[Qemu-stable] [PATCH 33/55] io: monitor encoutput buffer size from websocket GSource

From: Michael Roth
Subject: [Qemu-stable] [PATCH 33/55] io: monitor encoutput buffer size from websocket GSource
Date: Wed, 6 Dec 2017 13:16:26 -0600
From: "Daniel P. Berrange" <address@hidden>
The websocket GSource is monitoring the size of the rawoutput
buffer to determine if the channel can accept more writes.
The rawoutput buffer, however, is merely a temporary staging
buffer before data is copied into the encoutput buffer. Thus
its size will always be zero when the GSource runs.
This flaw causes the encoutput buffer to grow without bound
if the other end of the underlying data channel doesn't
read data being sent. This can be seen with VNC if a client
is on a slow WAN link and the guest OS is sending many screen
updates. A malicious VNC client can act like it is on a slow
link by playing a video in the guest and then reading data
very slowly, causing QEMU host memory to expand arbitrarily.
This issue is assigned CVE-2017-15268, publicly reported in
https://bugs.launchpad.net/qemu/+bug/1718964
(cherry picked from commit a7b20a8efa28e5f22c26c06cd06c2f12bc863493)
Reviewed-by: Eric Blake <address@hidden>
[Dan: Added extra checks to deal with code refactored in master but
not stable 2.10]
Signed-off-by: Daniel P. Berrange <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
---
io/channel-websock.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/io/channel-websock.c b/io/channel-websock.c
index 5a3badbec2..19116dc148 100644
--- a/io/channel-websock.c
+++ b/io/channel-websock.c
@@ -26,7 +26,7 @@
#include "trace.h"
-/* Max amount to allow in rawinput/rawoutput buffers */
+/* Max amount to allow in rawinput/encoutput buffers */
#define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
#define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
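Review bot: the comment now names the buffers that are actually bounded, but it would help to record in the same comment that rawoutput is only a transient staging buffer that is drained into encoutput within a single write and is therefore always empty when the GSource callbacks run; that is the reason the old check never fired, and stating it here makes it less likely a later refactor reinstates a check on rawoutput.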
@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
if (wsource->wioc->rawinput.offset) {
cond |= G_IO_IN;
}
- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
cond |= G_IO_OUT;
}
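Review bot: the prepare callback now stops advertising G_IO_OUT once encoutput.offset reaches QIO_CHANNEL_WEBSOCK_MAX_BUFFER, but nothing in this diff touches the write path; confirm that qio_channel_websock_writev refuses further data (returning QIO_CHANNEL_ERR_BLOCK) under the same condition, otherwise a caller that writes without first waiting on the GSource can still grow encoutput without bound.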
@@ -1022,7 +1022,7 @@ qio_channel_websock_source_check(GSource *source)
if (wsource->wioc->rawinput.offset) {
cond |= G_IO_IN;
}
- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
cond |= G_IO_OUT;
}
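Review bot: the comparison is `<`, so a write is still accepted when encoutput.offset is just below 8192 and can push the buffer past the limit by one full encoded frame; the effective bound is therefore QIO_CHANNEL_WEBSOCK_MAX_BUFFER plus one frame rather than a hard 8192 bytes, which is adequate for backpressure but should be stated next to the #define so nobody reads it as a strict cap.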
@@ -1041,7 +1041,7 @@ qio_channel_websock_source_dispatch(GSource *source,
if (wsource->wioc->rawinput.offset) {
cond |= G_IO_IN;
}
- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
cond |= G_IO_OUT;
}
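Review bot: this is the third identical copy of the readable/writable condition across qio_channel_websock_source_prepare, _check and _dispatch, and the bug fixed here shows how easily such copies drift; factor the condition into one small static helper that derives a GIOCondition from the wioc buffer offsets and call it from all three callbacks, so a future change to the bound only has to be made once.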
--
2.11.0
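The following is an added illustration, not QEMU code, modelling the two output buffers the commit message describes: a transient staging buffer (rawoutput) that is always drained into an encoded buffer (encoutput) within a single write. Switching which buffer the writability check looks at shows why the old check never applied backpressure and the fixed one bounds memory to the limit plus one frame. The buffer sizes, the frame header size and the model's function names are constructed for this example.

```c
/* Added example (not QEMU's own code): minimal model of the websocket
 * channel's staging and encoded output buffers, to show why backpressure
 * must be measured on the encoded buffer, not the transient staging one. */
#include <stddef.h>
#include <stdbool.h>

#define MAX_BUFFER 8192   /* mirrors QIO_CHANNEL_WEBSOCK_MAX_BUFFER */
#define FRAME_HDR 2       /* constructed: fixed per-frame header size in this model */

struct model {
    size_t rawoutput;      /* bytes staged; drained into encoutput on every write */
    size_t encoutput;      /* framed bytes waiting for the peer to read them */
    bool check_encoutput;  /* false = pre-patch check, true = patched check */
};

/* Equivalent of the GSource prepare/check: may the channel accept more writes? */
static bool model_writable(const struct model *m)
{
    size_t watched = m->check_encoutput ? m->encoutput : m->rawoutput;
    return watched < MAX_BUFFER;
}

/* One write of len bytes: stage, encode into encoutput, empty the staging buffer.
 * Returns the bytes accepted, or 0 if backpressure refused the write. */
static size_t model_write(struct model *m, size_t len)
{
    if (!model_writable(m)) {
        return 0;
    }
    m->rawoutput += len;
    m->encoutput += m->rawoutput + FRAME_HDR; /* encode one frame */
    m->rawoutput = 0;                          /* staging buffer is now empty again */
    return len;
}

/* Drive n writes of len bytes against a peer that never reads (the slow-client
 * case from the commit message) and report how large encoutput grew. */
static size_t model_run(bool check_encoutput, int n, size_t len)
{
    struct model m = {0, 0, check_encoutput};
    for (int i = 0; i < n; i++) {
        model_write(&m, len);
    }
    return m.encoutput;
}
```

With the pre-patch check every write is accepted because rawoutput is empty whenever it is inspected, so encoutput grows linearly with the number of writes; with the patched check growth stops at MAX_BUFFER plus one encoded frame.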