diff -Nru spice-0.14.0/debian/changelog spice-0.14.0/debian/changelog --- spice-0.14.0/debian/changelog 2018-08-20 18:44:02.000000000 +0000 +++ spice-0.14.0/debian/changelog 2019-01-24 14:00:10.000000000 +0000 @@ -1,3 +1,14 @@ +spice (0.14.0-1ubuntu2.4) bionic-security; urgency=medium + + * SECURITY UPDATE: off-by-one error in memslot_get_virt + - debian/patches/CVE-2019-3813.patch: fix checks in server/memslot.c, + add tests to server/tests/test-qxl-parsing.c. + - CVE-2019-3813 + * debian/tests/automated-tests: fix incorrect test name, don't fail on + build writing to stderr. + + -- Marc Deslauriers Thu, 24 Jan 2019 09:00:10 -0500 + spice (0.14.0-1ubuntu2.2) bionic-security; urgency=medium * SECURITY UPDATE: Denial of service diff -Nru spice-0.14.0/debian/patches/CVE-2019-3813.patch spice-0.14.0/debian/patches/CVE-2019-3813.patch --- spice-0.14.0/debian/patches/CVE-2019-3813.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.14.0/debian/patches/CVE-2019-3813.patch 2019-01-24 14:00:10.000000000 +0000 @@ -0,0 +1,103 @@ +Backport of: + +From 6eff47e72cb2f23d168be58bab8bdd60df49afd0 Mon Sep 17 00:00:00 2001 +From: Christophe Fergeau +Date: Thu, 29 Nov 2018 14:18:39 +0100 +Subject: [spice-server] memslot: Fix off-by-one error in group/slot boundary + check + +RedMemSlotInfo keeps an array of groups, and each group contains an +array of slots. Unfortunately, these checks are off by 1, they check +that the index is greater or equal to the number of elements in the +array, while these arrays are 0 based. The check should only check for +strictly greater than the number of elements. + +For the group array, this is not a big issue, as these memslot groups +are created by spice-server users (eg QEMU), and the group ids used to +index that array are also generated by the spice-server user, so it +should not be possible for the guest to set them to arbitrary values. + +The slot id is more problematic, as it's calculated from a QXLPHYSICAL +address, and such addresses are usually set by the guest QXL driver, so +the guest can set these to arbitrary values, including malicious values, +which are probably easy to build from the guest PCI configuration. + +This patch fixes the arrays bound check, and adds a test case for this. + +Signed-off-by: Christophe Fergeau +--- + server/memslot.c | 4 ++-- + server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++ + 2 files changed, 32 insertions(+), 2 deletions(-) + +Index: spice-0.14.0/server/memslot.c +=================================================================== +--- spice-0.14.0.orig/server/memslot.c 2019-01-24 09:41:06.175341053 -0500 ++++ spice-0.14.0/server/memslot.c 2019-01-24 09:41:06.171341036 -0500 +@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlo + MemSlot *slot; + + *error = 0; +- if (group_id > info->num_memslots_groups) { ++ if (group_id >= info->num_memslots_groups) { + spice_critical("group_id too big"); + *error = 1; + return 0; + } + + slot_id = memslot_get_id(info, addr); +- if (slot_id > info->num_memslots) { ++ if (slot_id >= info->num_memslots) { + print_memslots(info); + spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr); + *error = 1; +Index: spice-0.14.0/server/tests/test-qxl-parsing.c +=================================================================== +--- spice-0.14.0.orig/server/tests/test-qxl-parsing.c 2019-01-24 09:41:06.175341053 -0500 ++++ spice-0.14.0/server/tests/test-qxl-parsing.c 2019-01-24 13:39:38.816894518 -0500 +@@ -85,6 +85,33 @@ static void deinit_qxl_surface(QXLSurfac + free(from_physical(qxl->u.surface_create.data)); + } + ++static void test_memslot_invalid_group_id(void) ++{ ++ RedMemSlotInfo mem_info; ++ int error; ++ init_meminfo(&mem_info); ++ ++ memslot_get_virt(&mem_info, 0, 16, 1, &error); ++} ++ ++static void test_memslot_invalid_slot_id(void) ++{ ++ RedMemSlotInfo mem_info; ++ int error; ++ init_meminfo(&mem_info); ++ ++ memslot_get_virt(&mem_info, (QXLPHYSICAL)1 << mem_info.memslot_id_shift, 16, 0, &error); ++} ++ ++static void test_memslot_invalid_addresses(void) ++{ ++ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0); ++ g_test_trap_assert_stderr("*group_id too big*"); ++ ++ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0); ++ g_test_trap_assert_stderr("*slot_id 1 too big*"); ++} ++ + static void test_no_issues(void) + { + RedMemSlotInfo mem_info; +@@ -262,6 +289,11 @@ int main(int argc, char *argv[]) + { + g_test_init(&argc, &argv, NULL); + ++ /* try to use invalid memslot group/slot */ ++ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses); ++ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id); ++ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id); ++ + /* try to create a surface with no issues, should succeed */ + g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues); + diff -Nru spice-0.14.0/debian/patches/series spice-0.14.0/debian/patches/series --- spice-0.14.0/debian/patches/series 2018-08-20 18:44:02.000000000 +0000 +++ spice-0.14.0/debian/patches/series 2019-01-24 14:00:07.000000000 +0000 @@ -2,3 +2,4 @@ CVE-2017-12194-2.patch CVE-2017-12194-3.patch CVE-2018-10873.patch +CVE-2019-3813.patch diff -Nru spice-0.14.0/debian/tests/automated-tests spice-0.14.0/debian/tests/automated-tests --- spice-0.14.0/debian/tests/automated-tests 2017-11-02 01:55:03.000000000 +0000 +++ spice-0.14.0/debian/tests/automated-tests 2019-01-24 14:00:10.000000000 +0000 @@ -6,8 +6,8 @@ --disable-celt051 \ --disable-silent-rules \ --enable-smartcard -make -C spice-common/common libspice-common.la libspice-common-server.la -make -C server libspice-server.la -make -C server/tests all -./server/tests/test_display_streaming --automated-tests +make -C spice-common/common libspice-common.la libspice-common-server.la 2>/dev/null +make -C server libspice-server.la 2>/dev/null +make -C server/tests all 2>/dev/null +./server/tests/test-display-streaming --automated-tests