Bug 1260822 (CVE-2015-5260)

Summary: CVE-2015-5260 spice: insufficient validation of surface_id parameter can cause crash
Product: [Other] Security Response Reporter: Summer Long <slong>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alexl, alon, carnil, cfergeau, dblechte, fziglio, hdegoede, jforbes, marcandre.lureau, rh-spice-bugs, sandmann, security-response-team, uril, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A heap-based buffer overflow flaw was found in the way spice handled certain QXL commands related to the "surface_id" parameter. A user in a guest could use this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-15 18:40:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1259783, 1260908, 1260971, 1262769, 1262770, 1262771, 1272346    
Bug Blocks: 1260823    

Description Summer Long 2015-09-08 00:52:17 UTC 
surface_id is a field for many QXL commands (commands that a guest can freely craft and send). Particularly are used to create and destroy new surfaces. This field is used as an index for a static allocated array.
In different paths, the value passes without being stopped (in many cases it just give some warnings if enabled) so you can corrupt memory very easily.
A client can be modified to produce memory corruption. Although it is not easy to write specific data at a specific offset, it is still possible to write some value at some offset (dirtying near data). This means that the problem can be used for heap corruption which is usually exploitable.
Comment 1 Martin Prpič 2015-09-08 08:00:41 UTC 
Created spice tracking bugs for this issue:

Affects: fedora-all [bug 1260908]
Comment 10 Martin Prpič 2015-10-06 08:26:55 UTC 
Acknowledgements:

This issue was discovered by Frediano Ziglio of Red Hat.
Comment 11 errata-xmlrpc 2015-10-12 19:08:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1889 https://rhn.redhat.com/errata/RHSA-2015-1889.html
Comment 12 errata-xmlrpc 2015-10-12 20:21:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1890 https://rhn.redhat.com/errata/RHSA-2015-1890.html