 +02:00
glz-encoder-dict.c remove glz_encoder_config.h 2015-12-04 11:57:18 +00:00
glz-encoder-dict.h remove glz_encoder_config.h 2015-12-04 11:57:18 +00:00
glz-encoder-priv.h Make sure all headers are independent 2016-05-18 00:24:37 +01:00
glz-encoder.c server: rename files 2015-12-03 23:54:32 +00:00
glz-encoder.h unify header include order 2016-05-12 11:02:54 +01:00
gstreamer-encoder.c streaming: Add support for GStreamer 0.10 2016-06-14 17:04:40 +02:00
image-cache.c Make some function static 2016-05-25 15:41:58 +01:00
image-cache.h Make some function static 2016-05-25 15:41:58 +01:00
image-encoders.c Make RedGlzDrawable typedef private 2016-06-17 20:59:19 +01:00
image-encoders.h Use proper types in compress_send_data_t 2016-06-20 21:51:06 +01:00
inputs-channel-client.c Avoid getting channel from client 2016-05-27 18:02:29 +01:00
inputs-channel-client.h Move InputsChannelClient to a separate file 2016-05-24 14:56:41 -05:00
inputs-channel.c Avoid getting channel from client 2016-05-27 18:02:29 +01:00
inputs-channel.h Avoid getting channel from client 2016-05-27 18:02:29 +01:00
jpeg-encoder.c server: rename files 2015-12-03 23:54:32 +00:00
jpeg-encoder.h server: rename files 2015-12-03 23:54:32 +00:00
lz4-encoder.c Move lz4-encoder.[ch] to conditional block in Makefile.am 2016-06-16 11:16:01 -03:00
lz4-encoder.h server: rename files 2015-12-03 23:54:32 +00:00
main-channel-client.c channel: Remove clients_num and use g_list_length 2016-06-01 16:56:16 +01:00
main-channel-client.h move all item creation in main-channel-client.c 2016-05-24 13:41:08 -05:00
main-channel.c channel: Remove clients_num and use g_list_length 2016-06-01 16:56:16 +01:00
main-channel.h Move MainChannelClient to separate file 2016-05-20 09:16:47 -05:00
main-dispatcher.c Convert Dispatcher and MainDispatcher to GObjects 2016-03-30 17:19:24 +01:00
main-dispatcher.h unify header include order 2016-05-12 11:02:54 +01:00
Makefile.am Rename dcc-encoders.[ch] to image-encoders.[ch] 2016-06-17 15:28:30 +01:00
memslot.c memslot: do not crash if guest provide a wrong address 2016-02-18 10:36:26 +00:00
memslot.h unify header include order 2016-05-12 11:02:54 +01:00
migration-protocol.h Make sure all headers are independent 2016-05-18 00:24:37 +01:00
mjpeg-encoder.c streaming: Avoid copying the input frame in the GStreamer encoder 2016-06-14 17:04:40 +02:00
pixmap-cache.c Introduce SPICE_UPCAST macro 2016-05-24 18:00:51 +01:00
pixmap-cache.h server: rename files 2015-12-03 23:54:32 +00:00
red-channel.c Fix missing prototypes 2016-06-15 15:02:42 +01:00
red-channel.h channel: Remove clients_num and use g_list_length 2016-06-01 16:56:16 +01:00
red-common.h Constify event_loop_core 2016-06-29 08:08:54 +01:00
red-parse-qxl.c factor out red_validate_surface function to validate surface parameters 2016-06-08 09:59:31 +01:00
red-parse-qxl.h factor out red_validate_surface function to validate surface parameters 2016-06-08 09:59:31 +01:00
red-pipe-item.c make red_pipe_item_unref more typesafe 2016-05-21 04:11:12 +01:00
red-pipe-item.h make red_pipe_item_unref more typesafe 2016-05-21 04:11:12 +01:00
red-qxl.c streaming: Let the administrator pick the video encoder and codec 2016-06-14 17:04:40 +02:00
red-qxl.h streaming: Let the administrator pick the video encoder and codec 2016-06-14 17:04:40 +02:00
red-record-qxl.c record: Use proper type for timestamp 2016-06-08 15:27:48 +01:00
red-record-qxl.h record: Use proper type for timestamp 2016-06-08 15:27:48 +01:00
red-replay-qxl.c replay: Load cursor commands 2016-06-06 09:29:12 +01:00
red-replay-qxl.h unify header include order 2016-05-12 11:02:54 +01:00
red-worker.c Rename encoder_globals to encoder_shared_data 2016-06-16 21:02:54 +01:00
red-worker.h Replace RedChannel::clients with GList 2016-05-24 14:56:45 -05:00
reds-private.h Make sure all headers are independent 2016-05-18 00:24:37 +01:00
reds-stream.c use #include<> style for spice-common header inclusions. 2016-05-09 12:45:27 +01:00
reds-stream.h unify header include order 2016-05-12 11:02:54 +01:00
reds.c Constify spice_server_char_device_recognized_subtypes 2016-06-29 08:09:03 +01:00
reds.h streaming: Let the administrator pick the video encoder and codec 2016-06-14 17:04:40 +02:00
smartcard.c smartcard: allocate msg with the expected size 2016-07-08 10:47:38 +02:00
smartcard.h Make sure all headers are independent 2016-05-18 00:24:37 +01:00
sound.c use #include<> style for spice-common header inclusions. 2016-05-09 12:45:27 +01:00
sound.h Make sure all headers are independent 2016-05-18 00:24:37 +01:00
spice-audio.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-bitmap-utils.c do not compile dump_bitmap if not necessary 2016-03-24 13:11:46 +00:00
spice-bitmap-utils.h server: misc header cleanups 2015-12-09 22:17:51 +00:00
spice-bitmap-utils.tmpl.c server: rename _tmpl files 2015-11-26 13:33:36 +00:00
spice-char.h Constify spice_server_char_device_recognized_subtypes 2016-06-29 08:09:03 +01:00
spice-core.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-experimental.h Add missing license headers 2015-10-19 14:25:36 +02:00
spice-input.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-migration.h spice-migration.h: un-deprecate set_seamless_migration() 2016-05-12 06:34:11 +01:00
spice-qxl.h Add new spice-gl stubs API 2016-02-09 14:01:12 +00:00
spice-server.h streaming: Let the administrator pick the video encoder and codec 2016-06-14 17:04:40 +02:00
spice-server.syms streaming: Let the administrator pick the video encoder and codec 2016-06-14 17:04:40 +02:00
spice-version.h.in build-sys: generate spice-version.h 2014-11-27 14:27:33 +01:00
spice.h Split spice.h 2014-11-27 14:27:18 +01:00
spicevmc.c Fix set but not used variable warning 2016-06-16 08:29:39 -03:00
stat.h Make sure all headers are independent 2016-05-18 00:24:37 +01:00
stream.c Fix missing prototypes 2016-06-15 15:02:42 +01:00
stream.h Do not force computing streaming statistic 2016-07-01 14:00:32 +02:00
sw-canvas.c remove sw-canvas.h 2016-05-09 12:45:37 +01:00
tree.c Get code more typesafe 2016-05-21 04:14:13 +01:00
tree.h Introduce SPICE_UPCAST macro 2016-05-24 18:00:51 +01:00
utils.c worker: move dcc_add_surface_area_image 2015-11-23 13:50:44 +00:00
utils.h server: Add time constants to go with spice_get_monotonic_time_ms() 2015-12-14 11:24:47 +00:00
video-encoder.h Make video-encoder.h self independent 2016-06-16 14:14:04 +01:00
zlib-encoder.c server: rename files 2015-12-03 23:54:32 +00:00
zlib-encoder.h Make sure all headers are independent 2016-05-18 00:24:37 +01:00