Source: spice-gtk Version: 0.25-1 Severity: important Tags: security upstream
Hi, The following vulnerability was published for spice-gtk. CVE-2017-12194[0]: | A flaw was found in the way spice-client processed certain messages | sent from the server. An attacker, having control of malicious | spice-server, could use this flaw to crash the client or execute | arbitrary code with permissions of the user running the client. | spice-gtk versions through 0.34 are believed to be vulnerable. See [2] for a test program that demonstrates the issue (attached here as well) and two proposed patches to be applied. If you fix the vulnerability, please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-12194 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12194 [1] https://bugzilla.redhat.com/show_bug.cgi?id=1501200 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1240165 Regards, Salvatore
>From 78b54cbaa064f0ac94af114edb54fca3b365430d Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fzig...@redhat.com>
Date: Fri, 19 Jun 2015 14:42:54 +0100
Subject: [PATCH spice-common 1/3] Write a small test to test possible crash

This small test prove a that current generated demarshaller code is not safe to integer overflows leading to buffer overflows. Actually from a quick look at the protocol it seems that client can't cause these overflows but server can quite easily at demonstrated by this test.

Signed-off-by: Frediano Ziglio <fzig...@redhat.com>
---
tests/Makefile.am | 14 +++++++++
tests/test-overflow.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 94 insertions(+)
create mode 100644 tests/test-overflow.c
Index: spice-gtk-0.34/spice-common/tests/Makefile.am
===================================================================
--- spice-gtk-0.34.orig/spice-common/tests/Makefile.am
+++ spice-gtk-0.34/spice-common/tests/Makefile.am
@@ -63,4 +63,18 @@ EXTRA_DIST = \
 test-marshallers.proto \
 $(NULL)
 
+TESTS += test_overflow
+test_overflow_SOURCES = test-overflow.c
+test_overflow_CFLAGS = \
+ -I$(top_srcdir) \
+ $(GLIB2_CFLAGS) \
+ $(SPICE_COMMON_CFLAGS) \
+ $(PROTOCOL_CFLAGS) \
+ $(NULL)
+test_overflow_LDADD = \
+ $(top_builddir)/common/libspice-common.la \
+ $(top_builddir)/common/libspice-common-server.la \
+ $(top_builddir)/common/libspice-common-client.la \
+ $(NULL)
+
 -include $(top_srcdir)/git.mk
Index: spice-gtk-0.34/spice-common/tests/test-overflow.c
===================================================================
--- /dev/null
+++ spice-gtk-0.34/spice-common/tests/test-overflow.c
@@ -0,0 +1,80 @@
+/*
+ Copyright (C) 2015 Red Hat, Inc.
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#include <common/marshaller.h>
+#include <common/generated_server_marshallers.h>
+#include <common/client_demarshallers.h>
+
+#define NUM_CHANNELS 3u
+
+int main(void)
+{
+ SpiceMarshaller *m;
+ SpiceMsgChannels *msg;
+ uint8_t *data, *out;
+ size_t len;
+ int to_free = 0;
+ spice_parse_channel_func_t func;
+ unsigned int max_message_type, n;
+ message_destructor_t free_output;
+
+ m = spice_marshaller_new();
+ assert(m);
+
+ msg = (SpiceMsgChannels *) malloc(sizeof(SpiceMsgChannels) +
+ NUM_CHANNELS * sizeof(SpiceChannelId));
+ assert(msg);
+
+ // build a message and marshal it
+ msg->num_of_channels = NUM_CHANNELS;
+ for (n = 0; n < NUM_CHANNELS; ++n)
+ msg->channels[n] = (SpiceChannelId) { n + 1, n * 7 };
+ spice_marshall_msg_main_channels_list(m, msg);
+
+ // get linear data
+ data = spice_marshaller_linearize(m, 0, &len, &to_free);
+ assert(data);
+
+ printf("output len %lu\n", (unsigned long) len);
+
+ // hack, try to core
+ *((uint32_t *) data) = 0x80000002u;
+
+ // extract the message
+ func = spice_get_server_channel_parser(1, &max_message_type);
+ assert(func);
+ out = func(data, data+len,
SPICE_MSG_MAIN_CHANNELS_LIST, 0, &len, &free_output);
+ assert(out == NULL);
+
+ // cleanup
+ if (to_free)
+ free(data);
+ if (out)
+ free_output(out);
+ free(msg);
+
+ return 0;
+}
+
Index: spice-gtk-0.34/spice-common/tests/Makefile.in
===================================================================
--- spice-gtk-0.34.orig/spice-common/tests/Makefile.in
+++ spice-gtk-0.34/spice-common/tests/Makefile.in
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.15.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2017 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -88,7 +88,8 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -TESTS = test_logging$(EXEEXT) test_marshallers$(EXEEXT) +TESTS = test_logging$(EXEEXT) test_marshallers$(EXEEXT) \ + test_overflow$(EXEEXT) noinst_PROGRAMS = $(am__EXEEXT_1) subdir = tests ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -104,7 +105,8 @@ mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = -am__EXEEXT_1 = test_logging$(EXEEXT) test_marshallers$(EXEEXT) +am__EXEEXT_1 = test_logging$(EXEEXT) test_marshallers$(EXEEXT) \ + test_overflow$(EXEEXT) PROGRAMS = $(noinst_PROGRAMS) am_test_logging_OBJECTS = test_logging-test-logging.$(OBJEXT) test_logging_OBJECTS = $(am_test_logging_OBJECTS)
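Review bot: The corrupted channel count at `*((uint32_t *) data) = 0x80000002u;` is written in host byte order through a `uint32_t *` view of a `uint8_t` buffer, so on a big-endian host the demarshaller (which I believe reads the count little-endian, as the SPICE wire format is) sees a different value and the test stops exercising the overflow; when `to_free` is 0 and `data` points into the marshaller's own storage the cast is also an alignment and effective-type hazard. Spelling the bytes out avoids both, and `<string.h>` is already included: `static const uint8_t bad_count[4] = { 0x02, 0x00, 0x00, 0x80 };` followed by `memcpy(data, bad_count, sizeof bad_count);`. The check the test exists for, `assert(out == NULL);`, is compiled out under NDEBUG, which turns the program into an unconditional pass; an explicit `if (out != NULL) return 1;` ahead of the cleanup keeps it meaningful under any CFLAGS. The marshaller from `spice_marshaller_new()` is never released; a `spice_marshaller_destroy(m);` at the end of the cleanup block, after the last use of `data` (which may alias its buffer), would keep the test clean under a leak checker.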
@@ -130,6 +132,16 @@ test_marshallers_LINK = $(LIBTOOL) $(AM_ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(test_marshallers_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ -o $@ +am_test_overflow_OBJECTS = test_overflow-test-overflow.$(OBJEXT) +test_overflow_OBJECTS = $(am_test_overflow_OBJECTS) +test_overflow_DEPENDENCIES = \ + $(top_builddir)/common/libspice-common.la \ + $(top_builddir)/common/libspice-common-server.la \ + $(top_builddir)/common/libspice-common-client.la \ + $(am__DEPENDENCIES_1) +test_overflow_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_overflow_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -164,8 +176,10 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(test_logging_SOURCES) $(test_marshallers_SOURCES) -DIST_SOURCES = $(test_logging_SOURCES) $(test_marshallers_SOURCES) +SOURCES = $(test_logging_SOURCES) $(test_marshallers_SOURCES) \ + $(test_overflow_SOURCES) +DIST_SOURCES = $(test_logging_SOURCES) $(test_marshallers_SOURCES) \ + $(test_overflow_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -537,6 +551,7 @@ program_transform_name = @program_transf psdir = @psdir@ pyexecdir = @pyexecdir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -601,6 +616,20 @@ EXTRA_DIST = \ test-marshallers.proto \ $(NULL) +test_overflow_SOURCES = test-overflow.c +test_overflow_CFLAGS = \ + -I$(top_srcdir) \ + $(GLIB2_CFLAGS) \ + $(SPICE_COMMON_CFLAGS) \ + $(PROTOCOL_CFLAGS) \ + $(NULL) + +test_overflow_LDADD = \ + $(top_builddir)/common/libspice-common.la \ + $(top_builddir)/common/libspice-common-server.la \ + $(top_builddir)/common/libspice-common-client.la \ + $(NULL) + all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-am @@ -653,6 +682,10 @@ test_marshallers$(EXEEXT): $(test_marsha @rm -f test_marshallers$(EXEEXT) $(AM_V_CCLD)$(test_marshallers_LINK) $(test_marshallers_OBJECTS) $(test_marshallers_LDADD) $(LIBS) +test_overflow$(EXEEXT): $(test_overflow_OBJECTS) $(test_overflow_DEPENDENCIES) $(EXTRA_test_overflow_DEPENDENCIES) + @rm -f test_overflow$(EXEEXT) + $(AM_V_CCLD)$(test_overflow_LINK) $(test_overflow_OBJECTS) $(test_overflow_LDADD) $(LIBS) + mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -662,6 +695,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_logging-test-logging.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_marshallers-generated_test_marshallers.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_marshallers-test-marshallers.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_overflow-test-overflow.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
@@ -726,6 +760,20 @@ test_marshallers-test-marshallers.obj: t @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_marshallers_CFLAGS) $(CFLAGS) -c -o test_marshallers-test-marshallers.obj `if test -f 'test-marshallers.c'; then $(CYGPATH_W) 'test-marshallers.c'; else $(CYGPATH_W) '$(srcdir)/test-marshallers.c'; fi` +test_overflow-test-overflow.o: test-overflow.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_overflow_CFLAGS) $(CFLAGS) -MT test_overflow-test-overflow.o -MD -MP -MF $(DEPDIR)/test_overflow-test-overflow.Tpo -c -o test_overflow-test-overflow.o `test -f 'test-overflow.c' || echo '$(srcdir)/'`test-overflow.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_overflow-test-overflow.Tpo $(DEPDIR)/test_overflow-test-overflow.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test-overflow.c' object='test_overflow-test-overflow.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_overflow_CFLAGS) $(CFLAGS) -c -o test_overflow-test-overflow.o `test -f 'test-overflow.c' || echo '$(srcdir)/'`test-overflow.c + +test_overflow-test-overflow.obj: test-overflow.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_overflow_CFLAGS) $(CFLAGS) -MT test_overflow-test-overflow.obj -MD -MP -MF $(DEPDIR)/test_overflow-test-overflow.Tpo -c -o test_overflow-test-overflow.obj `if test -f 'test-overflow.c'; then $(CYGPATH_W) 'test-overflow.c'; else $(CYGPATH_W) '$(srcdir)/test-overflow.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/test_overflow-test-overflow.Tpo 
$(DEPDIR)/test_overflow-test-overflow.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test-overflow.c' object='test_overflow-test-overflow.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_overflow_CFLAGS) $(CFLAGS) -c -o test_overflow-test-overflow.obj `if test -f 'test-overflow.c'; then $(CYGPATH_W) 'test-overflow.c'; else $(CYGPATH_W) '$(srcdir)/test-overflow.c'; fi` + mostlyclean-libtool: -rm -f *.lo @@ -938,6 +986,13 @@ test_marshallers.log: test_marshallers$( $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_overflow.log: test_overflow$(EXEEXT) + @p='test_overflow$(EXEEXT)'; \ + b='test_overflow'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) .test.log: @p='$<'; \