Bug 1240165

Summary: Integer overflows causing buffer overflows in spice-client
Product: Red Hat Enterprise Linux 7
Reporter: Frediano Ziglio <fziglio>
Component: spice-gtk
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: SPICE QE bug list <spice-qe-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: carnil, cfergeau, cperry, fziglio, marcandre.lureau, security-response-team, uril
Target Milestone: rc
Keywords: Security
Target Release: 7.3
Flags: fziglio: needinfo+
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-15 08:33:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (description, flags):
- demonstration of the issue (flags: none)
- Fix integer overflows for buffer size computations (flags: none)
- Fix integer overflows for images size computations (flags: none)
- Updated patch (flags: none)
- Fix integer overflows computing sizes (flags: none)
- Avoid integer overflow computing image sizes (flags: none)

Description Frediano Ziglio 2015-07-06 06:09:07 UTC
Description of problem:
It is possible to craft spice messages that, using integer overflows, cause buffer overflows.
Messages in the spice protocol contain pointers (offsets from the message start) and lengths. It is possible to cause an overflow that makes the code (actually it seems only the client, due to protocol details) allocate small buffers but use large memory.
I'll attach a demonstration program and 2 patches to solve the issue.


Version-Release number of selected component (if applicable):
Any


How reproducible:
I wrote a small test program (attached) to test the issue.


Steps to Reproduce:
1. Just compile and run the attached program to demonstrate the issue.


Actual results:
Crash on client due to buffer overflow.


Expected results:
Detect the messages as invalid, optionally give feedback, and close the program correctly.


Additional info:

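The two classes of check the attached fixes are named after (bounding an offset/length pair against the message it lives in, and computing an image size without wrapping), as an added example that is neither spice-gtk code nor either attached patch. The 8-byte reference layout, the `example_*` function names and the sample message bytes are constructed for illustration and do not reflect the real spice wire format:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reference layout for this example: an 8-byte header holding
 * a 32-bit little-endian offset (from message start) and a 32-bit length.
 * Constructed for illustration; not the real spice wire format. */
#define EXAMPLE_REF_SIZE 8

static uint32_t example_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* True if [offset, offset + length) lies inside a message of msg_size bytes.
 * The sum is formed in 64 bits so a large offset plus a large length cannot
 * wrap to a small value and slip past the comparison. */
bool example_ref_in_bounds(uint32_t offset, uint32_t length, size_t msg_size)
{
    uint64_t end = (uint64_t)offset + (uint64_t)length;
    return end <= (uint64_t)msg_size;
}

/* Resolve the reference stored at hdr_pos in msg. Returns a pointer to the
 * referenced bytes and stores their length in *len_out, or returns NULL when
 * the header itself or the referenced range does not fit in the message. */
const uint8_t *example_lookup(const uint8_t *msg, size_t msg_size,
                              size_t hdr_pos, uint32_t *len_out)
{
    if (hdr_pos > msg_size || msg_size - hdr_pos < EXAMPLE_REF_SIZE)
        return NULL;
    uint32_t offset = example_le32(msg + hdr_pos);
    uint32_t length = example_le32(msg + hdr_pos + 4);
    if (!example_ref_in_bounds(offset, length, msg_size))
        return NULL;
    *len_out = length;
    return msg + offset;
}

/* Compute width * height * bytes_per_pixel without wrapping. On success the
 * byte count is stored in *out and true is returned; on overflow (or a zero
 * dimension) false is returned and *out is untouched, so a caller can never
 * allocate an undersized buffer from a wrapped product. */
bool example_image_size(uint32_t width, uint32_t height, uint32_t bpp,
                        size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if ((size_t)height > SIZE_MAX / (size_t)width)
        return false;
    size_t pixels = (size_t)width * (size_t)height;
    if ((size_t)bpp > SIZE_MAX / pixels)
        return false;
    *out = pixels * (size_t)bpp;
    return true;
}

/* Constructed sample messages (16 bytes each): a reference header at
 * position 0 followed by 8 bytes of payload. */
const uint8_t example_msg_ok[16] = {
    0x08, 0x00, 0x00, 0x00,  /* offset = 8 */
    0x04, 0x00, 0x00, 0x00,  /* length = 4 */
    'd', 'a', 't', 'a', 0, 0, 0, 0
};
const uint8_t example_msg_wrap[16] = {
    0xf8, 0xff, 0xff, 0xff,  /* offset = 0xfffffff8 */
    0x10, 0x00, 0x00, 0x00,  /* length = 16; offset + length wraps to 8 in 32 bits */
    'd', 'a', 't', 'a', 0, 0, 0, 0
};

int main(void)
{
    uint32_t len;
    size_t bytes;
    const uint8_t *p;

    p = example_lookup(example_msg_ok, sizeof example_msg_ok, 0, &len);
    printf("ok message: %s\n", p ? "accepted" : "rejected");
    p = example_lookup(example_msg_wrap, sizeof example_msg_wrap, 0, &len);
    printf("wrapping message: %s\n", p ? "accepted" : "rejected");
    printf("4096x4096x4: %s\n",
           example_image_size(4096, 4096, 4, &bytes) ? "ok" : "overflow");
    printf("0xffffffff x 0xffffffff x 4: %s\n",
           example_image_size(0xffffffffu, 0xffffffffu, 4, &bytes) ? "ok" : "overflow");
    return 0;
}
```

The second sample message is the shape of input the report describes: in 32-bit arithmetic its offset plus length wraps to 8, which would pass a naive `offset + length <= msg_size` test, so the check widens to 64 bits before comparing. The image-size routine checks each multiplication against `SIZE_MAX` before performing it, which is portable to both 32- and 64-bit `size_t`.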
Comment 1 Frediano Ziglio 2015-07-06 06:10:44 UTC
Created attachment 1048670
demonstration of the issue

Comment 2 Frediano Ziglio 2015-07-06 06:11:28 UTC
Created attachment 1048671
Fix integer overflows for buffer size computations

Comment 3 Frediano Ziglio 2015-07-06 06:12:04 UTC
Created attachment 1048672
Fix integer overflows for images size computations

Comment 8 Frediano Ziglio 2017-10-03 11:50:13 UTC
Created attachment 1333612
Updated patch

Comment 9 Frediano Ziglio 2017-10-03 11:51:15 UTC
Created attachment 1333613
Fix integer overflows computing sizes

Comment 10 Frediano Ziglio 2017-10-03 11:51:59 UTC
Created attachment 1333614
Avoid integer overflow computing image sizes

Comment 21 Frediano Ziglio 2018-05-12 21:42:58 UTC
Patches merged in master, commits a69fb1ec3425baf0a6dadced29669f4b708da923 and 617be0f74b88ce53d84d417c00696b8c1630b6ec.