Bug 1452606 (CVE-2017-7506) - CVE-2017-7506 spice: Possible buffer overflow via invalid monitor configurations
Summary: CVE-2017-7506 spice: Possible buffer overflow via invalid monitor configurations
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-7506
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20170711,repo...
Depends On: 1456646 1456647 1467533 1467534 1469376 1469377 1469378 1481885 1481886 1533710
Blocks: 1452607
TreeView+ depends on / blocked
 
Reported: 2017-05-19 10:30 UTC by Adam Mariš
Modified: 2019-06-08 22:01 UTC (History)
30 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in spice server's protocol handling. An authenticated attacker could send specially crafted messages to the spice server, causing out-of-bounds memory accesses, leading to parts of server memory being leaked or a crash.
Clone Of:
Environment:
Last Closed: 2018-11-08 07:17:36 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2471 normal SHIPPED_LIVE Important: spice security update 2017-08-15 07:49:20 UTC
Red Hat Product Errata RHSA-2018:3522 None None None 2018-11-07 23:01:04 UTC

Description Adam Mariš 2017-05-19 10:30:32 UTC
For authenticated client it is possible to cause buffer overflow via sending invalid monitor configurations.

Proposed patch:

https://bugzilla.redhat.com/attachment.cgi?id=1279035

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1451021

Comment 1 Adam Mariš 2017-05-19 10:30:46 UTC
Acknowledgments:

Name: Frediano Ziglio (Red Hat)

Comment 3 Frediano Ziglio 2017-05-25 08:02:59 UTC
Yes, there are mainly 2 issues:
1) number of monitors bigger than the number of items. This will lead some copy from host to client (the number is capped to 64 by Qemu). This is similar to heartbleed bug;
2) integer overflow of buffer_size. If you get a negative number this will probably cause realloc to return NULL and the VM will be closed with an abort. Using very large buffer (>2GB, you are copying from guest to host, not impossible) you can cause the integer overflow to leap and the memcpy will do a big copy. You can control the content of this big copy but how you can avoid a crash and use this overflow is behind my knowledge but maybe you can use different leap and knowing the realloc implementation avoid too big overflows.

Comment 17 Doran Moppert 2017-07-11 07:09:22 UTC
Created spice tracking bugs for this issue:

Affects: fedora-all [bug 1469377]

Comment 25 errata-xmlrpc 2017-08-15 03:50:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2471 https://access.redhat.com/errata/RHSA-2017:2471

Comment 30 errata-xmlrpc 2018-11-07 23:00:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:3522 https://access.redhat.com/errata/RHSA-2018:3522


Note You need to log in before you can comment on or make changes to this bug.