Control: tags 797976 + pending Dear maintainer,
I've prepared an NMU for spice (versioned as 0.12.5-1.2) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru spice-0.12.5/debian/changelog spice-0.12.5/debian/changelog
--- spice-0.12.5/debian/changelog 2015-08-14 09:29:46.000000000 +0200
+++ spice-0.12.5/debian/changelog 2015-09-05 05:52:55.000000000 +0200
@@ -1,3 +1,12 @@
+spice (0.12.5-1.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Add CVE-2015-3247.patch patch.
+ CVE-2015-3247: Memory corruption in worker_update_monitors_config().
+ (Closes: #797976)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 05 Sep 2015 05:51:01 +0200
+
 spice (0.12.5-1.1) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru spice-0.12.5/debian/patches/CVE-2015-3247.patch spice-0.12.5/debian/patches/CVE-2015-3247.patch
--- spice-0.12.5/debian/patches/CVE-2015-3247.patch 1970-01-01 01:00:00.000000000 +0100
+++ spice-0.12.5/debian/patches/CVE-2015-3247.patch 2015-09-05 05:52:55.000000000 +0200
@@ -0,0 +1,115 @@
+From 524eef10c6c6c2f3f30be28c56b8f96adc7901f0 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fzig...@redhat.com>
+Date: Tue, 9 Jun 2015 08:50:46 +0100
+Subject: [PATCH] Avoid race conditions reading monitor configs from guest
+
+For security reasons do not assume guest do not change structures it
+pass to Qemu.
+Guest could change count field while Qemu is copying QXLMonitorsConfig
+structure leading to heap corruption.
+This patch avoid it reading count only once.
+
+Signed-off-by: Frediano Ziglio <fzig...@redhat.com>
+---
+ server/red_worker.c | 46 ++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 32 insertions(+), 14 deletions(-)
+
+--- a/server/red_worker.c
++++ b/server/red_worker.c
+@@ -11051,7 +11051,8 @@ static inline void red_monitors_config_i
+ }
+
+ static void worker_update_monitors_config(RedWorker *worker,
+- QXLMonitorsConfig *dev_monitors_config)
++ QXLMonitorsConfig *dev_monitors_config,
++ uint16_t count, uint16_t max_allowed)
+ {
+ int heads_size;
+ MonitorsConfig *monitors_config;
+@@ -11060,22 +11061,22 @@ static void worker_update_monitors_confi
+ monitors_config_decref(worker->monitors_config);
+
+ spice_debug("monitors config %d(%d)",
+- dev_monitors_config->count,
+- dev_monitors_config->max_allowed);
+- for (i = 0; i < dev_monitors_config->count; i++) {
++ count,
++ max_allowed);
++ for (i = 0; i < count; i++) {
+ spice_debug("+%d+%d %dx%d",
+ dev_monitors_config->heads[i].x,
+ dev_monitors_config->heads[i].y,
+ dev_monitors_config->heads[i].width,
+ dev_monitors_config->heads[i].height);
+ }
+- heads_size = dev_monitors_config->count * sizeof(QXLHead);
++ heads_size = count * sizeof(QXLHead);
+ worker->monitors_config = monitors_config =
+ spice_malloc(sizeof(*monitors_config) + heads_size);
+ monitors_config->refs = 1;
+ monitors_config->worker = worker;
+- monitors_config->count = dev_monitors_config->count;
+- monitors_config->max_allowed = dev_monitors_config->max_allowed;
++ monitors_config->count = count;
++ monitors_config->max_allowed = max_allowed;
+ memcpy(monitors_config->heads, dev_monitors_config->heads, heads_size);
+ }
+
+@@ -11459,33 +11460,50 @@ void handle_dev_display_migrate(void *op
+ red_migrate_display(worker, rcc);
+ }
+
++static inline uint32_t qxl_monitors_config_size(uint32_t heads)
++{
++ return sizeof(QXLMonitorsConfig) + sizeof(QXLHead) * heads;
++}
++
+ static void handle_dev_monitors_config_async(void *opaque, void *payload)
+ {
+ RedWorkerMessageMonitorsConfigAsync *msg = payload;
+ RedWorker *worker = opaque;
+- int min_size = sizeof(QXLMonitorsConfig) + sizeof(QXLHead);
+ int error;
++ uint16_t count, max_allowed;
+ QXLMonitorsConfig *dev_monitors_config =
+ (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config,
+- min_size, msg->group_id, &error);
++ qxl_monitors_config_size(1),
++ msg->group_id, &error);
+
+ if (error) {
+ /* TODO: raise guest bug (requires added QXL interface) */
+ return;
+ }
+ worker->driver_cap_monitors_config = 1;
+- if (dev_monitors_config->count == 0) {
++ count = dev_monitors_config->count;
++ max_allowed = dev_monitors_config->max_allowed;
++ if (count == 0) {
+ spice_warning("ignoring an empty monitors config message from driver");
+ return;
+ }
+- if (dev_monitors_config->count > dev_monitors_config->max_allowed) {
++ if (count > max_allowed) {
+ spice_warning("ignoring malformed monitors_config from driver, "
+ "count > max_allowed %d > %d",
+- dev_monitors_config->count,
+- dev_monitors_config->max_allowed);
++ count,
++ max_allowed);
++ return;
++ }
++ /* get pointer again to check virtual size */
++ dev_monitors_config =
++ (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config,
++ qxl_monitors_config_size(count),
++ msg->group_id, &error);
++ if (error) {
++ /* TODO: raise guest bug (requires added QXL interface) */
+ return;
+ }
+- worker_update_monitors_config(worker, dev_monitors_config);
++ worker_update_monitors_config(worker, dev_monitors_config, count, max_allowed);
+ red_worker_push_monitors_config(worker);
+ }
+
diff -Nru spice-0.12.5/debian/patches/series spice-0.12.5/debian/patches/series
--- spice-0.12.5/debian/patches/series 2014-05-23 16:46:36.000000000 +0200
+++ spice-0.12.5/debian/patches/series 2015-09-05 05:52:55.000000000 +0200
@@ -1 +1,2 @@
 fix-tests-warnings.patch
+CVE-2015-3247.patch
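Review bot: The snapshot `count = dev_monitors_config->count;` (and the one for `max_allowed`) in handle_dev_monitors_config_async is a plain, non-volatile load from guest-mapped memory, so nothing in the C language stops the compiler from re-reading the field at a later use instead of keeping the first value, and the patch's whole guarantee rests on that single read. The call-free windows between the load and its uses are short, so a reload is unlikely in practice, but a volatile access makes the intent explicit and enforceable: `count = *(volatile uint16_t *)&dev_monitors_config->count;` and `max_allowed = *(volatile uint16_t *)&dev_monitors_config->max_allowed;`. It is also worth stating in the comment before the second get_virt() that max_allowed is itself guest-supplied, so `count > max_allowed` is only a plausibility check and the real bound on the later memcpy is get_virt() validating qxl_monitors_config_size(count) against the memslot, e.g. `/* max_allowed is guest data too; the size check below is the real bound on heads */`. This assumes the count and max_allowed fields of QXLMonitorsConfig are uint16_t like the new locals; the struct definition is outside the hunk, and a wider field would be silently truncated here.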