Bug 1230118

Summary: Possible security escalation in spice-server
Product: Red Hat Enterprise Linux 7 Reporter: Frediano Ziglio <fziglio>
Component: spiceAssignee: Default Assignee for SPICE Bugs <rh-spice-bugs>
Status: CLOSED DUPLICATE QA Contact: SPICE QE bug list <spice-qe-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: astepano, bsanford, cfergeau, fidencio, security-response-team, uril, vkaigoro
Target Milestone: rcKeywords: Security
Target Release: 7.3   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-07 14:23:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1233238    
Attachments:
Description Flags
proposed patch none

Description Frediano Ziglio 2015-06-10 09:40:13 UTC 
Description of problem:
Function worker_update_monitors_config in spice-server contains a race condition which can be exploited as a heap corruption from the guest


Version-Release number of selected component (if applicable):
All

How reproducible:
Send a monitor configs with small monitors than increse monitor numbers from another cpu inside the guest

Steps to Reproduce:
Got no reproduction but is easy to prove the possible memory corruption.


Actual results:
Memory corruption.


Expected results:
No memory corruption.


Additional info:
Agreed by spice team this is a security risk.
Comment 1 Frediano Ziglio 2015-06-10 09:41:27 UTC 
Created attachment 1037193 [details]
proposed patch
Comment 3 Uri Lublin 2015-06-10 15:42:05 UTC 
Also, the patch protects memory access by calling get_virt the second
time to protect access to 'count' heads (instead of a single head before).
Comment 9 Christophe Fergeau 2015-07-23 19:34:10 UTC 
I guess this bug could be marked as a duplicate of rhbz#1239128 ?
Comment 10 Stefan Cornelius 2015-09-07 14:23:36 UTC 

*** This bug has been marked as a duplicate of bug 1233238 ***