spice/server
Christophe Fergeau a4a16ac42d memslot: Fix off-by-one error in group/slot boundary check
RedMemSlotInfo keeps an array of groups, and each group contains an
array of slots. Unfortunately, these checks are off by 1: they check
that the index is greater than or equal to the number of elements in the
array, while these arrays are 0-based. The check should only check for
strictly greater than the number of elements.

For the group array, this is not a big issue, as these memslot groups
are created by spice-server users (e.g. QEMU), and the group ids used to
index that array are also generated by the spice-server user, so it
should not be possible for the guest to set them to arbitrary values.

The slot id is more problematic, as it's calculated from a QXLPHYSICAL
address, and such addresses are usually set by the guest QXL driver, so
the guest can set these to arbitrary values, including malicious values,
which are probably easy to build from the guest PCI configuration.

This patch fixes the arrays' bounds check, and adds a test case for this.
This fixes CVE-2019-3813.

Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
2019-02-05 14:05:49 +01:00
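Added illustration of the boundary check the commit message describes; this is not spice-server's code and the real memslot.c patch is not reproduced on this page. It models a 0-based array of groups, each with a 0-based array of slots, and a guest-forged QXLPHYSICAL-style address that carries the group and slot ids in its high bits. For an array of n elements the valid indices are 0..n-1, so a lookup must reject any id >= n; a check written as id > n lets id == n through and reads the element just past the table. The struct layout, the shift/mask positions of the ids, and the canary elements placed after each table (so the out-of-bounds read stays well-defined for the demo) are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the memslot tables (not spice's RedMemSlotInfo). */
typedef struct {
    uint64_t virt_start;   /* host address the slot maps to */
    uint64_t virt_end;
} Slot;

typedef struct {
    size_t num_slots;      /* valid slot ids: 0 .. num_slots-1 */
    Slot  *slots;
} Group;

typedef struct {
    size_t   num_groups;   /* valid group ids: 0 .. num_groups-1 */
    Group   *groups;
    unsigned group_shift, slot_shift;   /* assumed id positions in the address */
    uint64_t group_mask, slot_mask;
} MemSlotInfo;

/* The guest-controlled address carries the ids in its high bits
 * (shift/mask layout is an assumption for this example). */
static size_t addr_group_id(const MemSlotInfo *info, uint64_t addr)
{
    return (size_t)((addr >> info->group_shift) & info->group_mask);
}

static size_t addr_slot_id(const MemSlotInfo *info, uint64_t addr)
{
    return (size_t)((addr >> info->slot_shift) & info->slot_mask);
}

/* Off-by-one: "id > count" accepts id == count, one past the end. */
static const Slot *lookup_buggy(const MemSlotInfo *info, uint64_t addr)
{
    size_t g = addr_group_id(info, addr);
    if (g > info->num_groups)                   /* BUG: should be >= */
        return NULL;
    size_t s = addr_slot_id(info, addr);
    if (s > info->groups[g].num_slots)          /* BUG: should be >= */
        return NULL;
    return &info->groups[g].slots[s];
}

/* Hardened: an id is valid only if it is strictly below the element count. */
static const Slot *lookup_fixed(const MemSlotInfo *info, uint64_t addr)
{
    size_t g = addr_group_id(info, addr);
    if (g >= info->num_groups)
        return NULL;
    size_t s = addr_slot_id(info, addr);
    if (s >= info->groups[g].num_slots)
        return NULL;
    return &info->groups[g].slots[s];
}

/* Constructed scenario: one group of NUM_SLOTS real slots. The element
 * directly after each table is a canary standing in for whatever memory
 * would follow the table in a real process. */
#define NUM_SLOTS 4
#define CANARY    0xDEADBEEFULL
static Slot  g_slots[NUM_SLOTS + 1];   /* index NUM_SLOTS is the canary */
static Group g_groups[2];              /* index 1 is the canary group */
static MemSlotInfo g_info;

static void build_tables(void)
{
    memset(g_slots, 0, sizeof g_slots);
    for (size_t i = 0; i < NUM_SLOTS; i++) {
        g_slots[i].virt_start = 0x10000 * (i + 1);
        g_slots[i].virt_end   = g_slots[i].virt_start + 0x1000;
    }
    g_slots[NUM_SLOTS].virt_start = CANARY;   /* never a valid mapping */
    g_groups[0].num_slots = NUM_SLOTS;
    g_groups[0].slots     = g_slots;
    g_groups[1].num_slots = 1;                /* canary group past the table */
    g_groups[1].slots     = &g_slots[NUM_SLOTS];
    g_info.num_groups  = 1;
    g_info.groups      = g_groups;
    g_info.group_shift = 56; g_info.group_mask = 0xff;
    g_info.slot_shift  = 48; g_info.slot_mask  = 0xff;
}

/* Forge an address naming slot `slot` in group `group`, as a guest could. */
static uint64_t make_addr(unsigned group, unsigned slot, uint64_t offset)
{
    return ((uint64_t)group << 56) | ((uint64_t)slot << 48) | offset;
}

/* Returns the virt_start the lookup hands back, or 0 when it is rejected. */
static uint64_t probe(bool fixed, unsigned group, unsigned slot)
{
    build_tables();
    uint64_t addr = make_addr(group, slot, 0x10);
    const Slot *s = fixed ? lookup_fixed(&g_info, addr)
                          : lookup_buggy(&g_info, addr);
    return s ? s->virt_start : 0;
}

int main(void)
{
    /* slot id == NUM_SLOTS: buggy check returns the canary, fixed rejects */
    printf("slot %d  buggy: 0x%llx  fixed: 0x%llx\n", NUM_SLOTS,
           (unsigned long long)probe(false, 0, NUM_SLOTS),
           (unsigned long long)probe(true, 0, NUM_SLOTS));
    return 0;
}
```

Running it shows the buggy lookup returning the canary value for slot id 4 and for group id 1, both of which are exactly one past the end of a 4-slot and a 1-group table, while the fixed lookup rejects both and still resolves the in-range ids 0..3 normally.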
tests memslot: Fix off-by-one error in group/slot boundary check 2019-02-05 14:05:49 +01:00
.gitignore gitignore: Reuse top-level gitignore 2016-12-14 19:09:21 +00:00
agent-msg-filter.c Replace remaining spice_printerr() with g_warning() 2018-06-28 13:21:48 +01:00
agent-msg-filter.h Unify header guards 2017-03-30 18:17:20 +01:00
cache-item.h Unify header guards 2017-03-30 18:17:20 +01:00
cache-item.tmpl.c red-pipe-item: Use GLib memory functions 2017-10-11 12:52:17 +01:00
char-device.c char-device: Remove initial underscores from __red_char_device_write_buffer_get 2018-11-08 10:22:17 +00:00
char-device.h char-device: separate functions to get write buffer for client and server 2018-11-08 08:08:28 +00:00
common-graphics-channel.c common-graphics-channel: Use manual flushing on stream to decrease packet fragmentation 2018-04-17 15:45:39 +01:00
common-graphics-channel.h common-graphics-channel: Move "qxl" property to DisplayChannel 2017-09-07 06:42:01 +01:00
cursor-channel-client.c Use standard "Red" namespace 2017-10-21 08:47:02 +01:00
cursor-channel-client.h Use standard "Red" namespace 2017-10-21 08:47:02 +01:00
cursor-channel.c qxl: Add red_cursor_cmd_{new, ref, unref} helpers 2018-12-06 13:03:36 +00:00
cursor-channel.h Use standard "Red" namespace 2017-10-21 08:47:02 +01:00
dcc-private.h Rename StreamAgent to VideoStreamAgent 2017-11-30 11:51:09 -06:00
dcc-send.c Rename SpiceHead::id to monitor_id in the protocol 2018-07-18 08:17:13 +01:00
dcc.c dcc: Add debug log when setting compression 2018-11-26 13:03:00 +00:00
dcc.h Use "base" as pipe item base field name 2018-06-18 13:40:51 +01:00
dispatcher.c windows: Do not include headers not available on Windows 2019-01-31 10:48:34 +00:00
dispatcher.h Add possibly missing headers for pthread.h 2018-06-26 10:54:01 +01:00
display-channel-private.h display-channel: Store full RedSurfaceCmd, not just QXLReleaseInfoExt 2018-12-06 13:04:00 +00:00
display-channel.c qxl: Release QXL resources in red_put_surface_cmd 2018-12-06 13:04:03 +00:00
display-channel.h display-channel: Remove unused includes 2019-01-30 15:44:47 +00:00
display-limits.h Receive the GraphicsDeviceInfo message from the streaming agent 2019-01-29 15:46:54 +01:00
event-loop.c event-loop: Port to Windows 2019-01-31 11:06:37 +00:00
glib-compat.h Use verify instead of G_STATIC_ASSERT 2017-12-01 22:49:46 +00:00
glz-encode-match.tmpl.c server: rename _tmpl files 2015-11-26 13:33:36 +00:00
glz-encode.tmpl.c glz: Inline GET_{r,g,b} macros 2018-06-27 16:46:52 +01:00
glz-encoder-dict.c glz-encoder-dict: Remove a warning compiling with CentOS 7 2018-07-11 10:22:36 +01:00
glz-encoder-dict.h Make various functions static 2017-04-05 12:39:20 +02:00
glz-encoder-priv.h Unify header guards 2017-03-30 18:17:20 +01:00
glz-encoder.c glz-encoder: Avoid double byte swap sending image magic 2018-06-05 14:13:27 +01:00
glz-encoder.h Unify header guards 2017-03-30 18:17:20 +01:00
gstreamer-encoder.c gstreamer-encoder: Use GLib memory functions 2017-10-11 12:52:17 +01:00
image-cache.c Use constant variables for image operations 2017-11-08 15:23:49 +00:00
image-cache.h Unify header guards 2017-03-30 18:17:20 +01:00
image-encoders.c image-encoders: Initialize Zlib lazily 2019-01-30 13:07:32 +00:00
image-encoders.h Add possibly missing headers for pthread.h 2018-06-26 10:54:01 +01:00
inputs-channel-client.c Replace spice_printerr() use with red_channel_{debug, warning} 2018-06-28 13:21:46 +01:00
inputs-channel-client.h Use standard "Red" namespace 2017-10-21 08:47:02 +01:00
inputs-channel.c Reuse SPICE_UPCAST instead of SPICE_CONTAINEROF where possible 2019-01-17 16:34:23 +00:00
inputs-channel.h inputs-channel: Move spice_server_kbd_leds to InputsChannel 2017-12-19 16:29:41 +00:00
jpeg-encoder.c jpeg-encoder: Remove JPEG_IMAGE_TYPE_RGB24 2018-06-26 18:06:50 +01:00
jpeg-encoder.h jpeg-encoder: Remove JPEG_IMAGE_TYPE_RGB24 2018-06-26 18:06:50 +01:00
lz4-encoder.c red-replay-qxl: Remove useless end of line 2018-11-16 10:17:32 +00:00
lz4-encoder.h Unify header guards 2017-03-30 18:17:20 +01:00
main-channel-client.c utils: Get monotonic time in a coherent way 2018-10-09 15:34:10 +01:00
main-channel-client.h Use standard "Red" namespace 2017-10-21 08:47:02 +01:00
main-channel.c Replace spice_printerr() use with red_channel_{debug, warning} 2018-06-28 13:21:46 +01:00
main-channel.h Use standard "Red" namespace 2017-10-21 08:47:02 +01:00
main-dispatcher.c MainDispatcher: use correct argument type 2017-09-07 10:22:15 -05:00
main-dispatcher.h Unify header guards 2017-03-30 18:17:20 +01:00
Makefile.am Use new common demarshallers.h 2018-10-15 13:39:10 +01:00
memslot.c memslot: Fix off-by-one error in group/slot boundary check 2019-02-05 14:05:49 +01:00
memslot.h memslot: Remove error parameter from memslot_get_virt 2018-07-03 12:23:54 +01:00
meson.build Use new common demarshallers.h 2018-10-15 13:39:10 +01:00
migration-protocol.h Unify header guards 2017-03-30 18:17:20 +01:00
mjpeg-encoder.c mjpeg-encoder: Fix some typos 2017-11-29 11:17:21 +00:00
net-utils.c windows: Do not include headers not available on Windows 2019-01-31 10:48:34 +00:00
net-utils.h reds-stream: Introduce reds_stream_get_no_delay() helper 2017-03-31 12:22:52 +02:00
pixmap-cache.c pixmap-cache: Use GLib memory functions 2017-10-11 12:52:17 +01:00
pixmap-cache.h Unify header guards 2017-03-30 18:17:20 +01:00
red-channel-capabilities.c Remove common/mem.h includes 2017-11-21 08:27:09 +00:00
red-channel-capabilities.h Unify header guards 2017-03-30 18:17:20 +01:00
red-channel-client.c windows: Do not include headers not available on Windows 2019-01-31 10:48:34 +00:00
red-channel-client.h Reuse SPICE_DECLARE_TYPE macro 2017-11-21 08:38:44 +00:00
red-channel.c channel: Remove unused 3rd red_channel_register_client_cbs() arg 2018-06-21 17:54:27 +01:00
red-channel.h Use new common demarshallers.h 2018-10-15 13:39:10 +01:00
red-client.c Remove unneeded spice_printerr() calls 2018-06-28 13:21:22 +01:00
red-client.h Reuse SPICE_DECLARE_TYPE macro 2017-11-21 08:38:44 +00:00
red-common.h build: Remove unneeded spice_common.h includes 2018-07-06 07:06:34 +01:00
red-parse-qxl.c qxl: Release QXL resources in red_put_surface_cmd 2018-12-06 13:04:03 +00:00
red-parse-qxl.h qxl: Release QXL resources in red_put_surface_cmd 2018-12-06 13:04:03 +00:00
red-pipe-item.c red-pipe-item: Use GLib memory functions 2017-10-11 12:52:17 +01:00
red-pipe-item.h red-pipe-item: Move typedef at the top to avoid a "struct RedPipeItem" 2017-12-19 16:28:17 +00:00
red-qxl.c windows: Do not include headers not available on Windows 2019-01-31 10:48:34 +00:00
red-qxl.h Send the graphics device info to the vd_agent 2019-01-29 15:46:28 +01:00
red-record-qxl.c red-replay-qxl: Remove useless end of line 2018-11-16 10:17:32 +00:00
red-record-qxl.h red-record-qxl: Change license header to LGPLv2+ 2018-07-05 10:15:17 +02:00
red-replay-qxl.c red-replay-qxl: Use PRIxPTR constant for string formatting 2019-01-08 12:48:53 +00:00
red-stream-device.c red-stream-device: Constify stream_device_get_device_display_info result 2019-02-04 19:44:12 +00:00
red-stream-device.h red-stream-device: Constify stream_device_get_device_display_info result 2019-02-04 19:44:12 +00:00
red-stream.c windows: Do not include headers not available on Windows 2019-01-31 10:48:34 +00:00
red-stream.h red-stream: Propagate RedStreamSslStatus type 2018-10-09 12:52:48 +01:00
red-worker.c display-channel: Remove unused includes 2019-01-30 15:44:47 +00:00
red-worker.h red-worker: Remove obsolete type definition 2019-01-23 21:22:37 +00:00
reds-private.h Send the graphics device info to the vd_agent 2019-01-29 15:46:28 +01:00
reds.c red-stream-device: Constify stream_device_get_device_display_info result 2019-02-04 19:44:12 +00:00
reds.h reds: Explicitly include inttypes.h 2019-01-31 10:49:54 +00:00
smartcard-channel-client.c smartcard: do not keep weak ref when device is NULL 2019-01-30 09:27:52 +00:00
smartcard-channel-client.h Use standard "Red" namespace 2017-10-21 08:47:02 +01:00
smartcard.c smartcard: set char device state 2018-12-03 17:02:09 +00:00
smartcard.h Reuse SPICE_DECLARE_TYPE macro 2017-11-21 08:38:44 +00:00
sound.c windows: Do not include headers not available on Windows 2019-01-31 10:48:34 +00:00
sound.h Change playback_compression to bool type 2017-04-07 15:08:43 -05:00
spice-audio.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-bitmap-utils.c Attempt to create bitmap debug directory 2017-04-07 16:45:54 +01:00
spice-bitmap-utils.h Use verify instead of G_STATIC_ASSERT 2017-12-01 22:49:46 +00:00
spice-bitmap-utils.tmpl.c server: rename _tmpl files 2015-11-26 13:33:36 +00:00
spice-char.h Constify spice_server_char_device_recognized_subtypes 2016-06-29 08:09:03 +01:00
spice-core.h windows: Do not include headers not available on Windows 2019-01-31 10:48:34 +00:00
spice-experimental.h Unify header guards 2017-03-30 18:17:20 +01:00
spice-input.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-migration.h server: Use SPICE_GNUC_DEPRECATED to avoid a dependency on glib.h 2016-08-12 09:47:40 +01:00
spice-qxl.h QXL interface: improve the spice_qxl_set_device_info documentation 2019-01-28 19:35:53 +00:00
spice-replay.h Unify header guards 2017-03-30 18:17:20 +01:00
spice-server-enums.c.tmpl build: Rename spice-server-enums.tmpl.[ch] to spice-server-enums.[ch].tmpl 2018-03-07 10:04:04 -03:00
spice-server-enums.h.tmpl build: Rename spice-server-enums.tmpl.[ch] to spice-server-enums.[ch].tmpl 2018-03-07 10:04:04 -03:00
spice-server.h Convert RedChannelClient hierarchy to GObject 2016-10-07 14:46:37 -05:00
spice-server.syms QXL interface: add a function to identify monitors in the guest 2019-01-26 09:40:10 +00:00
spice-version.h.in build-sys: generate spice-version.h 2014-11-27 14:27:33 +01:00
spice.h Make red-replay-qxl.h a public header 2016-11-10 06:37:15 +00:00
spicevmc.c char-device: separate functions to get write buffer for client and server 2018-11-08 08:08:28 +00:00
stat-file.c stat-file: Exit earlier to reduce indentation 2018-06-25 13:12:04 +01:00
stat-file.h Unify header guards 2017-03-30 18:17:20 +01:00
stat.h Unify header guards 2017-03-30 18:17:20 +01:00
stream-channel.c Trace streaming device data using recorder 2019-01-23 14:51:01 +00:00
stream-channel.h Make stream-channel.h self-contained 2017-10-30 12:01:24 +01:00
sw-canvas.c remove sw-canvas.h 2016-05-09 12:45:37 +01:00
tree.c tree: Use GLib memory functions 2017-10-11 12:52:17 +01:00
tree.h Unify header guards 2017-03-30 18:17:20 +01:00
utils.c utils: Avoid possible unaligned access 2018-01-31 14:17:39 +00:00
utils.h utils: Get monotonic time in a coherent way 2018-10-09 15:34:10 +01:00
video-encoder.h Unify header guards 2017-03-30 18:17:20 +01:00
video-stream.c Use "base" as pipe item base field name 2018-06-18 13:40:51 +01:00
video-stream.h Use "base" as pipe item base field name 2018-06-18 13:40:51 +01:00
zlib-encoder.c Replace remaining spice_printerr() with g_warning() 2018-06-28 13:21:48 +01:00
zlib-encoder.h Unify header guards 2017-03-30 18:17:20 +01:00