[Qemu-commits] [qemu/qemu] 64ffbe: hmp: fix sendkey out of bounds write


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 64ffbe: hmp: fix sendkey out of bounds write (CVE-2015-861...
Date: Wed, 03 Feb 2016 04:30:03 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 64ffbe04eaafebf4045a3ace52a360c14959d196
      https://github.com/qemu/qemu/commit/64ffbe04eaafebf4045a3ace52a360c14959d196
  Author: Wolfgang Bumiller <address@hidden>
  Date:   2016-02-03 (Wed, 03 Feb 2016)

  Changed paths:
    M hmp.c
    M include/ui/console.h
    M ui/input-legacy.c

  Log Message:
  -----------
  hmp: fix sendkey out of bounds write (CVE-2015-8619)

When processing 'sendkey' command, hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB
write issue, if 'keyname_len' was to fall outside of
'keyname_buf' array.

Since the keyname's length is known the keyname_buf can be
removed altogether by adding a length parameter to
index_from_key() and using it for the error output as well.

Reported-by: Ling Liu <address@hidden>
Signed-off-by: Wolfgang Bumiller <address@hidden>
Message-Id: <address@hidden>
[Comparison with "<" dumbed down, test for junk after strtoul()
tweaked]
Signed-off-by: Markus Armbruster <address@hidden>


  Commit: ad9e1dab20253441716b769500d4c63bc39b0d51
      https://github.com/qemu/qemu/commit/ad9e1dab20253441716b769500d4c63bc39b0d51
  Author: Peter Maydell <address@hidden>
  Date:   2016-02-03 (Wed, 03 Feb 2016)

  Changed paths:
    M hmp.c
    M include/ui/console.h
    M ui/input-legacy.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/armbru/tags/pull-monitor-2016-02-03' into staging

Monitor patches for 2016-02-03

# gpg: Signature made Wed 03 Feb 2016 09:13:48 GMT using RSA key ID EB918653
# gpg: Good signature from "Markus Armbruster <address@hidden>"
# gpg:                 aka "Markus Armbruster <address@hidden>"

* remotes/armbru/tags/pull-monitor-2016-02-03:
  hmp: fix sendkey out of bounds write (CVE-2015-8619)

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/c65db7705b79...ad9e1dab2025
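
The length-based lookup that the first commit message describes, as an added C example that is not QEMU's code and not part of the original notification. key_index_n(), parse_keys() and the key table are hypothetical names with constructed data; they show each segment of a key string matched in place by its length, and an unknown key reported with %.*s, so no fixed-size copy ever needs terminating.

```c
#include <stdio.h>
#include <string.h>

/* Constructed key table for this example; not QEMU's key code list. */
static const char *const key_names[] = { "ctrl", "alt", "shift", "f1", "ret" };
#define N_KEYS (sizeof(key_names) / sizeof(key_names[0]))

/* Unsafe pattern from the commit message: terminating a fixed-size buffer with
 * buf[len] = '\0' writes out of bounds once len >= sizeof(buf). */
/* Hypothetical length-aware lookup: match exactly len bytes, no copy. */
int key_index_n(const char *key, size_t len)
{
    for (size_t i = 0; i < N_KEYS; i++) {
        if (strlen(key_names[i]) == len && memcmp(key, key_names[i], len) == 0)
            return (int)i;
    }
    return -1;
}

/* Split "ctrl-alt-f1" on '-' and resolve each segment in place. Returns the
 * number of indices stored in out[], or -1 with a message in err. */
int parse_keys(const char *s, int *out, size_t max_out, char *err, size_t errsz)
{
    size_t n = 0;
    for (;;) {
        const char *sep = strchr(s, '-');
        size_t len = sep ? (size_t)(sep - s) : strlen(s);
        int idx = key_index_n(s, len);
        if (idx < 0) { /* print the segment by length, capped for the int arg */
            snprintf(err, errsz, "unknown key: %.*s", (int)(len < 64 ? len : 64), s);
            return -1;
        }
        if (n >= max_out) {
            snprintf(err, errsz, "too many keys");
            return -1;
        }
        out[n++] = idx;
        if (!sep)
            return (int)n;
        s = sep + 1;
    }
}

int main(void)
{
    int out[4];
    char err[80];
    return parse_keys("ctrl-alt-f1", out, 4, err, sizeof(err)) == 3 ? 0 : 1;
}
```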
