diff -Nru spice-0.12.4/debian/changelog spice-0.12.4/debian/changelog --- spice-0.12.4/debian/changelog 2015-10-07 03:09:26.000000000 +0000 +++ spice-0.12.4/debian/changelog 2016-06-22 03:11:54.000000000 +0000 @@ -1,8 +1,27 @@ -spice (0.12.4-0nocelt2ubuntu1.2~cloud0) precise-icehouse; urgency=medium +spice (0.12.4-0nocelt2ubuntu1.3~cloud0) precise-icehouse; urgency=medium * New update for the Ubuntu Cloud Archive. - -- Openstack Ubuntu Testing Bot Wed, 07 Oct 2015 03:09:26 +0000 + -- Openstack Ubuntu Testing Bot Wed, 22 Jun 2016 03:11:54 +0000 + +spice (0.12.4-0nocelt2ubuntu1.3) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service and possible code execution via + memory allocation flaw in smartcard interaction + - debian/patches/CVE-2016-0749/*.patch: add a ref to item and allocate + msg with the expected size in server/smartcard.c. + - CVE-2016-0749 + * SECURITY UPDATE: host memory access from guest with invalid primary + surface parameters + - debian/patches/CVE-2016-2150/*.patch: create a function to validate + surface parameters in server/red_parse_qxl.*, improve primary surface + parameter checks in server/red_worker.c. + - CVE-2016-2150 + * Added two extra commits to previous security update: + - 0001-worker-validate-correctly-surfaces.patch + - 0002-worker-avoid-double-free-or-double-create-of-surface.patch + + -- Marc Deslauriers Fri, 10 Jun 2016 10:58:27 -0400 spice (0.12.4-0nocelt2ubuntu1.2) trusty-security; urgency=medium diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0001-worker-validate-correctly-surfaces.patch spice-0.12.4/debian/patches/CVE-2015-526x/0001-worker-validate-correctly-surfaces.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0001-worker-validate-correctly-surfaces.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0001-worker-validate-correctly-surfaces.patch 2016-06-10 14:57:35.000000000 +0000 
@@ -0,0 +1,119 @@ +From dd558bb833254fb49069eca052b92ae1abe3e8ff Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Wed, 9 Sep 2015 12:42:09 +0100 +Subject: [PATCH 01/19] worker: validate correctly surfaces + +Do not just give warning and continue to use an invalid index into +an array. + +Resolves: CVE-2015-5260 + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau +--- + server/red_worker.c | 33 ++++++++++++++++++--------------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +Index: spice-0.12.4/server/red_worker.c +=================================================================== +--- spice-0.12.4.orig/server/red_worker.c 2016-06-10 10:57:33.397138268 -0400 ++++ spice-0.12.4/server/red_worker.c 2016-06-10 10:57:33.393138221 -0400 +@@ -1058,6 +1058,7 @@ + SpiceRect lossy_rect; + } BitmapData; + ++static inline int validate_surface(RedWorker *worker, uint32_t surface_id); + static void red_draw_qxl_drawable(RedWorker *worker, Drawable *drawable); + static void red_current_flush(RedWorker *worker, int surface_id); + #ifdef DRAW_ALL +@@ -1273,14 +1274,12 @@ + return FALSE; + } + +-static inline void __validate_surface(RedWorker *worker, uint32_t surface_id) +-{ +- spice_warn_if(surface_id >= worker->n_surfaces); +-} +- + static inline int validate_surface(RedWorker *worker, uint32_t surface_id) + { +- spice_warn_if(surface_id >= worker->n_surfaces); ++ if SPICE_UNLIKELY(surface_id >= worker->n_surfaces) { ++ spice_warning("invalid surface_id %u", surface_id); ++ return 0; ++ } + if (!worker->surfaces[surface_id].context.canvas) { + spice_warning("canvas address is %p for %d (and is NULL)\n", + &(worker->surfaces[surface_id].context.canvas), surface_id); +@@ -4266,12 +4265,14 @@ + static inline void red_process_surface(RedWorker *worker, RedSurfaceCmd *surface, + uint32_t group_id, int loadvm) + { +- int surface_id; ++ uint32_t surface_id; + RedSurface *red_surface; + uint8_t *data; + + surface_id = surface->surface_id; +- 
__validate_surface(worker, surface_id); ++ if SPICE_UNLIKELY(surface_id >= worker->n_surfaces) { ++ goto exit; ++ } + + red_surface = &worker->surfaces[surface_id]; + +@@ -4307,6 +4308,7 @@ + default: + spice_error("unknown surface command"); + }; ++exit: + red_put_surface_cmd(surface); + free(surface); + } +@@ -11150,7 +11152,7 @@ + { + RedWorker *worker = opaque; + RedWorkerMessageUpdate *msg = payload; +- SpiceRect *rect = spice_new0(SpiceRect, 1); ++ SpiceRect *rect; + RedSurface *surface; + uint32_t surface_id = msg->surface_id; + const QXLRect *qxl_area = msg->qxl_area; +@@ -11158,17 +11160,16 @@ + QXLRect *qxl_dirty_rects = msg->qxl_dirty_rects; + uint32_t clear_dirty_region = msg->clear_dirty_region; + ++ VALIDATE_SURFACE_RET(worker, surface_id); ++ ++ rect = spice_new0(SpiceRect, 1); + surface = &worker->surfaces[surface_id]; + red_get_rect_ptr(rect, qxl_area); + flush_display_commands(worker); + + spice_assert(worker->running); + +- if (validate_surface(worker, surface_id)) { +- red_update_area(worker, rect, surface_id); +- } else { +- rendering_incorrect(__func__); +- } ++ red_update_area(worker, rect, surface_id); + free(rect); + + surface_dirty_region_to_rects(surface, qxl_dirty_rects, num_dirty_rects, +@@ -11207,6 +11208,7 @@ + * surface_id == 0, maybe move the assert upward and merge the two functions? 
*/ + static inline void destroy_surface_wait(RedWorker *worker, int surface_id) + { ++ VALIDATE_SURFACE_RET(worker, surface_id); + if (!worker->surfaces[surface_id].context.canvas) { + return; + } +@@ -11458,6 +11460,7 @@ + + static void dev_destroy_primary_surface(RedWorker *worker, uint32_t surface_id) + { ++ VALIDATE_SURFACE_RET(worker, surface_id); + spice_warn_if(surface_id != 0); + + spice_debug(NULL); diff -Nru spice-0.12.4/debian/patches/CVE-2015-526x/0002-worker-avoid-double-free-or-double-create-of-surface.patch spice-0.12.4/debian/patches/CVE-2015-526x/0002-worker-avoid-double-free-or-double-create-of-surface.patch --- spice-0.12.4/debian/patches/CVE-2015-526x/0002-worker-avoid-double-free-or-double-create-of-surface.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2015-526x/0002-worker-avoid-double-free-or-double-create-of-surface.patch 2016-06-10 14:57:40.000000000 +0000 
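Review bot: In red_process_surface the new out-of-range branch, `if SPICE_UNLIKELY(surface_id >= worker->n_surfaces) { goto exit; }`, drops the command silently, while the same condition in validate_surface now logs `spice_warning("invalid surface_id %u", surface_id)`; a guest driver sending bad ids on this path therefore leaves no trace in the server log. Adding `spice_warning("invalid surface_id %u", surface_id);` before the `goto exit;` keeps the two checks consistent and gives operators something to correlate. The hunk also relies on a `VALIDATE_SURFACE_RET` macro that this patch does not define — presumably it already exists in 0.12.4's red_worker.c and calls rendering_incorrect() before returning, which would explain why the else branch in handle_dev_update could be dropped; worth confirming when the backport is applied. red_process_surface, handle_dev_update and destroy_surface_wait all begin or end outside the hunk.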
@@ -0,0 +1,43 @@ +From 097c638b121e595d9daf79285c447088027a58e2 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Wed, 9 Sep 2015 12:45:06 +0100 +Subject: [PATCH 02/19] worker: avoid double free or double create of surfaces + +A driver can overwrite surface state creating a surface with the same +id of a previous one. +Also can try to destroy surfaces that are not created. +Both requests cause invalid internal states that could lead to crashes +or memory corruptions. + +Signed-off-by: Frediano Ziglio +--- + server/red_worker.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +Index: spice-0.12.4/server/red_worker.c +=================================================================== +--- spice-0.12.4.orig/server/red_worker.c 2016-06-10 10:57:38.737200747 -0400 ++++ spice-0.12.4/server/red_worker.c 2016-06-10 10:57:38.733200700 -0400 +@@ -4282,6 +4282,10 @@ + int32_t stride = surface->u.surface_create.stride; + int reloaded_surface = loadvm || (surface->flags & QXL_SURF_FLAG_KEEP_DATA); + ++ if (red_surface->refs) { ++ spice_warning("avoiding creating a surface twice"); ++ break; ++ } + data = surface->u.surface_create.data; + if (stride < 0) { + data -= (int32_t)(stride * (height - 1)); +@@ -4295,7 +4299,10 @@ + break; + } + case QXL_SURFACE_CMD_DESTROY: +- spice_warn_if(!red_surface->context.canvas); ++ if (!red_surface->refs) { ++ spice_warning("avoiding destroying a surface twice"); ++ break; ++ } + set_surface_release_info(worker, surface_id, 0, surface->release_info, group_id); + red_handle_depends_on_target_surface(worker, surface_id); + /* note that red_handle_depends_on_target_surface must be called before red_current_clear. 
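Review bot: Both new guards in red_process_surface, `spice_warning("avoiding creating a surface twice")` and `spice_warning("avoiding destroying a surface twice")`, log without the surface id, so repeated attempts from a guest cannot be tied to a particular surface from the log alone; `spice_warning("avoiding creating a surface twice (surface_id %u)", surface_id);` and the matching destroy message would make the events actionable (`%u` matches the uint32_t surface_id the preceding patch in this series introduces). The `break` in the create case also leaves the command's release_info unattached to any surface, so whether the guest ever has that command released back depends on code outside the hunk — a one-line comment stating that this is intended would help. Both guards assume `refs` is reset to zero when a surface is actually torn down, which is not visible here. red_process_surface starts and ends outside the hunk.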
diff -Nru spice-0.12.4/debian/patches/CVE-2016-0749/0001-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch spice-0.12.4/debian/patches/CVE-2016-0749/0001-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch --- spice-0.12.4/debian/patches/CVE-2016-0749/0001-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2016-0749/0001-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch 2016-05-29 06:26:05.000000000 +0000 
@@ -0,0 +1,89 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Marc-Andre Lureau +Date: Thu, 17 Dec 2015 18:13:47 +0100 +Subject: [PATCH] smartcard: add a ref to item before adding to pipe + +There is an unref when the message is sent. + +==17204== ERROR: AddressSanitizer: heap-use-after-free on address 0x6008000144a8 at pc 0x7fffee0ce245 bp 0x7fffffffc630 sp 0x7fffffffc620 +READ of size 4 at 0x6008000144a8 thread T0 + #0 0x7fffee0ce244 in smartcard_unref_vsc_msg_item /home/elmarco/src/spice/spice/server/smartcard.c:608 + #1 0x7fffee0cb451 in smartcard_unref_msg_to_client /home/elmarco/src/spice/spice/server/smartcard.c:178 + #2 0x7fffedfcdf14 in spice_char_device_read_from_device /home/elmarco/src/spice/spice/server/char-device.c:330 + #3 0x7fffedfd1763 in spice_char_device_wakeup /home/elmarco/src/spice/spice/server/char-device.c:901 + #4 0x7fffee05da98 in spice_server_char_device_wakeup /home/elmarco/src/spice/spice/server/reds.c:2990 + #5 0x55555593fa34 in spice_chr_write /home/elmarco/src/qemu/spice-qemu-char.c:189 + #6 0x5555559375f1 in qemu_chr_fe_write /home/elmarco/src/qemu/qemu-char.c:220 + #7 0x555555b3b682 in ccid_card_vscard_send_msg.isra.2 /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:76 + #8 0x555555b3c466 in ccid_card_vscard_send_error /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:91 + #9 0x555555b3c466 in ccid_card_vscard_handle_message /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:242 + #10 0x555555b3c466 in ccid_card_vscard_read /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:289 + #11 0x55555593f169 in vmc_write /home/elmarco/src/qemu/spice-qemu-char.c:41 + #12 0x7fffedfcee6d in spice_char_device_write_to_device /home/elmarco/src/spice/spice/server/char-device.c:477 + #13 0x7fffedfcfd31 in spice_char_device_write_buffer_add /home/elmarco/src/spice/spice/server/char-device.c:629 + #14 0x7fffee0ce9df in smartcard_channel_write_to_reader /home/elmarco/src/spice/spice/server/smartcard.c:675 + #15 
0x7fffee0cc7db in smartcard_char_device_notify_reader_add /home/elmarco/src/spice/spice/server/smartcard.c:341 + #16 0x7fffee0ce4f3 in smartcard_add_reader /home/elmarco/src/spice/spice/server/smartcard.c:648 + #17 0x7fffee0cf2e2 in smartcard_channel_handle_message /home/elmarco/src/spice/spice/server/smartcard.c:763 + #18 0x7fffedffe21f in red_peer_handle_incoming /home/elmarco/src/spice/spice/server/red-channel.c:307 + #19 0x7fffedffe4f6 in red_channel_client_receive /home/elmarco/src/spice/spice/server/red-channel.c:325 + #20 0x7fffee00726c in red_channel_client_event /home/elmarco/src/spice/spice/server/red-channel.c:1566 + #21 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143 + #22 0x555555c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504 + #23 0x5555556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818 + #24 0x5555556f160c in main /home/elmarco/src/qemu/vl.c:4394 + #25 0x7fffed7d0b14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274 + #26 0x5555556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20) +0x6008000144a8 is located 24 bytes inside of 40-byte region [0x600800014490,0x6008000144b8) +freed by thread T0 here: + #0 0x7ffff4e61009 in __interceptor_free /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:61 + #1 0x7fffee0ce2a1 in smartcard_unref_vsc_msg_item /home/elmarco/src/spice/spice/server/smartcard.c:610 + #2 0x7fffee0cdd58 in smartcard_channel_release_pipe_item /home/elmarco/src/spice/spice/server/smartcard.c:548 + #3 0x7fffee000668 in red_channel_client_release_item /home/elmarco/src/spice/spice/server/red-channel.c:602 + #4 0x7fffee0006ef in red_channel_client_release_sent_item /home/elmarco/src/spice/spice/server/red-channel.c:609 + #5 0x7fffee0007b5 in red_channel_peer_on_out_msg_done /home/elmarco/src/spice/spice/server/red-channel.c:620 + #6 
0x7fffedffed7e in red_peer_handle_outgoing /home/elmarco/src/spice/spice/server/red-channel.c:385 + #7 0x7fffee0057bb in red_channel_client_send /home/elmarco/src/spice/spice/server/red-channel.c:1294 + #8 0x7fffee0076e6 in red_channel_client_begin_send_message /home/elmarco/src/spice/spice/server/red-channel.c:1605 + #9 0x7fffee0cdccd in smartcard_channel_send_item /home/elmarco/src/spice/spice/server/smartcard.c:541 + #10 0x7fffee000570 in red_channel_client_send_item /home/elmarco/src/spice/spice/server/red-channel.c:588 + #11 0x7fffee005bfb in red_channel_client_push /home/elmarco/src/spice/spice/server/red-channel.c:1347 + #12 0x7fffee007ef7 in red_channel_client_pipe_add_push /home/elmarco/src/spice/spice/server/red-channel.c:1673 + #13 0x7fffee0cde4d in smartcard_channel_client_pipe_add_push /home/elmarco/src/spice/spice/server/smartcard.c:571 + #14 0x7fffee0cb567 in smartcard_send_msg_to_client /home/elmarco/src/spice/spice/server/smartcard.c:187 + #15 0x7fffedfcdba2 in spice_char_device_send_msg_to_clients /home/elmarco/src/spice/spice/server/char-device.c:282 + #16 0x7fffedfcdea4 in spice_char_device_read_from_device /home/elmarco/src/spice/spice/server/char-device.c:329 + #17 0x7fffedfd1763 in spice_char_device_wakeup /home/elmarco/src/spice/spice/server/char-device.c:901 + #18 0x7fffee05da98 in spice_server_char_device_wakeup /home/elmarco/src/spice/spice/server/reds.c:2990 + #19 0x55555593fa34 in spice_chr_write /home/elmarco/src/qemu/spice-qemu-char.c:189 + +Signed-off-by: Marc-Andre Lureau +--- + server/smartcard.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/server/smartcard.c b/server/smartcard.c +index aad22aa..8d529fe 100644 +--- a/server/smartcard.c ++++ b/server/smartcard.c +@@ -172,14 +172,17 @@ static void smartcard_unref_msg_to_client(SpiceCharDeviceMsgToClient *msg, + smartcard_unref_vsc_msg_item((MsgItem *)msg); + } + +-static void smartcard_send_msg_to_client(SpiceCharDeviceMsgToClient *msg, ++static 
void smartcard_send_msg_to_client(SpiceCharDeviceMsgToClient *message, + RedClient *client, + void *opaque) + { + SmartCardDeviceState *dev = opaque; +- spice_assert(dev->scc && dev->scc->base.client == client); +- smartcard_channel_client_pipe_add_push(&dev->scc->base, &((MsgItem *)msg)->base); ++ MsgItem *msg = (MsgItem *)message; ++ PipeItem *item = &msg->base; + ++ spice_assert(dev->scc && dev->scc->base.client == client); ++ smartcard_ref_vsc_msg_item(msg); ++ smartcard_channel_client_pipe_add_push(&dev->scc->base, item); + } + + static void smartcard_send_tokens_to_client(RedClient *client, uint32_t tokens, void *opaque) diff -Nru spice-0.12.4/debian/patches/CVE-2016-0749/0002-smartcard-allocate-msg-with-the-expected-size.patch spice-0.12.4/debian/patches/CVE-2016-0749/0002-smartcard-allocate-msg-with-the-expected-size.patch --- spice-0.12.4/debian/patches/CVE-2016-0749/0002-smartcard-allocate-msg-with-the-expected-size.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2016-0749/0002-smartcard-allocate-msg-with-the-expected-size.patch 2016-05-29 06:26:05.000000000 +0000 
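Review bot: The new `smartcard_ref_vsc_msg_item(msg);` in smartcard_send_msg_to_client fixes the use-after-free, but nothing in the hunk records who owns the two references, which is exactly what the next maintainer needs to avoid reintroducing the bug; a comment such as `/* the pipe takes its own ref, dropped in smartcard_channel_release_pipe_item; the caller's ref is dropped by smartcard_unref_msg_to_client */` would document the contract the ASan trace above demonstrates. The patch header carries an all-zero `From` hash, so the upstream commit cannot be traced from the package; recording the upstream commit id (or a DEP-3 `Origin:` line) would help future backports. The enclosing function is fully contained in the hunk.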
@@ -0,0 +1,61 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Marc-Andre Lureau +Date: Thu, 17 Dec 2015 18:16:22 +0100 +Subject: [PATCH] smartcard: allocate msg with the expected size + +==529== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040009c098 at pc 0x7fffee0eda6d bp 0x7fffffffcd00 sp 0x7fffffffccf0 +WRITE of size 4 at 0x60040009c098 thread T0 + #0 0x7fffee0eda6c in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334 + #1 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642 + #2 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757 + #3 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304 + #4 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322 + #5 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561 + #6 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143 + #7 0x555555c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504 + #8 0x5555556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818 + #9 0x5555556f160c in main /home/elmarco/src/qemu/vl.c:4394 + #10 0x7fffed80eb14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274 + #11 0x5555556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20) +0x60040009c098 is located 0 bytes to the right of 8-byte region [0x60040009c090,0x60040009c098) +allocated by thread T0 here: + #0 0x7ffff4e612be in __interceptor_realloc /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:92 + #1 0x7fffee121308 in spice_realloc /home/elmarco/pkg/spice/spice-0.12.4/spice-common/common/mem.c:123 + #2 
0x7fffee004a48 in __spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:516 + #3 0x7fffee004e87 in spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:557 + #4 0x7fffee0ed8b9 in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:325 + #5 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642 + #6 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757 + #7 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304 + #8 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322 + #9 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561 + #10 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143 +SUMMARY: AddressSanitizer: heap-buffer-overflow /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334 smartcard_char_device_notify_reader_add + +Signed-off-by: Marc-Andre Lureau +--- + server/smartcard.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/server/smartcard.c b/server/smartcard.c +index 8d529fe..3043ad1 100644 +--- a/server/smartcard.c ++++ b/server/smartcard.c +@@ -325,7 +325,7 @@ static void smartcard_char_device_notify_reader_add(SmartCardDeviceState *st) + SpiceCharDeviceWriteBuffer *write_buf; + VSCMsgHeader *vheader; + +- write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(vheader)); ++ write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(*vheader)); + if (!write_buf) { + spice_error("failed to allocate write buffer"); + return; +@@ -372,7 +372,7 @@ static void smartcard_char_device_notify_reader_remove(SmartCardDeviceState *st) + spice_debug("reader add was never sent to the device"); + 
return; + } +- write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(vheader)); ++ write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(*vheader)); + if (!write_buf) { + spice_error("failed to allocate write buffer"); + return; diff -Nru spice-0.12.4/debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch spice-0.12.4/debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch --- spice-0.12.4/debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch 2016-06-10 14:58:20.000000000 +0000 
@@ -0,0 +1,121 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Mon, 29 Feb 2016 14:24:03 +0000 +Subject: [PATCH] create a function to validate surface parameters + +Make possible to reuse it outside red-parse-qxl.c + +Signed-off-by: Frediano Ziglio +--- + server/red_parse_qxl.c | 50 ++++++++++++++++++++++++++++++++------------------ + server/red_parse_qxl.h | 5 +++++ + 2 files changed, 37 insertions(+), 18 deletions(-) + +Index: spice-0.12.4/server/red_parse_qxl.c +=================================================================== +--- spice-0.12.4.orig/server/red_parse_qxl.c 2016-06-10 10:58:19.481677377 -0400 ++++ spice-0.12.4/server/red_parse_qxl.c 2016-06-10 10:58:19.477677331 -0400 +@@ -19,7 +19,6 @@ + #include + #endif + +-#include + #include + #include + #include "common/lz_common.h" +@@ -1306,13 +1305,41 @@ + return 0; + } + ++bool red_validate_surface(uint32_t width, uint32_t height, ++ int32_t stride, uint32_t format) ++{ ++ unsigned int bpp; ++ uint64_t size; ++ ++ bpp = surface_format_to_bpp(format); ++ ++ /* check if format is valid */ ++ if (!bpp) { ++ return false; ++ } ++ ++ /* check stride is larger than required bytes */ ++ size = ((uint64_t) width * bpp + 7u) / 8u; ++ /* the uint32_t conversion is here to avoid problems with -2^31 value */ ++ if (stride == G_MININT32 || size > (uint32_t) abs(stride)) { ++ return false; ++ } ++ ++ /* the multiplication can overflow, also abs(-2^31) may return a negative value */ ++ size = (uint64_t) height * abs(stride); ++ if (size > MAX_DATA_CHUNK) { ++ return false; ++ } ++ ++ return true; ++} ++ + int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id, + RedSurfaceCmd *red, QXLPHYSICAL addr) + { + QXLSurfaceCmd *qxl; + uint64_t size; + int error; +- unsigned int bpp; + + qxl = (QXLSurfaceCmd *)get_virt(slots, addr, sizeof(*qxl), group_id, + &error); +@@ -1331,26 +1358,13 @@ + red->u.surface_create.width = qxl->u.surface_create.width; + 
red->u.surface_create.height = qxl->u.surface_create.height; + red->u.surface_create.stride = qxl->u.surface_create.stride; +- bpp = surface_format_to_bpp(red->u.surface_create.format); + +- /* check if format is valid */ +- if (!bpp) { ++ if (!red_validate_surface(red->u.surface_create.width, red->u.surface_create.height, ++ red->u.surface_create.stride, red->u.surface_create.format)) { + return 1; + } + +- /* check stride is larger than required bytes */ +- size = ((uint64_t) red->u.surface_create.width * bpp + 7u) / 8u; +- /* the uint32_t conversion is here to avoid problems with -2^31 value */ +- if (red->u.surface_create.stride == G_MININT32 +- || size > (uint32_t) abs(red->u.surface_create.stride)) { +- return 1; +- } +- +- /* the multiplication can overflow, also abs(-2^31) may return a negative value */ +- size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride); +- if (size > MAX_DATA_CHUNK) { +- return 1; +- } ++ size = red->u.surface_create.height * abs(red->u.surface_create.stride); + red->u.surface_create.data = + (uint8_t*)get_virt(slots, qxl->u.surface_create.data, size, group_id, &error); + if (error) { +Index: spice-0.12.4/server/red_parse_qxl.h +=================================================================== +--- spice-0.12.4.orig/server/red_parse_qxl.h 2016-06-10 10:58:19.481677377 -0400 ++++ spice-0.12.4/server/red_parse_qxl.h 2016-06-10 10:58:19.477677331 -0400 +@@ -19,6 +19,8 @@ + #ifndef RED_ABI_TRANSLATE_H + #define RED_ABI_TRANSLATE_H + ++#include ++ + #include + #include "red_common.h" + #include "red_memslots.h" +@@ -128,6 +130,9 @@ + RedMessage *red, QXLPHYSICAL addr); + void red_put_message(RedMessage *red); + ++bool red_validate_surface(uint32_t width, uint32_t height, ++ int32_t stride, uint32_t format); ++ + int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id, + RedSurfaceCmd *red, QXLPHYSICAL addr); + void red_put_surface_cmd(RedSurfaceCmd *red); diff -Nru 
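Review bot: The rewritten size computation in red_get_surface_cmd, `size = red->u.surface_create.height * abs(red->u.surface_create.stride);`, drops the `(uint64_t)` cast the removed lines had, so on the usual 32-bit-int targets the product is evaluated in 32-bit unsigned arithmetic and only stays correct because red_validate_surface has just bounded the 64-bit product by MAX_DATA_CHUNK; that coupling is invisible at the call site. Keeping the cast, `size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride);`, costs nothing and stays correct even if the validator's limit is later raised. The `#include` lines moved between red_parse_qxl.c and red_parse_qxl.h have lost their header names in this rendering (presumably the header providing `bool`), so the move should be checked against the actual patch file. red_get_surface_cmd begins before the hunk and continues past it.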
spice-0.12.4/debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch spice-0.12.4/debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch --- spice-0.12.4/debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.4/debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch 2016-06-10 14:58:23.000000000 +0000 @@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Mon, 29 Feb 2016 14:34:49 +0000 +Subject: [PATCH] improve primary surface parameter checks + +Primary surface, as additional surfaces, can be used to access +host memory from the guest using invalid parameters. + +Signed-off-by: Frediano Ziglio +--- + server/red_worker.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +Index: spice-0.12.4/server/red_worker.c +=================================================================== +--- spice-0.12.4.orig/server/red_worker.c 2016-06-10 10:58:22.081707787 -0400 ++++ spice-0.12.4/server/red_worker.c 2016-06-10 10:58:22.077707741 -0400 +@@ -11426,6 +11426,15 @@ + spice_warn_if(((uint64_t)abs(surface.stride) * (uint64_t)surface.height) != + abs(surface.stride) * surface.height); + ++ /* surface can arrive from guest unchecked so make sure ++ * guest is not a malicious one and drop invalid requests ++ */ ++ if (!red_validate_surface(surface.width, surface.height, ++ surface.stride, surface.format)) { ++ spice_warning("wrong primary surface creation request"); ++ return; ++ } ++ + line_0 = (uint8_t*)get_virt(&worker->mem_slots, surface.mem, + surface.height * abs(surface.stride), + surface.group_id, &error); diff -Nru spice-0.12.4/debian/patches/series spice-0.12.4/debian/patches/series --- spice-0.12.4/debian/patches/series 2015-10-01 11:37:20.000000000 +0000 +++ spice-0.12.4/debian/patches/series 2016-06-10 14:56:54.000000000 +0000 
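Review bot: The new rejection in dev_create_primary_surface logs only `spice_warning("wrong primary surface creation request");` although width, height, stride and format are all at hand; `spice_warning("wrong primary surface creation request (%ux%u stride %d format %u)", surface.width, surface.height, surface.stride, surface.format);` (specifiers matching the uint32_t/int32_t parameters red_validate_surface takes) would let an operator distinguish a buggy driver from a hostile guest. The check sits after the existing `spice_warn_if` overflow warning, so an invalid request still produces that warning first; placing the new block above it avoids the duplicate. After the early `return` the worker has no primary surface, which is safe only if later accesses to surface 0 go through validate_surface — that code is outside this hunk. dev_create_primary_surface starts and ends outside the hunk.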
@@ -4,6 +4,8 @@
 enable_subdir-objects.patch
 fix-buffer-overflow-when-decrypting-client-spice-ticket.patch
 CVE-2015-3247.patch
+CVE-2015-526x/0001-worker-validate-correctly-surfaces.patch
+CVE-2015-526x/0002-worker-avoid-double-free-or-double-create-of-surface.patch
 CVE-2015-526x/0041-Define-a-constant-to-limit-data-from-guest.patch
 CVE-2015-526x/0042-Fix-some-integer-overflow-causing-large-memory-alloc.patch
 CVE-2015-526x/0043-Check-properly-surface-to-be-created.patch
@@ -21,3 +23,7 @@
 CVE-2015-526x/0055-Avoid-race-condition-copying-segments-in-red_get_pat.patch
 CVE-2015-526x/0056-Prevent-data_size-to-be-set-independently-from-data.patch
 CVE-2015-526x/0057-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch
+CVE-2016-0749/0001-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
+CVE-2016-0749/0002-smartcard-allocate-msg-with-the-expected-size.patch
+CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch
+CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch