qemu-commits
From: GitHub
Subject: [Qemu-commits] [qemu/qemu] efec4d: vnc: fix memory corruption (CVE-2015-5225)
Date: Tue, 22 Sep 2015 16:30:03 -0700

  Branch: refs/heads/stable-2.4
  Home:   https://github.com/qemu/qemu
  Commit: efec4dcd2552e85ed57f276b58f09fc385727450
          https://github.com/qemu/qemu/commit/efec4dcd2552e85ed57f276b58f09fc385727450
  Author: Gerd Hoffmann <address@hidden>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M ui/vnc.c

  Log Message:
  -----------
  vnc: fix memory corruption (CVE-2015-5225)

The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
memory corruption issues" can become negative.  Result is (possibly
exploitable) memory corruption.  Reason for that is it uses the stride
instead of bytes per scanline to apply limits.

For the server surface it is actually fine.  vnc creates that itself,
there is never any padding and thus scanline length always equals stride.

For the guest surface scanline length and stride are typically identical
too, but it doesn't have to be that way.  So add and use a new variable
(guest_ll) for the guest scanline length.  Also rename min_stride to
line_bytes to make clearer what it actually is.  Finally sprinkle
in an assert() to make sure we never use a negative _cmp_bytes again.

Reported-by: 范祚至(库特) <address@hidden>
Reviewed-by: P J P <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
Signed-off-by: Michael Roth <address@hidden>
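
The hazard the message describes, as an added example that is not the ui/vnc.c code from the commit: a dirty span must be bounded by the real scanline length (width times bytes per pixel) rather than by the stride, and the resulting byte count must never go negative, because a negative int passed to memcmp() or memcpy() is converted to an enormous size_t. The helper names, the 16-pixel sample lines and the padded guest row are constructed for this illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not QEMU's): bytes of a dirty span that can safely be
 * compared between two framebuffer lines.  line_bytes is the real scanline
 * length, which is shorter than the stride when rows are padded.  The result
 * always lies in [0, line_bytes - x_bytes]; a span starting at or beyond the
 * end of the line yields 0 instead of a negative count. */
int span_cmp_bytes(int line_bytes, int x_bytes, int w_bytes)
{
    int remaining;

    if (line_bytes < 0 || x_bytes < 0 || w_bytes < 0) {
        return 0;
    }
    remaining = line_bytes - x_bytes;
    if (remaining <= 0) {
        return 0;
    }
    return w_bytes < remaining ? w_bytes : remaining;
}

/* Same arithmetic without the guard, kept only to show the failure mode:
 * an offset past the limit produces a negative count. */
int span_cmp_bytes_unchecked(int limit_bytes, int x_bytes, int w_bytes)
{
    int remaining = limit_bytes - x_bytes;
    return w_bytes < remaining ? w_bytes : remaining;
}

/* What a negative count becomes once it reaches a size_t length parameter. */
size_t as_length(int count)
{
    return (size_t)count;
}

/* Compare one dirty span of a server line and a guest line, limited by the
 * shorter real line length, never by a stride. */
int lines_differ(const unsigned char *server, int server_line_bytes,
                 const unsigned char *guest, int guest_line_bytes,
                 int x_bytes, int w_bytes)
{
    int limit = server_line_bytes < guest_line_bytes ? server_line_bytes
                                                     : guest_line_bytes;
    int n = span_cmp_bytes(limit, x_bytes, w_bytes);

    assert(n >= 0 && n <= w_bytes);     /* the invariant the commit asserts */
    if (n == 0) {
        return 0;
    }
    return memcmp(server + x_bytes, guest + x_bytes, (size_t)n) != 0;
}

/* Constructed sample: 16 pixels at 4 bytes/pixel (64 real bytes per line);
 * the guest row is padded to a 96-byte stride.  Returns lines_differ() for
 * the requested span. */
int sample_differs(int x_bytes, int w_bytes)
{
    unsigned char server[64], guest[96];

    memset(server, 0xAA, sizeof server);
    memset(guest, 0xAA, sizeof guest);
    guest[60] = 0x55;   /* last real pixel differs */
    guest[70] = 0x55;   /* padding differs too, but must never be compared */
    return lines_differ(server, 64, guest, 64, x_bytes, w_bytes);
}

int main(void)
{
    printf("span 56+8: differ=%d\n", sample_differs(56, 8));
    printf("span 62+8 (clamped to 2 bytes): differ=%d\n", sample_differs(62, 8));
    printf("span 70+8 (entirely in padding): differ=%d\n", sample_differs(70, 8));
    printf("unchecked count for offset 80: %d -> %zu as size_t\n",
           span_cmp_bytes_unchecked(64, 80, 8),
           as_length(span_cmp_bytes_unchecked(64, 80, 8)));
    return 0;
}
```

The span starting at byte 70 lies entirely in the guest row's padding; the clamped helper compares nothing there, whereas a limit derived from the 96-byte stride would have read padding the server surface does not even have.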


  Commit: 3a56af1fbc17ff453f6e90fb08ce0c0e6fd0b61b
          https://github.com/qemu/qemu/commit/3a56af1fbc17ff453f6e90fb08ce0c0e6fd0b61b
  Author: P J P <address@hidden>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M hw/net/e1000.c

  Log Message:
  -----------
  e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)

While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' were to become zero. Add a check to avoid it.

[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]

Signed-off-by: P J P <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Message-id: address@hidden
(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
Signed-off-by: Michael Roth <address@hidden>
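
The zero-progress loop described in the message, as an added example rather than the hw/net/e1000.c code of the commit: a hypothetical segmenter carves a descriptor's payload into frames of at most hdr_len + mss bytes, and the per-iteration chunk `bytes` is derived from guest-supplied hdr_len and mss. When both are 0 (or when mss is 0 and the header has already been accounted for) the chunk becomes 0, the remaining size never shrinks, and the loop would spin forever; the added check turns that into an error return. Function names and the test values are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (not QEMU's e1000 code) of consuming one transmit
 * descriptor of split_size payload bytes with segmentation offload
 * parameters supplied by the guest.  Each emitted frame holds hdr_len
 * header bytes plus up to mss payload bytes.  Returns 0 on success with
 * *segments set to the number of full frames emitted, or -1 when the
 * parameters can never make progress. */
int consume_descriptor(uint32_t split_size, uint32_t hdr_len, uint32_t mss,
                       uint32_t *segments)
{
    uint32_t hdr = hdr_len;
    uint32_t msh = hdr_len + mss;   /* frame size at which a segment is sent */
    uint32_t size = 0;              /* bytes accumulated in the current frame */
    uint32_t bytes;

    *segments = 0;
    while (split_size) {
        bytes = split_size;
        if (size + bytes > msh) {
            bytes = msh - size;     /* size <= msh always holds, so no underflow */
        }
        /* Guard from the commit message's reasoning: a zero-sized chunk
         * would leave split_size unchanged and loop forever. */
        if (bytes == 0) {
            return -1;
        }
        size += bytes;
        split_size -= bytes;
        if (size == msh) {
            (*segments)++;          /* frame complete: emit and restart after header */
            size = hdr;
        }
    }
    return 0;                       /* a partial trailing frame stays pending */
}

/* Convenience wrapper: number of full frames, or -1 if rejected. */
int full_segments(uint32_t split_size, uint32_t hdr_len, uint32_t mss)
{
    uint32_t n;

    if (consume_descriptor(split_size, hdr_len, mss, &n) != 0) {
        return -1;
    }
    return (int)n;
}

int main(void)
{
    printf("250 bytes, hdr 14, mss 100: %d full frames\n", full_segments(250, 14, 100));
    printf("250 bytes, hdr 0,  mss 0:   %d (rejected)\n", full_segments(250, 0, 0));
    printf("100 bytes, hdr 14, mss 0:   %d (rejected)\n", full_segments(100, 14, 0));
    return 0;
}
```

The hdr_len = 14, mss = 0 case shows why the check belongs on the computed chunk rather than only on the raw fields: the first iteration still makes progress by filling the header, and the zero chunk only appears on the second pass.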


  Commit: 7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755
          https://github.com/qemu/qemu/commit/7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755
  Author: P J P <address@hidden>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M hw/net/ne2000.c

  Log Message:
  -----------
  net: add checks to validate ring buffer pointers (CVE-2015-5279)

Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE (49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: P J P <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5a1ccdfe44946e726b4c6fda8a4493b3931a68c1
          https://github.com/qemu/qemu/commit/5a1ccdfe44946e726b4c6fda8a4493b3931a68c1
  Author: P J P <address@hidden>
  Date:   2015-09-21 (Mon, 21 Sep 2015)

  Changed paths:
    M hw/net/ne2000.c

  Log Message:
  -----------
  net: avoid infinite loop when receiving packets (CVE-2015-5278)

Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE (49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: P J P <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
Signed-off-by: Michael Roth <address@hidden>
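
Both ne2000 messages above (the out-of-bounds 'index' and the infinite loop) come from the same root cause: ring boundaries and the write pointer are guest-controlled and were used without validation. The following added example is a hypothetical receive-ring model, not the hw/net/ne2000.c code of either commit, showing the invariants a defender wants checked before any write: the ring must end inside the NE2000_MEM_SIZE buffer, start must be strictly below stop (otherwise the wrap-around loop can never advance), and the write index must lie inside the ring. The structure and function names, the 0x4000..0x6000 ring geometry and the packet contents are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NE2000_MEM_SIZE 49152   /* buffer size quoted in the commit message */

/* Hypothetical receive-ring model (not QEMU's ne2000 state). */
struct ne2k_ring {
    uint8_t  mem[NE2000_MEM_SIZE];
    uint32_t start;   /* first byte of the receive ring (inclusive) */
    uint32_t stop;    /* end of the receive ring (exclusive) */
    uint32_t index;   /* next write position */
};

/* Validate guest-controlled geometry before touching memory.
 * Returns 0 when the ring is usable, -1 otherwise. */
int ne2k_ring_valid(const struct ne2k_ring *r)
{
    if (r->stop > NE2000_MEM_SIZE) {
        return -1;                      /* ring extends past the buffer */
    }
    if (r->start >= r->stop) {
        return -1;                      /* empty or inverted ring: wrap never makes progress */
    }
    if (r->index < r->start || r->index >= r->stop) {
        return -1;                      /* write pointer outside the ring */
    }
    return 0;
}

/* Copy a packet into the ring with wrap-around.  Returns bytes written or -1.
 * Because index < stop is guaranteed by ne2k_ring_valid(), every iteration
 * copies at least one byte, so the loop always terminates. */
int ne2k_ring_write(struct ne2k_ring *r, const uint8_t *pkt, uint32_t len)
{
    uint32_t written = 0;

    if (ne2k_ring_valid(r) != 0) {
        return -1;
    }
    if (len > r->stop - r->start) {
        return -1;                      /* cannot fit even once around the ring */
    }
    while (written < len) {
        uint32_t room = r->stop - r->index;   /* > 0 by the invariant */
        uint32_t n = len - written;

        if (n > room) {
            n = room;
        }
        memcpy(r->mem + r->index, pkt + written, n);
        written += n;
        r->index += n;
        if (r->index >= r->stop) {
            r->index = r->start;        /* wrap to the ring start */
        }
    }
    return (int)written;
}

static struct ne2k_ring demo_ring;

/* Build a ring with the given geometry and write a constructed packet of
 * len bytes (filled with 0x5A).  Returns ne2k_ring_write()'s result. */
int ne2k_demo_write(uint32_t start, uint32_t stop, uint32_t index, uint32_t len)
{
    static uint8_t pkt[NE2000_MEM_SIZE];

    memset(&demo_ring, 0, sizeof demo_ring);
    demo_ring.start = start;
    demo_ring.stop = stop;
    demo_ring.index = index;
    memset(pkt, 0x5A, sizeof pkt);
    return ne2k_ring_write(&demo_ring, pkt, len);
}

/* Write pointer after the last ne2k_demo_write() call. */
uint32_t ne2k_demo_last_index(void)
{
    return demo_ring.index;
}

int main(void)
{
    printf("512 bytes wrapping at 0x6000: wrote %d, index now 0x%x\n",
           ne2k_demo_write(0x4000, 0x6000, 0x5F00, 512), ne2k_demo_last_index());
    printf("start == stop: %d (rejected)\n", ne2k_demo_write(0x4000, 0x4000, 0x4000, 64));
    printf("stop past buffer: %d (rejected)\n", ne2k_demo_write(0x4000, 0xD000, 0x4000, 64));
    printf("index outside ring: %d (rejected)\n", ne2k_demo_write(0x4000, 0x6000, 0x7000, 64));
    return 0;
}
```

The start == stop case is the one that matters for the infinite loop: without the validity check, room would be 0, n would be 0, and written would never reach len; the stop-past-buffer and index-outside-ring cases are the ones that would otherwise turn memcpy() into an out-of-bounds write.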


  Commit: 83c92b45140be773f0c5545dddea35a89db1ad03
          https://github.com/qemu/qemu/commit/83c92b45140be773f0c5545dddea35a89db1ad03
  Author: Michael Roth <address@hidden>
  Date:   2015-09-22 (Tue, 22 Sep 2015)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update version for 2.4.0.1 release

Signed-off-by: Michael Roth <address@hidden>


Compare: https://github.com/qemu/qemu/compare/efec4dcd2552^...83c92b45140b
