Bug 1240165 - Integer overflows causing buffer overflows in spice-client
Summary: Integer overflows causing buffer overflows in spice-client
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: spice-gtk
Version: 7.3
Hardware: All
OS: All
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 7.3
Assignee: Red Hat Product Security
QA Contact: SPICE QE bug list
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-07-06 06:09 UTC by Frediano Ziglio
Modified: 2018-10-15 08:33 UTC (History)
CC List: 7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-15 08:33:27 UTC
Target Upstream Version:
fziglio: needinfo+


Attachments
demonstration of the issue (2.74 KB, text/plain), 2015-07-06 06:10 UTC, Frediano Ziglio
Fix integer overflows for buffer size computations (9.32 KB, patch), 2015-07-06 06:11 UTC, Frediano Ziglio
Fix integer overflows for images size computations (3.61 KB, patch), 2015-07-06 06:12 UTC, Frediano Ziglio
Updated patch (3.63 KB, patch), 2017-10-03 11:50 UTC, Frediano Ziglio
Fix integer overflows computing sizes (9.34 KB, patch), 2017-10-03 11:51 UTC, Frediano Ziglio
Avoid integer overflow computing image sizes (3.62 KB, patch), 2017-10-03 11:51 UTC, Frediano Ziglio

Description Frediano Ziglio 2015-07-06 06:09:07 UTC
Description of problem:
It is possible to craft spice messages that, using integer overflows, cause buffer overflows.
Messages in the spice protocol contain pointers (offsets from message start) and lengths. It is possible to cause an overflow that makes the code (actually it seems only the client, due to protocol details) allocate small buffers but use large memory.
I'll attach a demonstration program and 2 patches to solve the issue.


Version-Release number of selected component (if applicable):
Any


How reproducible:
I wrote a small test program (attached) to test the issue.


Steps to Reproduce:
1. Just compile and run the program attached to demonstrate the issue.


Actual results:
Crash on client due to buffer overflow.


Expected results:
Detect the messages as invalid, optionally give feedback, and close the program correctly.


Additional info:
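As an added illustration (not the reporter's attached program and not the spice-gtk patches), the code below contrasts a bounds check whose size arithmetic can wrap with one that validates each step before computing it. The `chunk_ref_t` layout is a constructed stand-in for the offset-plus-length fields the report describes, not the real SPICE wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a message field that references a chunk of the
 * message by an offset from the message start plus an element count and
 * element size. All three come from the peer and are untrusted. */
typedef struct {
    uint32_t offset;     /* byte offset of the chunk from message start */
    uint32_t count;      /* number of elements in the chunk */
    uint32_t elem_size;  /* size in bytes of one element */
} chunk_ref_t;

/* Naive check: count * elem_size and offset + size are computed in
 * uint32_t, so a crafted pair wraps around and the comparison passes
 * while the chunk actually described is far larger than msg_len
 * (the report's "allocate small buffers but use large memory"). */
bool chunk_in_bounds_naive(const chunk_ref_t *r, uint32_t msg_len)
{
    uint32_t size = r->count * r->elem_size;
    return r->offset + size <= msg_len;
}

/* Hardened check: every arithmetic step is tested against its bound
 * before it is performed, so no intermediate value can wrap. On success
 * the validated byte size is returned through out_size. */
bool chunk_in_bounds_checked(const chunk_ref_t *r, uint32_t msg_len,
                             size_t *out_size)
{
    if (r->offset > msg_len)
        return false;                         /* offset past the message */
    if (r->elem_size != 0 && r->count > UINT32_MAX / r->elem_size)
        return false;                         /* count * elem_size would wrap */
    uint32_t size = r->count * r->elem_size;
    if (size > msg_len - r->offset)
        return false;                         /* chunk runs past the message */
    if (out_size)
        *out_size = size;
    return true;
}

int main(void)
{
    /* Constructed sample: 0x10000001 * 0x10 wraps to 0x10 in 32 bits. */
    const chunk_ref_t wrapped = { 0, 0x10000001u, 0x10u };
    printf("naive: %d  checked: %d\n",
           chunk_in_bounds_naive(&wrapped, 64),
           chunk_in_bounds_checked(&wrapped, 64, NULL));
    return 0;
}
```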

Comment 1 Frediano Ziglio 2015-07-06 06:10:44 UTC
Created attachment 1048670
demonstration of the issue

Comment 2 Frediano Ziglio 2015-07-06 06:11:28 UTC
Created attachment 1048671
Fix integer overflows for buffer size computations

Comment 3 Frediano Ziglio 2015-07-06 06:12:04 UTC
Created attachment 1048672
Fix integer overflows for images size computations

Comment 8 Frediano Ziglio 2017-10-03 11:50:13 UTC
Created attachment 1333612
Updated patch

Comment 9 Frediano Ziglio 2017-10-03 11:51:15 UTC
Created attachment 1333613
Fix integer overflows computing sizes

Comment 10 Frediano Ziglio 2017-10-03 11:51:59 UTC
Created attachment 1333614
Avoid integer overflow computing image sizes

Comment 21 Frediano Ziglio 2018-05-12 21:42:58 UTC
Patches merged in master, commits a69fb1ec3425baf0a6dadced29669f4b708da923 and 617be0f74b88ce53d84d417c00696b8c1630b6ec.

