Bug 1452606 (CVE-2017-7506)

Summary: CVE-2017-7506 spice: Possible buffer overflow via invalid monitor configurations
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: alexl, alon, amaris, bmcclain, cfergeau, christianity.webb, dblechte, dmoppert, dougsland, eedri, fziglio, hdegoede, jforbes, lsurette, marcandre.lureau, mgoldboi, michal.skrivanek, mkenneth, pstehlik, Rhev-m-bugs, rh-spice-bugs, sandmann, sbonazzo, security-response-team, srevivo, uril, virt-maint, ycui, ykaul, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in spice server's protocol handling. An authenticated attacker could send specially crafted messages to the spice server, causing out-of-bounds memory accesses, leading to parts of server memory being leaked or a crash.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-11-08 07:17:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1456646, 1456647, 1467533, 1467534, 1469376, 1469377, 1469378, 1481885, 1481886, 1533710
Bug Blocks: 1452607

Description Adam Mariš 2017-05-19 10:30:32 UTC
For an authenticated client it is possible to cause a buffer overflow by sending invalid monitor configurations.

Proposed patch:

https://bugzilla.redhat.com/attachment.cgi?id=1279035

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1451021

Comment 1 Adam Mariš 2017-05-19 10:30:46 UTC
Acknowledgments:

Name: Frediano Ziglio (Red Hat)

Comment 3 Frediano Ziglio 2017-05-25 08:02:59 UTC
Yes, there are mainly 2 issues:
1) number of monitors bigger than the number of items. This will lead to some copy from host to client (the number is capped to 64 by Qemu). This is similar to the heartbleed bug;
2) integer overflow of buffer_size. If you get a negative number this will probably cause realloc to return NULL and the VM will be closed with an abort. Using a very large buffer (>2GB; you are copying from guest to host, not impossible) you can cause the integer overflow to leap and the memcpy will do a big copy. You can control the content of this big copy, but how you can avoid a crash and use this overflow is beyond my knowledge; maybe you can use a different leap and, knowing the realloc implementation, avoid too big overflows.
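
The two issues in the comment above, as an added validation example that is not part of the bug's attached patch or of spice's own code: it assumes a simplified wire layout (a 32-bit monitor count followed by fixed-size 20-byte records) rather than spice's real VDAgentMonitorsConfig, and the 64-monitor cap is taken from the comment. The naive size computation shows the 32-bit wrap; the safe path rejects a count that exceeds the cap, that would wrap, or that promises more records than the message carries.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed simplified layout (not spice's real VDAgentMonitorsConfig):
 * a 32-bit monitor count, then one fixed-size record per monitor. */
#define HEADER_SIZE     4u
#define MON_RECORD_SIZE 20u   /* assumed: five 32-bit fields per monitor */
#define MAX_MONITORS    64u   /* cap the comment above attributes to Qemu */

/* Issue 2 pattern: 32-bit arithmetic on an attacker-chosen count wraps,
 * so a huge count yields a tiny buffer size. Kept only for contrast. */
uint32_t naive_buffer_size(uint32_t count)
{
    return HEADER_SIZE + count * MON_RECORD_SIZE;
}

/* Safe version: range-check first, then prove the product cannot wrap
 * before multiplying in size_t. Returns 0 on any failure. */
size_t safe_buffer_size(uint32_t count)
{
    if (count == 0 || count > MAX_MONITORS)
        return 0;
    if ((size_t)count > (SIZE_MAX - HEADER_SIZE) / MON_RECORD_SIZE)
        return 0;
    return HEADER_SIZE + (size_t)count * MON_RECORD_SIZE;
}

/* Issue 1: a count larger than the records actually present would make
 * the copy read past the message. Check the length before any memcpy. */
bool monitors_config_is_valid(const uint8_t *msg, size_t msg_len)
{
    uint32_t count;
    if (msg == NULL || msg_len < HEADER_SIZE)
        return false;
    memcpy(&count, msg, sizeof count);   /* host byte order assumed */
    size_t need = safe_buffer_size(count);
    return need != 0 && need <= msg_len;
}

/* Builds a constructed message that claims `claimed` monitors but only
 * carries `actual` records, then runs the validator on it. */
bool check_constructed_message(uint32_t claimed, uint32_t actual)
{
    uint8_t buf[HEADER_SIZE + MAX_MONITORS * MON_RECORD_SIZE] = {0};
    if (actual > MAX_MONITORS)
        return false;
    memcpy(buf, &claimed, sizeof claimed);
    return monitors_config_is_valid(buf, HEADER_SIZE + actual * MON_RECORD_SIZE);
}
```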

Comment 17 Doran Moppert 2017-07-11 07:09:22 UTC
Created spice tracking bugs for this issue:

Affects: fedora-all [bug 1469377]

Comment 25 errata-xmlrpc 2017-08-15 03:50:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2471 https://access.redhat.com/errata/RHSA-2017:2471

Comment 30 errata-xmlrpc 2018-11-07 23:00:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:3522 https://access.redhat.com/errata/RHSA-2018:3522