Bug 2254825 (CVE-2023-6683) - CVE-2023-6683 QEMU: VNC: NULL pointer dereference in qemu_clipboard_request()
Summary: CVE-2023-6683 QEMU: VNC: NULL pointer dereference in qemu_clipboard_request()
Keywords:
Status: NEW
Alias: CVE-2023-6683
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2258118
Blocks: 2254016
TreeView+ depends on / blocked
 
Reported: 2023-12-16 17:33 UTC by Mauro Matteo Cascella
Modified: 2024-04-08 06:57 UTC (History)
13 users (show)

Fixed In Version: qemu-kvm 9.0.0
Doc Type: ---
Doc Text:
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2023-12-16 17:33:41 UTC
It can be that a client sends a VNC_MSG_CLIENT_CUT_TEXT message before sending a VNC_MSG_CLIENT_SET_ENCODINGS message with VNC_ENCODING_CLIPBOARD_EXT for configuring the clipboard extension.

This means that qemu_clipboard_request() can be reached (via vnc_client_cut_text_ext()) before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer. In that case, info->owner->request is NULL instead of a function and so attempting to call it in qemu_clipboard_request() results in a segfault.

In particular, this can happen when using the KRDC (22.12.3) VNC client on Wayland. A malicious or misbehaving VNC client can crash QEMU - only after successful authentication.

Comment 2 Mauro Matteo Cascella 2023-12-16 17:39:54 UTC
Red Hat Product Security would like to thank Markus Frank (Proxmox) and Fiona Ebner (Proxmox) for reporting this issue.

Comment 5 Mauro Matteo Cascella 2024-01-12 18:48:54 UTC
Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg02382.html

Comment 6 Mauro Matteo Cascella 2024-01-12 18:49:44 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2258118]

Comment 7 Mauro Matteo Cascella 2024-04-08 06:57:55 UTC
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a


Note You need to log in before you can comment on or make changes to this bug.