2254825 – (CVE-2023-6683) CVE-2023-6683 QEMU: VNC: NULL pointer dereference in qemu_clipboard_request()

Bug 2254825 (CVE-2023-6683) - CVE-2023-6683 QEMU: VNC: NULL pointer dereference in qemu_clipboard_request()

Summary: CVE-2023-6683 QEMU: VNC: NULL pointer dereference in qemu_clipboard_request()

Keywords:
Status:	NEW
Alias:	CVE-2023-6683
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2258118
Blocks:	2254016
TreeView+	depends on / blocked

Reported:	2023-12-16 17:33 UTC by Mauro Matteo Cascella
Modified:	2024-04-30 09:35 UTC (History)
CC List:	13 users (show)
Fixed In Version:	qemu-kvm 9.0.0
Doc Type:	---
Doc Text:	A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:2135	0	None	None	None	2024-04-30 09:35:45 UTC

Description Mauro Matteo Cascella 2023-12-16 17:33:41 UTC

It can be that a client sends a VNC_MSG_CLIENT_CUT_TEXT message before sending a VNC_MSG_CLIENT_SET_ENCODINGS message with VNC_ENCODING_CLIPBOARD_EXT for configuring the clipboard extension.

This means that qemu_clipboard_request() can be reached (via vnc_client_cut_text_ext()) before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer. In that case, info->owner->request is NULL instead of a function and so attempting to call it in qemu_clipboard_request() results in a segfault.

In particular, this can happen when using the KRDC (22.12.3) VNC client on Wayland. A malicious or misbehaving VNC client can crash QEMU - only after successful authentication.

Comment 2 Mauro Matteo Cascella 2023-12-16 17:39:54 UTC

Red Hat Product Security would like to thank Markus Frank (Proxmox) and Fiona Ebner (Proxmox) for reporting this issue.

Comment 5 Mauro Matteo Cascella 2024-01-12 18:48:54 UTC

Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg02382.html

Comment 6 Mauro Matteo Cascella 2024-01-12 18:49:44 UTC

Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2258118]

Comment 7 Mauro Matteo Cascella 2024-04-08 06:57:55 UTC

Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a

Comment 8 errata-xmlrpc 2024-04-30 09:35:44 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2135 https://access.redhat.com/errata/RHSA-2024:2135

Note You need to log in before you can comment on or make changes to this bug.