Control: tags 920762 + patch
Control: tags 920762 + pending

Dear maintainer,

I've prepared an NMU for spice (versioned as 0.14.0-1.3) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

diff -Nru spice-0.14.0/debian/changelog spice-0.14.0/debian/changelog
--- spice-0.14.0/debian/changelog	2018-10-11 23:41:48.000000000 +0200
+++ spice-0.14.0/debian/changelog	2019-01-28 13:04:44.000000000 +0100
@@ -1,3 +1,11 @@
+spice (0.14.0-1.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * memslot: Fix off-by-one error in group/slot boundary check (CVE-2019-3813)
+    (Closes: #920762)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Mon, 28 Jan 2019 13:04:44 +0100
+
 spice (0.14.0-1.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru spice-0.14.0/debian/patches/memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch spice-0.14.0/debian/patches/memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
--- spice-0.14.0/debian/patches/memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch	1970-01-01 01:00:00.000000000 +0100
+++ spice-0.14.0/debian/patches/memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch	2019-01-28 13:04:44.000000000 +0100
@@ -0,0 +1,46 @@
+From 6eff47e72cb2f23d168be58bab8bdd60df49afd0 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau <cferg...@redhat.com>
+Date: Thu, 29 Nov 2018 14:18:39 +0100
+Subject: [spice-server] memslot: Fix off-by-one error in group/slot boundary
+ check
+
+RedMemSlotInfo keeps an array of groups, and each group contains an
+array of slots. Unfortunately, these checks are off by 1, they check
+that the index is greater or equal to the number of elements in the
+array, while these arrays are 0 based. The check should only check for
+strictly greater than the number of elements.
+
+For the group array, this is not a big issue, as these memslot groups
+are created by spice-server users (eg QEMU), and the group ids used to
+index that array are also generated by the spice-server user, so it
+should not be possible for the guest to set them to arbitrary values.
+
+The slot id is more problematic, as it's calculated from a QXLPHYSICAL
+address, and such addresses are usually set by the guest QXL driver, so
+the guest can set these to arbitrary values, including malicious values,
+which are probably easy to build from the guest PCI configuration.
+
+This patch fixes the arrays bound check, and adds a test case for this.
+
+Signed-off-by: Christophe Fergeau <cferg...@redhat.com>
+---
+
+--- a/server/memslot.c
++++ b/server/memslot.c
+@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlo
+     MemSlot *slot;
+ 
+     *error = 0;
+-    if (group_id > info->num_memslots_groups) {
++    if (group_id >= info->num_memslots_groups) {
+         spice_critical("group_id too big");
+         *error = 1;
+         return 0;
+     }
+ 
+     slot_id = memslot_get_id(info, addr);
+-    if (slot_id > info->num_memslots) {
++    if (slot_id >= info->num_memslots) {
+         print_memslots(info);
+         spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
+         *error = 1;
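Review bot: the upstream commit message embedded in this patch file describes the bug backwards relative to the code change below it: the removed lines check `group_id > info->num_memslots_groups` and `slot_id > info->num_memslots`, and the added lines tighten them to `>=`, so the old code was missing the equal case (an index equal to the element count reads one past the end of a 0-based array), not the other way round as the message says. That text is the upstream author's and can stay verbatim, but a short DEP-3 `Bug-Debian: https://bugs.debian.org/920762` and `Origin: upstream` line above the `---` separator would make the provenance and the correct reading clear to the next person refreshing this patch. Separately, the message promises "adds a test case for this" while the patch only touches `server/memslot.c`; either carry the upstream test hunk along or state in the header that it was intentionally dropped, so a reviewer does not go looking for a missing file.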
diff -Nru spice-0.14.0/debian/patches/series spice-0.14.0/debian/patches/series
--- spice-0.14.0/debian/patches/series	2018-10-11 23:41:48.000000000 +0200
+++ spice-0.14.0/debian/patches/series	2019-01-28 13:04:44.000000000 +0100
@@ -1,2 +1,3 @@
 Fix-flexible-array-buffer-overflow.patch
 refresh-tests-pki-keys.patch
+memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch