[arch-commits] Commit in spice/trunk (CVE-2019-3813.patch PKGBUILD)

Anatol Pomozov anatolik at archlinux.org
Wed Feb 6 18:13:39 UTC 2019


    Date: Wednesday, February 6, 2019 @ 18:13:38
  Author: anatolik
Revision: 345329

upgpkg: spice 0.14.0-3

Added:
  spice/trunk/CVE-2019-3813.patch
Modified:
  spice/trunk/PKGBUILD

---------------------+
 CVE-2019-3813.patch |   50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD            |   14 +++++++++++---
 2 files changed, 61 insertions(+), 3 deletions(-)

Added: CVE-2019-3813.patch
===================================================================
--- CVE-2019-3813.patch	                        (rev 0)
+++ CVE-2019-3813.patch	2019-02-06 18:13:38 UTC (rev 345329)
@@ -0,0 +1,50 @@
+commit 42f658a48b675de736317b28bcc2061508f407c3
+Author: Christophe Fergeau <cfergeau at redhat.com>
+Date:   Thu Nov 29 14:18:39 2018 +0100
+
+    memslot: Fix off-by-one error in group/slot boundary check
+    
+    RedMemSlotInfo keeps an array of groups, and each group contains an
+    array of slots. Unfortunately, these checks are off by 1, they check
+    that the index is greater or equal to the number of elements in the
+    array, while these arrays are 0 based. The check should only check for
+    strictly greater than the number of elements.
+    
+    For the group array, this is not a big issue, as these memslot groups
+    are created by spice-server users (eg QEMU), and the group ids used to
+    index that array are also generated by the spice-server user, so it
+    should not be possible for the guest to set them to arbitrary values.
+    
+    The slot id is more problematic, as it's calculated from a QXLPHYSICAL
+    address, and such addresses are usually set by the guest QXL driver, so
+    the guest can set these to arbitrary values, including malicious values,
+    which are probably easy to build from the guest PCI configuration.
+    
+    This patch fixes the arrays bound check, and adds a test case for this.
+    This fixes CVE-2019-3813.
+    
+    Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>
+    Acked-by: Frediano Ziglio <fziglio at redhat.com>
+
+diff --git a/server/memslot.c b/server/memslot.c
+index 7074b432..8c59c383 100644
+--- a/server/memslot.c
++++ b/server/memslot.c
+@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t
+     MemSlot *slot;
+ 
+     *error = 0;
+-    if (group_id > info->num_memslots_groups) {
++    if (group_id >= info->num_memslots_groups) {
+         spice_critical("group_id too big");
+         *error = 1;
+         return 0;
+     }
+ 
+     slot_id = memslot_get_id(info, addr);
+-    if (slot_id > info->num_memslots) {
++    if (slot_id >= info->num_memslots) {
+         print_memslots(info);
+         spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
+         *error = 1;
+ 

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2019-02-06 13:23:41 UTC (rev 345328)
+++ PKGBUILD	2019-02-06 18:13:38 UTC (rev 345329)
@@ -3,7 +3,7 @@
 
 pkgname=spice
 pkgver=0.14.0
-pkgrel=2
+pkgrel=3
 pkgdesc="SPICE server"
 arch=('x86_64')
 url="https://www.spice-space.org"
@@ -11,11 +11,19 @@
 depends=(celt0.5.1 libjpeg-turbo libsasl pixman glib2 opus lz4)
 makedepends=(python2-pyparsing python2-six qemu spice-protocol git libcacard)
 source=(https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2
-        https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2.sign)
+        https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2.sign
+        CVE-2019-3813.patch)
 sha256sums=('3adb9495b51650e5eab53c74dd6a74919af4b339ff21721d9ab2a45b2e3bb848'
-            'SKIP')
+            'SKIP'
+            '35c4f83f0b5933be2589327bfe203085289180217514d61dba2977b0ec6a6d39')
 validpgpkeys=(94A9F75661F77A6168649B23A9D8C21429AC6C82) # Christophe Fergeau (teuf) <christophe at fergeau.eu>
 
+prepare() {
+  cd spice-$pkgver
+  # based on upstream change a4a16ac42d2f19a17e36556546aa94d5cd83745f
+  patch -p1 < ../CVE-2019-3813.patch
+}
+
 build() {
   cd spice-$pkgver
   PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard --enable-client --disable-werror



More information about the arch-commits mailing list