1260822 – (CVE-2015-5260) CVE-2015-5260 spice: insufficient validation of surface_id parameter can cause crash

Bug 1260822 (CVE-2015-5260) - CVE-2015-5260 spice: insufficient validation of surface_id parameter can cause crash

Summary: CVE-2015-5260 spice: insufficient validation of surface_id parameter can caus...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-5260
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1259783 1260908 1260971 1262769 1262770 1262771 1272346
Blocks:	1260823
TreeView+	depends on / blocked

Reported:	2015-09-08 00:52 UTC by Summer Long
Modified:	2023-05-12 23:58 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A heap-based buffer overflow flaw was found in the way spice handled certain QXL commands related to the "surface_id" parameter. A user in a guest could use this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process.
Clone Of:
Environment:
Last Closed:	2015-10-15 18:40:36 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1889	0	normal	SHIPPED_LIVE	Important: spice-server security update	2015-10-12 23:07:08 UTC
Red Hat Product Errata	RHSA-2015:1890	0	normal	SHIPPED_LIVE	Important: spice security update	2015-10-13 00:20:55 UTC

Description Summer Long 2015-09-08 00:52:17 UTC

surface_id is a field for many QXL commands (commands that a guest can freely craft and send). Particularly are used to create and destroy new surfaces. This field is used as an index for a static allocated array.
In different paths, the value passes without being stopped (in many cases it just give some warnings if enabled) so you can corrupt memory very easily.
A client can be modified to produce memory corruption. Although it is not easy to write specific data at a specific offset, it is still possible to write some value at some offset (dirtying near data). This means that the problem can be used for heap corruption which is usually exploitable.

Comment 1 Martin Prpič 2015-09-08 08:00:41 UTC

Created spice tracking bugs for this issue:

Affects: fedora-all [bug 1260908]

Comment 10 Martin Prpič 2015-10-06 08:26:55 UTC

Acknowledgements:

This issue was discovered by Frediano Ziglio of Red Hat.

Comment 11 errata-xmlrpc 2015-10-12 19:08:51 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1889 https://rhn.redhat.com/errata/RHSA-2015-1889.html

Comment 12 errata-xmlrpc 2015-10-12 20:21:07 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1890 https://rhn.redhat.com/errata/RHSA-2015-1890.html

Note You need to log in before you can comment on or make changes to this bug.