Bug 1260822 (CVE-2015-5260) - CVE-2015-5260 spice: insufficient validation of surface_id parameter can cause crash
Summary: CVE-2015-5260 spice: insufficient validation of surface_id parameter can caus...
Alias: CVE-2015-5260
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1259783 1260908 1260971 1262769 1262770 1262771 1272346
Blocks: 1260823
TreeView+ depends on / blocked
Reported: 2015-09-08 00:52 UTC by Summer Long
Modified: 2021-02-17 04:56 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A heap-based buffer overflow flaw was found in the way spice handled certain QXL commands related to the "surface_id" parameter. A user in a guest could use this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process.
Clone Of:
Last Closed: 2015-10-15 18:40:36 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1889 0 normal SHIPPED_LIVE Important: spice-server security update 2015-10-12 23:07:08 UTC
Red Hat Product Errata RHSA-2015:1890 0 normal SHIPPED_LIVE Important: spice security update 2015-10-13 00:20:55 UTC

Description Summer Long 2015-09-08 00:52:17 UTC
surface_id is a field for many QXL commands (commands that a guest can freely craft and send). Particularly are used to create and destroy new surfaces. This field is used as an index for a static allocated array.
In different paths, the value passes without being stopped (in many cases it just give some warnings if enabled) so you can corrupt memory very easily.
A client can be modified to produce memory corruption. Although it is not easy to write specific data at a specific offset, it is still possible to write some value at some offset (dirtying near data). This means that the problem can be used for heap corruption which is usually exploitable.

Comment 1 Martin Prpič 2015-09-08 08:00:41 UTC
Created spice tracking bugs for this issue:

Affects: fedora-all [bug 1260908]

Comment 10 Martin Prpič 2015-10-06 08:26:55 UTC

This issue was discovered by Frediano Ziglio of Red Hat.

Comment 11 errata-xmlrpc 2015-10-12 19:08:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1889 https://rhn.redhat.com/errata/RHSA-2015-1889.html

Comment 12 errata-xmlrpc 2015-10-12 20:21:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1890 https://rhn.redhat.com/errata/RHSA-2015-1890.html

Note You need to log in before you can comment on or make changes to this bug.