Bug 1261889 (CVE-2015-5261)

Summary: CVE-2015-5261 spice: host memory access from guest using crafted images
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: carnil, cfergeau, dblechte, fziglio, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host.
Story Points: ---
Last Closed: 2015-10-15 17:34:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1259773, 1262769, 1262770, 1262771, 1267134
Bug Blocks: 1260823

Description Martin Prpič 2015-09-10 11:58:24 UTC
The following flaw was reported in spice:

It is possible for a guest issuing QXL commands to the host to read and write host memory in a range of about 16-20gb.
The guest can create a very large surface (say 1000000 x 1000000). If width * height overflows the 32 bits and becomes a small number, the host will accept the command and will create the surface. Now the guest can copy areas of surfaces to access any area of memory covered by the image. Considering overflows, the pixman implementation and image formats (32 bit, top-down or bottom-up), the range (the guest passes an offset into video memory for the start) is about +/- 8gb.
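The integer overflow described in the report, as an added example that is not code from the spice project: a naive size check that multiplies width by height in 32-bit arithmetic, placed beside an overflow-safe validation that also bounds the stride and the guest-supplied offset into video memory. The limits, function names and parameters are assumptions made for illustration only.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical limits for this example; not values taken from spice. */
#define MAX_SURFACE_DIM 16384u

/*
 * Naive check in the style the report describes: the pixel count and byte
 * count are computed in 32 bits, so a huge surface can wrap around to a small
 * number and pass the comparison against the available video memory.
 */
static bool naive_surface_size_ok(uint32_t width, uint32_t height,
                                  uint32_t bpp, uint32_t mem_size)
{
    uint32_t pixels = width * height;        /* wraps silently modulo 2^32 */
    uint32_t bytes  = pixels * (bpp / 8u);   /* may wrap again */
    return bytes <= mem_size;
}

/*
 * Overflow-safe check: reject zero or oversized dimensions up front, do the
 * multiplications in 64 bits, require the stride to cover one row, and make
 * sure offset + size stays inside video memory without wrapping.
 */
static bool safe_surface_ok(uint32_t width, uint32_t height, uint32_t bpp,
                            uint32_t stride, uint64_t data_offset,
                            uint64_t mem_size)
{
    if (width == 0 || height == 0)
        return false;
    if (width > MAX_SURFACE_DIM || height > MAX_SURFACE_DIM)
        return false;
    if (bpp != 8u && bpp != 16u && bpp != 32u)
        return false;

    uint64_t bytes_per_row = (uint64_t)width * (bpp / 8u);
    if (stride < bytes_per_row)              /* stride must cover a full row */
        return false;

    uint64_t total = (uint64_t)stride * height;   /* cannot overflow: both bounded */
    if (data_offset > mem_size)              /* offset itself already out of range */
        return false;
    return total <= mem_size - data_offset;  /* subtraction form avoids offset+total wrap */
}

int main(void)
{
    /* 65536 x 65536 pixels wraps to 0 in 32 bits; the naive check accepts it. */
    printf("naive 65536x65536: %s\n",
           naive_surface_size_ok(65536u, 65536u, 32u, 16u << 20) ? "accepted" : "rejected");
    printf("safe  65536x65536: %s\n",
           safe_surface_ok(65536u, 65536u, 32u, 65536u * 4u, 0, 16u << 20) ? "accepted" : "rejected");
    /* A plausible 1024x768 32bpp surface inside 16 MiB of video memory. */
    printf("safe  1024x768:    %s\n",
           safe_surface_ok(1024u, 768u, 32u, 4096u, 0, 16u << 20) ? "accepted" : "rejected");
    return 0;
}
```

The report's own 1000000 x 1000000 surface behaves the same way: 10^12 pixels truncated to 32 bits is 3567587328, and times 4 bytes it wraps to 1385447424, which is under a 2 GiB budget, so the naive check lets it through while the safe one rejects it on the dimension bound alone.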

Comment 6 Martin Prpič 2015-10-06 08:27:00 UTC
Acknowledgements:

This issue was discovered by Frediano Ziglio of Red Hat.

Comment 10 errata-xmlrpc 2015-10-12 19:08:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1889 https://rhn.redhat.com/errata/RHSA-2015-1889.html

Comment 11 errata-xmlrpc 2015-10-12 20:21:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1890 https://rhn.redhat.com/errata/RHSA-2015-1890.html