For an authenticated client it is possible to cause a buffer overflow by sending invalid monitor configurations. Proposed patch: https://bugzilla.redhat.com/attachment.cgi?id=1279035 Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1451021
Acknowledgments: Name: Frediano Ziglio (Red Hat)
Yes, there are mainly 2 issues:
1) the number of monitors is bigger than the number of items. This will lead to some copy from host to client (the number is capped to 64 by QEMU). This is similar to the Heartbleed bug;
2) integer overflow of buffer_size. If you get a negative number this will probably cause realloc to return NULL and the VM will be closed with an abort. Using a very large buffer (>2GB; you are copying from guest to host, not impossible) you can cause the integer overflow to leap and the memcpy will do a big copy. You can control the content of this big copy, but how you can avoid a crash and use this overflow is beyond my knowledge; maybe you can use a different leap and, knowing the realloc implementation, avoid too big overflows.
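Added illustration of the two problems described in the comment above. This is not code from the bug report, the attached patch or spice itself: the message layout (a 32-bit count plus flags, followed by 20-byte monitor entries), the field names, the MAX_MONITORS cap of 64 and the helper names are assumptions made for the example. The unchecked functions model the pre-fix behaviour (count trusted both as a copy length and in a 32-bit size computation, modelled as unsigned wraparound); parse_monitors_config is the hardened form that bounds the count, checks the size arithmetic and rejects a message shorter than the count it claims.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified layout (an assumption, not spice's real structs):
 *   uint32_t num_of_monitors;   attacker controlled
 *   uint32_t flags;
 *   MonConfig monitors[num_of_monitors];
 */
typedef struct {
    uint32_t width, height, depth, x, y;        /* 20 bytes per monitor */
} MonConfig;

#define MAX_MONITORS 64                         /* cap mentioned in the comment */
#define HDR_SIZE     (sizeof(uint32_t) * 2)

typedef enum { PARSE_OK = 0, PARSE_SHORT, PARSE_TOO_MANY, PARSE_OVERFLOW } ParseResult;

/* Issue 2, before the fix: buffer size derived from the client count in
 * 32-bit arithmetic. A large count wraps to a tiny allocation while the
 * later copy still uses the full count. */
uint32_t unchecked_buffer_size(uint32_t num_of_monitors)
{
    return (uint32_t)HDR_SIZE + num_of_monitors * (uint32_t)sizeof(MonConfig);
}

/* Issue 1, before the fix: bytes a copy driven by num_of_monitors would read
 * past the end of a message of msg_len bytes (the Heartbleed-like over-read). */
uint64_t unchecked_overread_bytes(uint32_t num_of_monitors, size_t msg_len)
{
    uint64_t wanted = (uint64_t)HDR_SIZE + (uint64_t)num_of_monitors * sizeof(MonConfig);
    return wanted > msg_len ? wanted - msg_len : 0;
}

/* Hardened parser: cap the count, check the multiplication, and require the
 * received message to actually contain every entry it claims. */
ParseResult parse_monitors_config(const uint8_t *msg, size_t msg_len, size_t *needed_out)
{
    uint32_t n;
    if (msg_len < HDR_SIZE)
        return PARSE_SHORT;
    memcpy(&n, msg, sizeof n);                  /* host byte order, same as the builder */
    if (n > MAX_MONITORS)
        return PARSE_TOO_MANY;
    /* Kept independent of the cap so the arithmetic stays safe if the cap changes. */
    if (n > (SIZE_MAX - HDR_SIZE) / sizeof(MonConfig))
        return PARSE_OVERFLOW;
    size_t needed = HDR_SIZE + (size_t)n * sizeof(MonConfig);
    if (needed > msg_len)
        return PARSE_SHORT;                     /* claims more monitors than it carries */
    if (needed_out)
        *needed_out = needed;
    return PARSE_OK;
}

/* Build a constructed message that claims `claimed` monitors but carries
 * only `actual` zeroed entries. Returns the number of bytes written. */
size_t build_message(uint8_t *buf, size_t buf_len, uint32_t claimed, uint32_t actual)
{
    size_t len = HDR_SIZE + (size_t)actual * sizeof(MonConfig);
    if (len > buf_len)
        return 0;
    memset(buf, 0, len);
    memcpy(buf, &claimed, sizeof claimed);
    return len;
}

/* Build and parse in one step so a scenario can be checked by return value. */
ParseResult parse_constructed(uint32_t claimed, uint32_t actual, size_t *needed_out)
{
    uint8_t buf[HDR_SIZE + MAX_MONITORS * sizeof(MonConfig)];
    size_t len = build_message(buf, sizeof buf, claimed, actual);
    return parse_monitors_config(buf, len, needed_out);
}

int main(void)
{
    size_t needed = 0;
    printf("wrapped size for 214748365 monitors: %u bytes\n", unchecked_buffer_size(214748365u));
    printf("over-read for claimed=3 in a 28-byte message: %llu bytes\n",
           (unsigned long long)unchecked_overread_bytes(3, 28));
    printf("hardened parse, claimed=3 actual=1: %d (1 = PARSE_SHORT)\n",
           parse_constructed(3, 1, &needed));
    printf("hardened parse, claimed=2 actual=2: %d, needs %zu bytes\n",
           parse_constructed(2, 2, &needed), needed);
    return 0;
}
```

The wrapped size case is the one the comment calls "leap": 214748365 entries of 20 bytes is 4 bytes past 2^32, so the 32-bit computation yields a 12-byte buffer while a count-driven memcpy would try to copy about 4 GB into it. The hardened parser rejects that count long before the arithmetic, and separately rejects a message that claims 3 monitors but only carries 1, which is the over-read case.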
Created spice tracking bugs for this issue: Affects: fedora-all [bug 1469377]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2471 https://access.redhat.com/errata/RHSA-2017:2471
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:3522 https://access.redhat.com/errata/RHSA-2018:3522