Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of spice: https://security-tracker.debian.org/tracker/CVE-2016-2150 Please find attached a debdiff of a test package I have already prepared. You can also find it in the collab-maint git repo. Would you like to upload it by yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, I will be happy to finish it. Thank you very much. Santiago R.R., on behalf of the Debian LTS team.
diff -Nru spice-0.11.0/debian/changelog spice-0.11.0/debian/changelog
--- spice-0.11.0/debian/changelog 2015-10-09 16:19:14.000000000 +0200
+++ spice-0.11.0/debian/changelog 2016-06-11 10:31:54.000000000 +0200
@@ -1,3 +1,11 @@
+spice (0.11.0-1+deb7u3~pre1) wheezy-security; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2016-2150: Host memory access from guest using crafted primary
+ surface parameters (Closes: #826584)
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net> Wed, 08 Jun 2016 12:54:13 +0200
+
 spice (0.11.0-1+deb7u2) wheezy-security; urgency=high
 
 * Non-maintainer upload by the Security Team.
diff -Nru spice-0.11.0/debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch spice-0.11.0/debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch
--- spice-0.11.0/debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch 1970-01-01 01:00:00.000000000 +0100
+++ spice-0.11.0/debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch 2016-06-11 10:31:54.000000000 +0200
@@ -0,0 +1,117 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 29 Feb 2016 14:24:03 +0000
+Subject: [PATCH] create a function to validate surface parameters
+
+Make possible to reuse it outside red-parse-qxl.c
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ server/red_parse_qxl.c | 50 ++++++++++++++++++++++++++++++++------------------
+ server/red_parse_qxl.h | 5 +++++
+ 2 files changed, 37 insertions(+), 18 deletions(-)
+
+--- a/server/red_parse_qxl.c
++++ b/server/red_parse_qxl.c
+@@ -19,7 +19,6 @@
+ #include <config.h>
+ #endif
+
+-#include <stdbool.h>
+ #include <inttypes.h>
+ #include "red_common.h"
+ #include "red_memslots.h"
+@@ -1193,13 +1192,41 @@
+ return 0;
+ }
+
++bool red_validate_surface(uint32_t width, uint32_t height,
++ int32_t stride, uint32_t format)
++{
++ unsigned int bpp;
++ uint64_t size;
++
++ bpp = surface_format_to_bpp(format);
++
++ /* check if format is valid */
++ if (!bpp) {
++ return false;
++ }
++
++ /* check stride is larger than required bytes */
++ size = ((uint64_t) width * bpp + 7u) / 8u;
++ /* the uint32_t conversion is here to avoid problems with -2^31 value */
++ if (stride == G_MININT32 || size > (uint32_t) abs(stride)) {
++ return false;
++ }
++
++ /* the multiplication can overflow, also abs(-2^31) may return a negative value */
++ size = (uint64_t) height * abs(stride);
++ if (size > MAX_DATA_CHUNK) {
++ return false;
++ }
++
++ return true;
++}
++
+ int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
+ RedSurfaceCmd *red, QXLPHYSICAL addr)
+ {
+ QXLSurfaceCmd *qxl;
+ uint64_t size;
+ int error;
+- unsigned int bpp;
+
+ qxl = (QXLSurfaceCmd *)get_virt(slots, addr, sizeof(*qxl), group_id,
+ &error);
+@@ -1218,26 +1245,13 @@
+ red->u.surface_create.width = qxl->u.surface_create.width;
+ red->u.surface_create.height = qxl->u.surface_create.height;
+ red->u.surface_create.stride = qxl->u.surface_create.stride;
+- bpp = 
surface_format_to_bpp(red->u.surface_create.format);
+
+- /* check if format is valid */
+- if (!bpp) {
++ if (!red_validate_surface(red->u.surface_create.width, red->u.surface_create.height,
++ red->u.surface_create.stride, red->u.surface_create.format)) {
+ return 1;
+ }
+
+- /* check stride is larger than required bytes */
+- size = ((uint64_t) red->u.surface_create.width * bpp + 7u) / 8u;
+- /* the uint32_t conversion is here to avoid problems with -2^31 value */
+- if (red->u.surface_create.stride == G_MININT32
+- || size > (uint32_t) abs(red->u.surface_create.stride)) {
+- return 1;
+- }
+-
+- /* the multiplication can overflow, also abs(-2^31) may return a negative value */
+- size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride);
+- if (size > MAX_DATA_CHUNK) {
+- return 1;
+- }
++ size = red->u.surface_create.height * abs(red->u.surface_create.stride);
+ red->u.surface_create.data =
+ (uint8_t*)get_virt(slots, qxl->u.surface_create.data, size, group_id, &error);
+ if (error) {
+--- a/server/red_parse_qxl.h
++++ b/server/red_parse_qxl.h
+@@ -19,6 +19,8 @@
+ #ifndef RED_ABI_TRANSLATE_H
+ #define RED_ABI_TRANSLATE_H
+
++#include <stdbool.h>
++
+ #include <spice/qxl_dev.h>
+ #include "red_common.h"
+ #include "red_memslots.h"
+@@ -127,6 +129,9 @@
+ RedMessage *red, QXLPHYSICAL addr);
+ void red_put_message(RedMessage *red);
+
++bool red_validate_surface(uint32_t width, uint32_t height,
++ int32_t stride, uint32_t format);
++
+ int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
+ RedSurfaceCmd *red, QXLPHYSICAL addr);
+ void red_put_surface_cmd(RedSurfaceCmd *red);
diff -Nru spice-0.11.0/debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch spice-0.11.0/debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch
--- spice-0.11.0/debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch 1970-01-01 01:00:00.000000000 +0100
+++ 
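Review bot: The rewritten size computation in red_get_surface_cmd, `size = red->u.surface_create.height * abs(red->u.surface_create.stride);`, drops the `(uint64_t)` cast that the removed line carried, so the product is now evaluated in 32-bit arithmetic before it is widened into `size`. That is safe only as long as red_validate_surface has already bounded the 64-bit product by MAX_DATA_CHUNK and that constant fits in 32 bits, which is not visible in this hunk. Keeping the cast, `size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride);`, makes the length handed to get_virt independent of that assumption. red_get_surface_cmd begins and ends outside the hunk.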
spice-0.11.0/debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch 2016-06-11 10:31:54.000000000 +0200
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 29 Feb 2016 14:34:49 +0000
+Subject: [PATCH] improve primary surface parameter checks
+
+Primary surface, as additional surfaces, can be used to access
+host memory from the guest using invalid parameters.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ server/red_worker.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/server/red_worker.c
++++ b/server/red_worker.c
+@@ -10633,6 +10633,15 @@
+ spice_warn_if(((uint64_t)abs(surface.stride) * (uint64_t)surface.height) !=
+ abs(surface.stride) * surface.height);
+
++ /* surface can arrive from guest unchecked so make sure
++ * guest is not a malicious one and drop invalid requests
++ */
++ if (!red_validate_surface(surface.width, surface.height,
++ surface.stride, surface.format)) {
++ spice_warning("wrong primary surface creation request");
++ return;
++ }
++
+ line_0 = (uint8_t*)get_virt(&worker->mem_slots, surface.mem,
+ surface.height * abs(surface.stride),
+ surface.group_id, &error);
diff -Nru spice-0.11.0/debian/patches/series spice-0.11.0/debian/patches/series
--- spice-0.11.0/debian/patches/series 2015-10-09 16:19:14.000000000 +0200
+++ spice-0.11.0/debian/patches/series 2016-06-11 10:31:54.000000000 +0200
@@ -20,3 +20,5 @@
 CVE-2015-5260_CVE-2015-5261/0017-Avoid-race-condition-copying-segments-in-red_get_pat.patch
 CVE-2015-5260_CVE-2015-5261/0018-Prevent-data_size-to-be-set-independently-from-data.patch
 CVE-2015-5260_CVE-2015-5261/0019-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch
+CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch
+CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch
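Review bot: The rejection path added to red_worker.c logs only a fixed string, `spice_warning("wrong primary surface creation request");`, so whoever investigates a misbehaving guest cannot see which parameters were refused. Logging the values, e.g. `spice_warning("wrong primary surface creation request: %ux%u stride %d format %u", surface.width, surface.height, surface.stride, surface.format);`, would make the event usable for detection; the field types are assumed from the red_validate_surface prototype. The bare `return;` also gives the caller no failure indication, so it is worth confirming that later code does not assume a primary surface exists; the enclosing function starts and ends outside the hunk. The get_virt call that follows still computes `surface.height * abs(surface.stride)` in 32 bits and relies entirely on the new check for its bound.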