diff -Nru spice-0.12.4/debian/changelog spice-0.12.4/debian/changelog --- spice-0.12.4/debian/changelog 2015-09-08 12:03:35.000000000 +0000 +++ spice-0.12.4/debian/changelog 2015-10-01 11:38:07.000000000 +0000 @@ -1,3 +1,14 @@ +spice (0.12.4-0nocelt2ubuntu1.2) trusty-security; urgency=medium + + * SECURITY UPDATE: multiple security issues + - debian/patches/CVE-2015-526x/*.patch: apply series of patches from + Red Hat to fix overflows, race conditions, memory leaks and denial of + service issues. + - CVE-2015-5260 + - CVE-2015-5261 + + -- Marc Deslauriers Thu, 01 Oct 2015 07:37:43 -0400 + spice (0.12.4-0nocelt2ubuntu1.1) trusty-security; urgency=medium * SECURITY UPDATE: heap corruption via monitor configs diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0041-Define-a-constant-to-limit-data-from-guest.patch spice-0.12.4/debian/patches/CVE-2015-526x/0041-Define-a-constant-to-limit-data-from-guest.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0041-Define-a-constant-to-limit-data-from-guest.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0041-Define-a-constant-to-limit-data-from-guest.patch 2015-10-01 11:37:20.000000000 +0000 @@ -0,0 +1,42 @@ +From 247209c1f1c6a41d9fe0532ae17f19ae1cdcc2f7 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 8 Sep 2015 11:58:11 +0100 +Subject: [PATCH 41/57] Define a constant to limit data from guest. + +This limit will prevent guest trying to do nasty things and DoS to host. + +Signed-off-by: Frediano Ziglio +--- + server/red_parse_qxl.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c +index 6c0b065..4449f2c 100644 +--- a/server/red_parse_qxl.c ++++ b/server/red_parse_qxl.c +@@ -21,11 +21,22 @@ + + #include + #include ++#include + #include "common/lz_common.h" + #include "red_common.h" + #include "red_memslots.h" + #include "red_parse_qxl.h" + ++/* Max size in bytes for any data field used in a QXL command. ++ * This will for example be useful to prevent the guest from saturating the ++ * host memory if it tries to send overlapping chunks. ++ * This value should be big enough for all requests but limited ++ * to 32 bits. Even better if it fits on 31 bits to detect integer overflows. ++ */ ++#define MAX_DATA_CHUNK 0x7ffffffflu ++ ++G_STATIC_ASSERT(MAX_DATA_CHUNK <= G_MAXINT32); ++ + #if 0 + static void hexdump_qxl(RedMemSlotInfo *slots, int group_id, + QXLPHYSICAL addr, uint8_t bytes) +-- +2.4.3 + diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0042-Fix-some-integer-overflow-causing-large-memory-alloc.patch spice-0.12.4/debian/patches/CVE-2015-526x/0042-Fix-some-integer-overflow-causing-large-memory-alloc.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0042-Fix-some-integer-overflow-causing-large-memory-alloc.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0042-Fix-some-integer-overflow-causing-large-memory-alloc.patch 2015-10-01 11:41:26.000000000 +0000 @@ -0,0 +1,66 @@ +From b9ee3c381ef823b6a4f246e0df3112efdd349b6a Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Thu, 17 Sep 2015 15:00:22 +0100 +Subject: [PATCH 42/57] Fix some integer overflow causing large memory + allocations + +Prevent integer overflow when computing image sizes. +Image index computations are done using 32 bit so this can cause easily +security issues. MAX_DATA_CHUNK is larger than the virtual +card limit, so this is not going to cause change in behaviours. +Comparing size calculation results with MAX_DATA_CHUNK will allow us to +catch overflows. +Prevent guest from allocating large amount of memory. + +Signed-off-by: Frediano Ziglio +--- + server/red_parse_qxl.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +Index: spice-0.12.4/server/red_parse_qxl.c +=================================================================== +--- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:41:24.414548824 -0400 ++++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:41:24.414548824 -0400 +@@ -384,7 +384,7 @@ + QXLImage *qxl; + SpiceImage *red = NULL; + SpicePalette *rp = NULL; +- size_t bitmap_size, size; ++ uint64_t bitmap_size, size; + uint8_t qxl_flags; + int error; + +@@ -460,7 +460,10 @@ + red->u.bitmap.palette = rp; + red->u.bitmap.palette_id = rp->unique; + } +- bitmap_size = red->u.bitmap.y * abs(red->u.bitmap.stride); ++ bitmap_size = (uint64_t) red->u.bitmap.y * red->u.bitmap.stride; ++ if (bitmap_size > MAX_DATA_CHUNK) { ++ goto error; ++ } + if (qxl_flags & QXL_BITMAP_DIRECT) { + red->u.bitmap.data = red_get_image_data_flat(slots, group_id, + qxl->bitmap.data, +@@ -1220,7 +1223,7 @@ + RedSurfaceCmd *red, QXLPHYSICAL addr) + { + QXLSurfaceCmd *qxl; +- size_t size; ++ uint64_t size; + int error; + + qxl = (QXLSurfaceCmd *)get_virt(slots, addr, sizeof(*qxl), group_id, +@@ -1240,7 +1243,11 @@ + red->u.surface_create.width = qxl->u.surface_create.width; + red->u.surface_create.height = qxl->u.surface_create.height; + red->u.surface_create.stride = qxl->u.surface_create.stride; +- size = red->u.surface_create.height * abs(red->u.surface_create.stride); ++ /* the multiplication can overflow, also abs(-2^31) may return a negative value */ ++ size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride); ++ if (size > MAX_DATA_CHUNK || red->u.surface_create.stride == G_MININT32) { ++ return 1; ++ } + red->u.surface_create.data = + (uint8_t*)get_virt(slots, qxl->u.surface_create.data, size, group_id, &error); + if (error) { diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0043-Check-properly-surface-to-be-created.patch spice-0.12.4/debian/patches/CVE-2015-526x/0043-Check-properly-surface-to-be-created.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0043-Check-properly-surface-to-be-created.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0043-Check-properly-surface-to-be-created.patch 2015-10-01 11:41:18.000000000 +0000 @@ -0,0 +1,75 @@ +From b15d9c6d94bf426d61aaa4631ed55271c0d12b14 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 8 Sep 2015 16:02:59 +0100 +Subject: [PATCH 43/57] Check properly surface to be created + +Check format is valid. +Check stride is at least the size of required bytes for a row. + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +--- + server/red_parse_qxl.c | 35 ++++++++++++++++++++++++++++++++++- + 1 file changed, 34 insertions(+), 1 deletion(-) + +Index: spice-0.12.4/server/red_parse_qxl.c +=================================================================== +--- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:41:12.782642506 -0400 ++++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:41:12.778642538 -0400 +@@ -1219,12 +1219,30 @@ + /* nothing yet */ + } + ++static unsigned int surface_format_to_bpp(uint32_t format) ++{ ++ switch (format) { ++ case SPICE_SURFACE_FMT_1_A: ++ return 1; ++ case SPICE_SURFACE_FMT_8_A: ++ return 8; ++ case SPICE_SURFACE_FMT_16_555: ++ case SPICE_SURFACE_FMT_16_565: ++ return 16; ++ case SPICE_SURFACE_FMT_32_xRGB: ++ case SPICE_SURFACE_FMT_32_ARGB: ++ return 32; ++ } ++ return 0; ++} ++ + int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id, + RedSurfaceCmd *red, QXLPHYSICAL addr) + { + QXLSurfaceCmd *qxl; + uint64_t size; + int error; ++ unsigned int bpp; + + qxl = (QXLSurfaceCmd *)get_virt(slots, addr, sizeof(*qxl), group_id, + &error); +@@ -1243,9 +1261,24 @@ + red->u.surface_create.width = qxl->u.surface_create.width; + red->u.surface_create.height = qxl->u.surface_create.height; + red->u.surface_create.stride = qxl->u.surface_create.stride; ++ bpp = surface_format_to_bpp(red->u.surface_create.format); ++ ++ /* check if format is valid */ ++ if (!bpp) { ++ return 1; ++ } ++ ++ /* check stride is larger than required bytes */ ++ size = ((uint64_t) red->u.surface_create.width * bpp + 7u) / 8u; ++ /* the uint32_t conversion is here to avoid problems with -2^31 value */ ++ if (red->u.surface_create.stride == G_MININT32 ++ || size > (uint32_t) abs(red->u.surface_create.stride)) { ++ return 1; ++ } ++ + /* the multiplication can overflow, also abs(-2^31) may return a negative value */ + size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride); +- if (size > MAX_DATA_CHUNK || red->u.surface_create.stride == G_MININT32) { ++ if (size > MAX_DATA_CHUNK) { + return 1; + } + red->u.surface_create.data = diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0044-Fix-buffer-reading-overflow.patch spice-0.12.4/debian/patches/CVE-2015-526x/0044-Fix-buffer-reading-overflow.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0044-Fix-buffer-reading-overflow.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0044-Fix-buffer-reading-overflow.patch 2015-10-01 11:41:06.000000000 +0000 @@ -0,0 +1,35 @@ +From 18087073df84885642d9b0b1efd0e86e18409bbe Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 8 Sep 2015 10:00:37 +0100 +Subject: [PATCH 44/57] Fix buffer reading overflow + +Not security risk as just for read. +However, this could be used to attempt integer overflows in the +following lines. + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +--- + server/red_parse_qxl.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +Index: spice-0.12.4/server/red_parse_qxl.c +=================================================================== +--- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:41:04.650708000 -0400 ++++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:41:04.650708000 -0400 +@@ -361,7 +361,14 @@ + + static int bitmap_consistent(SpiceBitmap *bitmap) + { +- int bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format]; ++ int bpp; ++ ++ if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) { ++ spice_warning("wrong format specified for image\n"); ++ return FALSE; ++ } ++ ++ bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format]; + + if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) { + spice_error("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n", diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0045-Prevent-32-bit-integer-overflow-in-bitmap_consistent.patch spice-0.12.4/debian/patches/CVE-2015-526x/0045-Prevent-32-bit-integer-overflow-in-bitmap_consistent.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0045-Prevent-32-bit-integer-overflow-in-bitmap_consistent.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0045-Prevent-32-bit-integer-overflow-in-bitmap_consistent.patch 2015-10-01 11:39:11.000000000 +0000 @@ -0,0 +1,45 @@ +Backport of: + +From 7baa8c39757b46a834e20198e4b18e9f1752e20e Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 8 Sep 2015 13:09:35 +0100 +Subject: [PATCH 45/57] Prevent 32 bit integer overflow in bitmap_consistent + +The overflow may lead to buffer overflow as the row size computed from +width (bitmap->x) can be bigger than the size in bytes (bitmap->stride). +This can make spice-server accept the invalid sizes. + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +--- + server/red_parse_qxl.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +Index: spice-0.12.4/server/red_parse_qxl.c +=================================================================== +--- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:38:25.587989209 -0400 ++++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:38:52.659771136 -0400 +@@ -357,11 +357,12 @@ + return "unknown"; + } + +-static const int MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[] = {0, 1, 1, 4, 4, 8, 16, 24, 32, 32, 8}; ++static const unsigned int MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[] = ++ {0, 1, 1, 4, 4, 8, 16, 24, 32, 32, 8}; + + static int bitmap_consistent(SpiceBitmap *bitmap) + { +- int bpp; ++ unsigned int bpp; + + if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) { + spice_warning("wrong format specified for image\n"); +@@ -370,7 +371,7 @@ + + bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format]; + +- if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) { ++ if (bitmap->stride < (((uint64_t) bitmap->x * bpp + 7u) / 8u)) { + spice_error("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n", + bitmap->stride, bitmap->x, bpp, + bitmap_format_to_string(bitmap->format), diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0046-Fix-race-condition-on-red_get_clip_rects.patch spice-0.12.4/debian/patches/CVE-2015-526x/0046-Fix-race-condition-on-red_get_clip_rects.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0046-Fix-race-condition-on-red_get_clip_rects.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0046-Fix-race-condition-on-red_get_clip_rects.patch 2015-10-01 11:37:20.000000000 +0000 @@ -0,0 +1,42 @@ +From 078a903d55f44aedd22b4fa8dd86e4b03b82c01c Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 8 Sep 2015 10:01:51 +0100 +Subject: [PATCH 46/57] Fix race condition on red_get_clip_rects + +Do not read multiple time an array size that can be changed. + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +--- + server/red_parse_qxl.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c +index 3385f52..affd3a2 100644 +--- a/server/red_parse_qxl.c ++++ b/server/red_parse_qxl.c +@@ -273,6 +273,7 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id, + size_t size; + int i; + int error; ++ uint32_t num_rects; + + qxl = (QXLClipRects *)get_virt(slots, addr, sizeof(*qxl), group_id, &error); + if (error) { +@@ -284,9 +285,10 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id, + data = red_linearize_chunk(&chunks, size, &free_data); + red_put_data_chunks(&chunks); + +- spice_assert(qxl->num_rects * sizeof(QXLRect) == size); +- red = spice_malloc(sizeof(*red) + qxl->num_rects * sizeof(SpiceRect)); +- red->num_rects = qxl->num_rects; ++ num_rects = qxl->num_rects; ++ spice_assert(num_rects * sizeof(QXLRect) == size); ++ red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect)); ++ red->num_rects = num_rects; + + start = (QXLRect*)data; + for (i = 0; i < red->num_rects; i++) { +-- +2.4.3 + diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0047-Fix-race-in-red_get_image.patch spice-0.12.4/debian/patches/CVE-2015-526x/0047-Fix-race-in-red_get_image.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0047-Fix-race-in-red_get_image.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0047-Fix-race-in-red_get_image.patch 2015-10-01 11:37:20.000000000 +0000 @@ -0,0 +1,77 @@ +From d2fc5cee16c10e53d81c6251e6929da54270a6f4 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 8 Sep 2015 10:04:10 +0100 +Subject: [PATCH 47/57] Fix race in red_get_image + +Do not read multiple times data from guest as this could be changed +by other vcpu threads. +This causes races and security problems if these data are used for +buffer allocation or checks. + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +--- + server/red_parse_qxl.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c +index affd3a2..84ea526 100644 +--- a/server/red_parse_qxl.c ++++ b/server/red_parse_qxl.c +@@ -397,6 +397,7 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id, + uint64_t bitmap_size, size; + uint8_t qxl_flags; + int error; ++ QXLPHYSICAL palette; + + if (addr == 0) { + return NULL; +@@ -422,12 +423,16 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id, + switch (red->descriptor.type) { + case SPICE_IMAGE_TYPE_BITMAP: + red->u.bitmap.format = qxl->bitmap.format; +- if (!bitmap_fmt_is_rgb(qxl->bitmap.format) && !qxl->bitmap.palette && !is_mask) { ++ red->u.bitmap.x = qxl->bitmap.x; ++ red->u.bitmap.y = qxl->bitmap.y; ++ red->u.bitmap.stride = qxl->bitmap.stride; ++ palette = qxl->bitmap.palette; ++ if (!bitmap_fmt_is_rgb(red->u.bitmap.format) && !palette && !is_mask) { + spice_warning("guest error: missing palette on bitmap format=%d\n", + red->u.bitmap.format); + goto error; + } +- if (qxl->bitmap.x == 0 || qxl->bitmap.y == 0) { ++ if (red->u.bitmap.x == 0 || red->u.bitmap.y == 0) { + spice_warning("guest error: zero area bitmap\n"); + goto error; + } +@@ -435,23 +440,20 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id, + if (qxl_flags & QXL_BITMAP_TOP_DOWN) { + red->u.bitmap.flags = SPICE_BITMAP_FLAGS_TOP_DOWN; + } +- red->u.bitmap.x = qxl->bitmap.x; +- red->u.bitmap.y = qxl->bitmap.y; +- red->u.bitmap.stride = qxl->bitmap.stride; + if (!bitmap_consistent(&red->u.bitmap)) { + goto error; + } +- if (qxl->bitmap.palette) { ++ if (palette) { + QXLPalette *qp; + int i, num_ents; +- qp = (QXLPalette *)get_virt(slots, qxl->bitmap.palette, ++ qp = (QXLPalette *)get_virt(slots, palette, + sizeof(*qp), group_id, &error); + if (error) { + goto error; + } + num_ents = qp->num_ents; + if (!validate_virt(slots, (intptr_t)qp->ents, +- get_memslot_id(slots, qxl->bitmap.palette), ++ get_memslot_id(slots, palette), + num_ents * sizeof(qp->ents[0]), group_id)) { + goto error; + } +-- +2.4.3 + diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0048-Fix-race-condition-in-red_get_string.patch spice-0.12.4/debian/patches/CVE-2015-526x/0048-Fix-race-condition-in-red_get_string.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0048-Fix-race-condition-in-red_get_string.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0048-Fix-race-condition-in-red_get_string.patch 2015-10-01 11:40:57.000000000 +0000 @@ -0,0 +1,59 @@ +From 932e27e50032c1c7032be3616217a2ab0586fe78 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 8 Sep 2015 10:05:20 +0100 +Subject: [PATCH 48/57] Fix race condition in red_get_string + +Do not read multiple time an array size that can be changed. + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +--- + server/red_parse_qxl.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +Index: spice-0.12.4/server/red_parse_qxl.c +=================================================================== +--- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:40:55.714779970 -0400 ++++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:40:55.710780003 -0400 +@@ -809,6 +809,7 @@ + size_t chunk_size, qxl_size, red_size, glyph_size; + int glyphs, bpp = 0, i; + int error; ++ uint16_t qxl_flags, qxl_length; + + qxl = (QXLString *)get_virt(slots, addr, sizeof(*qxl), group_id, &error); + if (error) { +@@ -825,13 +826,15 @@ + red_put_data_chunks(&chunks); + + qxl_size = qxl->data_size; ++ qxl_flags = qxl->flags; ++ qxl_length = qxl->length; + spice_assert(chunk_size == qxl_size); + +- if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A1) { ++ if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A1) { + bpp = 1; +- } else if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A4) { ++ } else if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A4) { + bpp = 4; +- } else if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A8) { ++ } else if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A8) { + bpp = 8; + } + spice_assert(bpp != 0); +@@ -848,11 +851,11 @@ + start = (QXLRasterGlyph*)(&start->data[glyph_size]); + } + spice_assert(start <= end); +- spice_assert(glyphs == qxl->length); ++ spice_assert(glyphs == qxl_length); + + red = spice_malloc(red_size); +- red->length = qxl->length; +- red->flags = qxl->flags; ++ red->length = qxl_length; ++ red->flags = qxl_flags; + + start = (QXLRasterGlyph*)data; + end = (QXLRasterGlyph*)(data + chunk_size); diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0049-Fix-integer-overflow-computing-glyph_size-in-red_get.patch spice-0.12.4/debian/patches/CVE-2015-526x/0049-Fix-integer-overflow-computing-glyph_size-in-red_get.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0049-Fix-integer-overflow-computing-glyph_size-in-red_get.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0049-Fix-integer-overflow-computing-glyph_size-in-red_get.patch 2015-10-01 11:40:48.000000000 +0000 @@ -0,0 +1,60 @@ +From e28c08d63490a2fb6b8cc07bf968eb16243e9c63 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 8 Sep 2015 10:13:24 +0100 +Subject: [PATCH 49/57] Fix integer overflow computing glyph_size in + red_get_string + +If bpp is int the formula can lead to weird overflows. width and height +are uint16_t so the formula is: + + size_t = u16 * (u16 * int + const_int) / const_int; + +so it became + + size_t = (int) u16 * ((int) u16 * int + const_int) / const_int; + +However the (int) u16 * (int) u16 can then became negative to overflow. +Under 64 bit architectures size_t is 64 and int usually 32 so converting +this negative 32 bit number to a unsigned 64 bit lead to a very big +number as the signed is extended and then converted to unsigned. +Using unsigned arithmetic prevent extending the sign. + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +--- + server/red_parse_qxl.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +Index: spice-0.12.4/server/red_parse_qxl.c +=================================================================== +--- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:40:46.278855969 -0400 ++++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:40:46.274856001 -0400 +@@ -807,7 +807,9 @@ + uint8_t *data; + bool free_data; + size_t chunk_size, qxl_size, red_size, glyph_size; +- int glyphs, bpp = 0, i; ++ int glyphs, i; ++ /* use unsigned to prevent integer overflow in multiplication below */ ++ unsigned int bpp = 0; + int error; + uint16_t qxl_flags, qxl_length; + +@@ -846,7 +848,7 @@ + while (start < end) { + spice_assert((QXLRasterGlyph*)(&start->data[0]) <= end); + glyphs++; +- glyph_size = start->height * ((start->width * bpp + 7) / 8); ++ glyph_size = start->height * ((start->width * bpp + 7u) / 8u); + red_size += sizeof(SpiceRasterGlyph *) + SPICE_ALIGN(sizeof(SpiceRasterGlyph) + glyph_size, 4); + start = (QXLRasterGlyph*)(&start->data[glyph_size]); + } +@@ -867,7 +869,7 @@ + glyph->height = start->height; + red_get_point_ptr(&glyph->render_pos, &start->render_pos); + red_get_point_ptr(&glyph->glyph_origin, &start->glyph_origin); +- glyph_size = glyph->height * ((glyph->width * bpp + 7) / 8); ++ glyph_size = glyph->height * ((glyph->width * bpp + 7u) / 8u); + spice_assert((QXLRasterGlyph*)(&start->data[glyph_size]) <= end); + memcpy(glyph->data, start->data, glyph_size); + start = (QXLRasterGlyph*)(&start->data[glyph_size]); diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0050-Fix-race-condition-in-red_get_data_chunks_ptr.patch spice-0.12.4/debian/patches/CVE-2015-526x/0050-Fix-race-condition-in-red_get_data_chunks_ptr.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0050-Fix-race-condition-in-red_get_data_chunks_ptr.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0050-Fix-race-condition-in-red_get_data_chunks_ptr.patch 2015-10-01 11:37:20.000000000 +0000 @@ -0,0 +1,66 @@ +From 20979131dee0f81972ca159e5f754d42890e75e6 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 8 Sep 2015 12:12:19 +0100 +Subject: [PATCH 50/57] Fix race condition in red_get_data_chunks_ptr + +Do not read multiple times data from guest as this can be changed by +other guest vcpus. This causes races and security problems if these +data are used for buffer allocation or checks. + +Actually, the 'data' member can't change during read as it is just a +pointer to a fixed array contained in qxl. However, this change will +make it clear that there can be no race condition. + +Signed-off-by: Frediano Ziglio +--- + server/red_parse_qxl.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c +index c4b82be..7cc20e6 100644 +--- a/server/red_parse_qxl.c ++++ b/server/red_parse_qxl.c +@@ -102,30 +102,33 @@ static size_t red_get_data_chunks_ptr(RedMemSlotInfo *slots, int group_id, + RedDataChunk *red_prev; + size_t data_size = 0; + int error; ++ QXLPHYSICAL next_chunk; + + red->data_size = qxl->data_size; + data_size += red->data_size; +- if (!validate_virt(slots, (intptr_t)qxl->data, memslot_id, red->data_size, group_id)) { ++ red->data = qxl->data; ++ if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) { ++ red->data = NULL; + return 0; + } +- red->data = qxl->data; + red->prev_chunk = NULL; + +- while (qxl->next_chunk) { ++ while ((next_chunk = qxl->next_chunk) != 0) { + red_prev = red; + red = spice_new(RedDataChunk, 1); +- memslot_id = get_memslot_id(slots, qxl->next_chunk); +- qxl = (QXLDataChunk *)get_virt(slots, qxl->next_chunk, sizeof(*qxl), group_id, ++ memslot_id = get_memslot_id(slots, next_chunk); ++ qxl = (QXLDataChunk *)get_virt(slots, next_chunk, sizeof(*qxl), group_id, + &error); + if (error) { + return 0; + } + red->data_size = qxl->data_size; + data_size += red->data_size; +- if (!validate_virt(slots, (intptr_t)qxl->data, memslot_id, red->data_size, group_id)) { ++ red->data = qxl->data; ++ if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) { ++ red->data = NULL; + return 0; + } +- red->data = qxl->data; + red->prev_chunk = red_prev; + red_prev->next_chunk = red; + } +-- +2.4.3 + diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0051-Prevent-memory-leak-if-red_get_data_chunks_ptr-fails.patch spice-0.12.4/debian/patches/CVE-2015-526x/0051-Prevent-memory-leak-if-red_get_data_chunks_ptr-fails.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0051-Prevent-memory-leak-if-red_get_data_chunks_ptr-fails.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0051-Prevent-memory-leak-if-red_get_data_chunks_ptr-fails.patch 2015-10-01 11:37:20.000000000 +0000 @@ -0,0 +1,75 @@ +From 173645bea63ad31ba0d6d4c58a06272aa488fb92 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 8 Sep 2015 12:14:55 +0100 +Subject: [PATCH 51/57] Prevent memory leak if red_get_data_chunks_ptr fails + +Free linked list if client tries to do nasty things + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +--- + server/red_parse_qxl.c | 31 ++++++++++++++++++++----------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c +index 7cc20e6..fe3ae78 100644 +--- a/server/red_parse_qxl.c ++++ b/server/red_parse_qxl.c +@@ -107,34 +107,43 @@ static size_t red_get_data_chunks_ptr(RedMemSlotInfo *slots, int group_id, + red->data_size = qxl->data_size; + data_size += red->data_size; + red->data = qxl->data; ++ red->prev_chunk = red->next_chunk = NULL; + if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) { + red->data = NULL; + return 0; + } +- red->prev_chunk = NULL; + + while ((next_chunk = qxl->next_chunk) != 0) { + red_prev = red; +- red = spice_new(RedDataChunk, 1); ++ red = spice_new0(RedDataChunk, 1); ++ red->prev_chunk = red_prev; ++ red_prev->next_chunk = red; ++ + memslot_id = get_memslot_id(slots, next_chunk); + qxl = (QXLDataChunk *)get_virt(slots, next_chunk, sizeof(*qxl), group_id, + &error); +- if (error) { +- return 0; +- } ++ if (error) ++ goto error; + red->data_size = qxl->data_size; + data_size += red->data_size; + red->data = qxl->data; +- if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) { +- red->data = NULL; +- return 0; +- } +- red->prev_chunk = red_prev; +- red_prev->next_chunk = red; ++ if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) ++ goto error; + } + + red->next_chunk = NULL; + return data_size; ++ ++error: ++ while (red->prev_chunk) { ++ red_prev = red->prev_chunk; ++ free(red); ++ red = red_prev; ++ } ++ red->data_size = 0; ++ red->next_chunk = NULL; ++ red->data = NULL; ++ return 0; + } + + static size_t red_get_data_chunks(RedMemSlotInfo *slots, int group_id, +-- +2.4.3 + diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0052-Prevent-DoS-from-guest-trying-to-allocate-too-much-d.patch spice-0.12.4/debian/patches/CVE-2015-526x/0052-Prevent-DoS-from-guest-trying-to-allocate-too-much-d.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0052-Prevent-DoS-from-guest-trying-to-allocate-too-much-d.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0052-Prevent-DoS-from-guest-trying-to-allocate-too-much-d.patch 2015-10-01 11:37:20.000000000 +0000 @@ -0,0 +1,102 @@ +From ffbe1b2e3bff5fec022030836a9319d57c6f94c5 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 8 Sep 2015 12:28:54 +0100 +Subject: [PATCH 52/57] Prevent DoS from guest trying to allocate too much data + on host for chunks + +Limit number of chunks to a given amount to avoid guest trying to +allocate too much memory. Using circular or nested chunks lists +guest could try to allocate huge amounts of memory. +Considering the list can be infinite and guest can change data this +also prevents strange security attacks from guest. + +Signed-off-by: Frediano Ziglio +--- + server/red_parse_qxl.c | 49 +++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 41 insertions(+), 8 deletions(-) + +diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c +index fe3ae78..f183248 100644 +--- a/server/red_parse_qxl.c ++++ b/server/red_parse_qxl.c +@@ -37,6 +37,13 @@ + + G_STATIC_ASSERT(MAX_DATA_CHUNK <= G_MAXINT32); + ++/* Limit number of chunks. ++ * The guest can attempt to make host allocate too much memory ++ * just with a large number of small chunks. ++ * Prevent that the chunk list take more memory than the data itself. ++ */ ++#define MAX_CHUNKS (MAX_DATA_CHUNK/1024u) ++ + #if 0 + static void hexdump_qxl(RedMemSlotInfo *slots, int group_id, + QXLPHYSICAL addr, uint8_t bytes) +@@ -100,9 +107,11 @@ static size_t red_get_data_chunks_ptr(RedMemSlotInfo *slots, int group_id, + RedDataChunk *red, QXLDataChunk *qxl) + { + RedDataChunk *red_prev; +- size_t data_size = 0; ++ uint64_t data_size = 0; ++ uint32_t chunk_data_size; + int error; + QXLPHYSICAL next_chunk; ++ unsigned num_chunks = 0; + + red->data_size = qxl->data_size; + data_size += red->data_size; +@@ -114,19 +123,43 @@ static size_t red_get_data_chunks_ptr(RedMemSlotInfo *slots, int group_id, + } + + while ((next_chunk = qxl->next_chunk) != 0) { ++ /* somebody is trying to use too much memory using a lot of chunks. ++ * Or made a circular list of chunks ++ */ ++ if (++num_chunks >= MAX_CHUNKS) { ++ spice_warning("data split in too many chunks, avoiding DoS\n"); ++ goto error; ++ } ++ ++ memslot_id = get_memslot_id(slots, next_chunk); ++ qxl = (QXLDataChunk *)get_virt(slots, next_chunk, sizeof(*qxl), ++ group_id, &error); ++ if (error) ++ goto error; ++ ++ /* do not waste space for empty chunks. ++ * This could be just a driver issue or an attempt ++ * to allocate too much memory or a circular list. ++ * All above cases are handled by the check for number ++ * of chunks. ++ */ ++ chunk_data_size = qxl->data_size; ++ if (chunk_data_size == 0) ++ continue; ++ + red_prev = red; + red = spice_new0(RedDataChunk, 1); ++ red->data_size = chunk_data_size; + red->prev_chunk = red_prev; ++ red->data = qxl->data; + red_prev->next_chunk = red; + +- memslot_id = get_memslot_id(slots, next_chunk); +- qxl = (QXLDataChunk *)get_virt(slots, next_chunk, sizeof(*qxl), group_id, +- &error); +- if (error) ++ data_size += chunk_data_size; ++ /* this can happen if client is sending nested chunks */ ++ if (data_size > MAX_DATA_CHUNK) { ++ spice_warning("too much data inside chunks, avoiding DoS\n"); + goto error; +- red->data_size = qxl->data_size; +- data_size += red->data_size; +- red->data = qxl->data; ++ } + if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) + goto error; + } +-- +2.4.3 + diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0053-Fix-some-possible-overflows-in-red_get_string-for-32.patch spice-0.12.4/debian/patches/CVE-2015-526x/0053-Fix-some-possible-overflows-in-red_get_string-for-32.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0053-Fix-some-possible-overflows-in-red_get_string-for-32.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0053-Fix-some-possible-overflows-in-red_get_string-for-32.patch 2015-10-01 11:40:34.000000000 +0000 @@ -0,0 +1,38 @@ +From 8f60fc6ec611aa6ad6fa31f3dfc8027462dbb442 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 8 Sep 2015 13:06:03 +0100 +Subject: [PATCH 53/57] Fix some possible overflows in red_get_string for 32 + bit + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +--- + server/red_parse_qxl.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +Index: spice-0.12.4/server/red_parse_qxl.c +=================================================================== +--- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:40:32.938963411 -0400 ++++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:40:32.938963411 -0400 +@@ -895,6 +895,11 @@ + glyphs++; + glyph_size = start->height * ((start->width * bpp + 7u) / 8u); + red_size += sizeof(SpiceRasterGlyph *) + SPICE_ALIGN(sizeof(SpiceRasterGlyph) + glyph_size, 4); ++ /* do the test correctly, we know end - start->data[0] cannot ++ * overflow, don't use start->data[glyph_size] to test for ++ * buffer overflow as this on 32 bit can cause overflow ++ * on the pointer arithmetic */ ++ spice_assert(glyph_size <= (char*) end - (char*) &start->data[0]); + start = (QXLRasterGlyph*)(&start->data[glyph_size]); + } + spice_assert(start <= end); +@@ -915,7 +920,8 @@ + red_get_point_ptr(&glyph->render_pos, &start->render_pos); + red_get_point_ptr(&glyph->glyph_origin, &start->glyph_origin); + glyph_size = glyph->height * ((glyph->width * bpp + 7u) / 8u); +- spice_assert((QXLRasterGlyph*)(&start->data[glyph_size]) <= end); ++ /* see above for similar test */ ++ spice_assert(glyph_size <= (char*) end - (char*) &start->data[0]); + memcpy(glyph->data, start->data, glyph_size); + start = (QXLRasterGlyph*)(&start->data[glyph_size]); + glyph = (SpiceRasterGlyph*) diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0054-Make-sure-we-can-read-QXLPathSeg-structures.patch spice-0.12.4/debian/patches/CVE-2015-526x/0054-Make-sure-we-can-read-QXLPathSeg-structures.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0054-Make-sure-we-can-read-QXLPathSeg-structures.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0054-Make-sure-we-can-read-QXLPathSeg-structures.patch 2015-10-01 11:37:20.000000000 +0000 @@ -0,0 +1,40 @@ +From 289301f33c7da81fcb034448d96e8c276b4fc06a Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 15 Sep 2015 16:25:17 +0100 +Subject: [PATCH 54/57] Make sure we can read QXLPathSeg structures + +start pointer points to a QXLPathSeg structure. +Before reading from the structure, make sure the structure is contained +in the memory range checked. + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +--- + server/red_parse_qxl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c +index 668ce10..4663bfd 100644 +--- a/server/red_parse_qxl.c ++++ b/server/red_parse_qxl.c +@@ -256,7 +256,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id, + + start = (QXLPathSeg*)data; + end = (QXLPathSeg*)(data + size); +- while (start < end) { ++ while (start+1 < end) { + n_segments++; + count = start->count; + segment_size = sizeof(SpicePathSeg) + count * sizeof(SpicePointFix); +@@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id, + seg = (SpicePathSeg*)&red->segments[n_segments]; + n_segments = 0; + mem_size2 = sizeof(*red); +- while (start < end) { ++ while (start+1 < end) { + red->segments[n_segments++] = seg; + count = start->count; + +-- +2.4.3 + diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0055-Avoid-race-condition-copying-segments-in-red_get_pat.patch spice-0.12.4/debian/patches/CVE-2015-526x/0055-Avoid-race-condition-copying-segments-in-red_get_pat.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0055-Avoid-race-condition-copying-segments-in-red_get_pat.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0055-Avoid-race-condition-copying-segments-in-red_get_pat.patch 2015-10-01 11:37:20.000000000 +0000 @@ -0,0 +1,31 @@ +From 14f53eef04c38a3c537a1a1012c2f7101a298194 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 15 Sep 2015 16:38:23 +0100 +Subject: [PATCH 55/57] Avoid race condition copying segments in red_get_path + +The guest can attempt to increase the number of segments while +spice-server is reading them. +Make sure we don't copy more then the allocated segments. + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +--- + server/red_parse_qxl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c +index 4663bfd..c1df8e8 100644 +--- a/server/red_parse_qxl.c ++++ b/server/red_parse_qxl.c +@@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id, + seg = (SpicePathSeg*)&red->segments[n_segments]; + n_segments = 0; + mem_size2 = sizeof(*red); +- while (start+1 < end) { ++ while (start+1 < end && n_segments < red->num_segments) { + red->segments[n_segments++] = seg; + count = start->count; + +-- +2.4.3 + diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0056-Prevent-data_size-to-be-set-independently-from-data.patch spice-0.12.4/debian/patches/CVE-2015-526x/0056-Prevent-data_size-to-be-set-independently-from-data.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0056-Prevent-data_size-to-be-set-independently-from-data.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0056-Prevent-data_size-to-be-set-independently-from-data.patch 2015-10-01 11:40:15.000000000 +0000 @@ -0,0 +1,26 @@ +From c2cdd1daf8edceec8adbb456dca656efe3648eec Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Thu, 17 Sep 2015 14:28:36 +0100 +Subject: [PATCH 56/57] Prevent data_size to be set independently from data + +There was not check for data_size field so one could set data to +a small set of data and data_size much bigger than size of data +leading to buffer overflow. + +Signed-off-by: Frediano Ziglio +--- + server/red_parse_qxl.c | 1 + + 1 file changed, 1 insertion(+) + +Index: spice-0.12.4/server/red_parse_qxl.c +=================================================================== +--- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:40:11.763133969 -0400 ++++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:40:11.759134001 -0400 +@@ -1391,6 +1391,7 @@ + size = red_get_data_chunks_ptr(slots, group_id, + get_memslot_id(slots, addr), + &chunks, &qxl->chunk); ++ red->data_size = MIN(red->data_size, size); + data = red_linearize_chunk(&chunks, size, &free_data); + red_put_data_chunks(&chunks); + if (free_data) { diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0057-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch spice-0.12.4/debian/patches/CVE-2015-526x/0057-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0057-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0057-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch 2015-10-01 11:37:20.000000000 +0000 @@ -0,0 +1,34 @@ +From 5580cac5502cd518adad0a3682fd53aeeaf86a86 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Thu, 17 Sep 2015 15:01:05 +0100 +Subject: [PATCH 57/57] Prevent leak if size from red_get_data_chunks don't + match in red_get_image + +Signed-off-by: Frediano Ziglio +--- + server/red_parse_qxl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c +index 8e3dd55..bd0c408 100644 +--- a/server/red_parse_qxl.c ++++ b/server/red_parse_qxl.c +@@ -530,6 +530,7 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id, + &chunks, qxl->bitmap.data); + spice_assert(size == bitmap_size); + if (size != bitmap_size) { ++ red_put_data_chunks(&chunks); + goto error; + } + red->u.bitmap.data = red_get_image_data_chunked(slots, group_id, +@@ -550,6 +551,7 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id, + &chunks, (QXLDataChunk *)qxl->quic.data); + spice_assert(size == red->u.quic.data_size); + if (size != red->u.quic.data_size) { ++ red_put_data_chunks(&chunks); + goto error; + } + red->u.quic.data = red_get_image_data_chunked(slots, group_id, +-- +2.4.3 + diff -Nru spice-0.12.4/debian/patches/series spice-0.12.4/debian/patches/series --- spice-0.12.4/debian/patches/series 2015-09-08 12:03:21.000000000 +0000 +++ spice-0.12.4/debian/patches/series 2015-10-01 11:37:20.000000000 +0000 @@ -4,3 +4,20 @@ enable_subdir-objects.patch fix-buffer-overflow-when-decrypting-client-spice-ticket.patch CVE-2015-3247.patch +CVE-2015-526x/0041-Define-a-constant-to-limit-data-from-guest.patch +CVE-2015-526x/0042-Fix-some-integer-overflow-causing-large-memory-alloc.patch +CVE-2015-526x/0043-Check-properly-surface-to-be-created.patch +CVE-2015-526x/0044-Fix-buffer-reading-overflow.patch +CVE-2015-526x/0045-Prevent-32-bit-integer-overflow-in-bitmap_consistent.patch +CVE-2015-526x/0046-Fix-race-condition-on-red_get_clip_rects.patch +CVE-2015-526x/0047-Fix-race-in-red_get_image.patch +CVE-2015-526x/0048-Fix-race-condition-in-red_get_string.patch +CVE-2015-526x/0049-Fix-integer-overflow-computing-glyph_size-in-red_get.patch +CVE-2015-526x/0050-Fix-race-condition-in-red_get_data_chunks_ptr.patch +CVE-2015-526x/0051-Prevent-memory-leak-if-red_get_data_chunks_ptr-fails.patch +CVE-2015-526x/0052-Prevent-DoS-from-guest-trying-to-allocate-too-much-d.patch +CVE-2015-526x/0053-Fix-some-possible-overflows-in-red_get_string-for-32.patch +CVE-2015-526x/0054-Make-sure-we-can-read-QXLPathSeg-structures.patch +CVE-2015-526x/0055-Avoid-race-condition-copying-segments-in-red_get_pat.patch +CVE-2015-526x/0056-Prevent-data_size-to-be-set-independently-from-data.patch +CVE-2015-526x/0057-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch