
Wheezy update of spice?



Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of spice:
https://security-tracker.debian.org/tracker/CVE-2016-2150

Please find attached a debdiff of a test package I have already
prepared. You can also find it in the collab-maint git repo. Would you
like to upload it by yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, I will be happy to finish it.

Thank you very much.

Santiago R.R.,
  on behalf of the Debian LTS team.
diff -Nru spice-0.11.0/debian/changelog spice-0.11.0/debian/changelog
--- spice-0.11.0/debian/changelog	2015-10-09 16:19:14.000000000 +0200
+++ spice-0.11.0/debian/changelog	2016-06-11 10:31:54.000000000 +0200
@@ -1,3 +1,11 @@
+spice (0.11.0-1+deb7u3~pre1) wheezy-security; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2016-2150: Host memory access from guest using crafted primary
+    surface parameters (Closes: #826584)
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net>  Wed, 08 Jun 2016 12:54:13 +0200
+
 spice (0.11.0-1+deb7u2) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
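Review bot: The version in the new changelog entry, `0.11.0-1+deb7u3~pre1`, still carries the `~pre1` test suffix while targeting `wheezy-security`; it should become `0.11.0-1+deb7u3` before the real upload so the archive does not receive a pre-release version string. The entry also sets urgency=medium where the previous security upload directly below used urgency=high, which is worth confirming as intended for a guest-to-host memory access fix.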
diff -Nru spice-0.11.0/debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch spice-0.11.0/debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch
--- spice-0.11.0/debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch	1970-01-01 01:00:00.000000000 +0100
+++ spice-0.11.0/debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch	2016-06-11 10:31:54.000000000 +0200
@@ -0,0 +1,117 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 29 Feb 2016 14:24:03 +0000
+Subject: [PATCH] create a function to validate surface parameters
+
+Make possible to reuse it outside red-parse-qxl.c
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ server/red_parse_qxl.c | 50 ++++++++++++++++++++++++++++++++------------------
+ server/red_parse_qxl.h |  5 +++++
+ 2 files changed, 37 insertions(+), 18 deletions(-)
+
+--- a/server/red_parse_qxl.c
++++ b/server/red_parse_qxl.c
+@@ -19,7 +19,6 @@
+ #include <config.h>
+ #endif
+ 
+-#include <stdbool.h>
+ #include <inttypes.h>
+ #include "red_common.h"
+ #include "red_memslots.h"
+@@ -1193,13 +1192,41 @@
+     return 0;
+ }
+ 
++bool red_validate_surface(uint32_t width, uint32_t height,
++                          int32_t stride, uint32_t format)
++{
++    unsigned int bpp;
++    uint64_t size;
++
++    bpp = surface_format_to_bpp(format);
++
++    /* check if format is valid */
++    if (!bpp) {
++        return false;
++    }
++
++    /* check stride is larger than required bytes */
++    size = ((uint64_t) width * bpp + 7u) / 8u;
++    /* the uint32_t conversion is here to avoid problems with -2^31 value */
++    if (stride == G_MININT32 || size > (uint32_t) abs(stride)) {
++        return false;
++    }
++
++    /* the multiplication can overflow, also abs(-2^31) may return a negative value */
++    size = (uint64_t) height * abs(stride);
++    if (size > MAX_DATA_CHUNK) {
++        return false;
++    }
++
++    return true;
++}
++
+ int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
+                         RedSurfaceCmd *red, QXLPHYSICAL addr)
+ {
+     QXLSurfaceCmd *qxl;
+     uint64_t size;
+     int error;
+-    unsigned int bpp;
+ 
+     qxl = (QXLSurfaceCmd *)get_virt(slots, addr, sizeof(*qxl), group_id,
+                                     &error);
+@@ -1218,26 +1245,13 @@
+         red->u.surface_create.width  = qxl->u.surface_create.width;
+         red->u.surface_create.height = qxl->u.surface_create.height;
+         red->u.surface_create.stride = qxl->u.surface_create.stride;
+-        bpp = surface_format_to_bpp(red->u.surface_create.format);
+ 
+-        /* check if format is valid */
+-        if (!bpp) {
++        if (!red_validate_surface(red->u.surface_create.width, red->u.surface_create.height,
++                                  red->u.surface_create.stride, red->u.surface_create.format)) {
+             return 1;
+         }
+ 
+-        /* check stride is larger than required bytes */
+-        size = ((uint64_t) red->u.surface_create.width * bpp + 7u) / 8u;
+-        /* the uint32_t conversion is here to avoid problems with -2^31 value */
+-        if (red->u.surface_create.stride == G_MININT32
+-            || size > (uint32_t) abs(red->u.surface_create.stride)) {
+-            return 1;
+-        }
+-
+-        /* the multiplication can overflow, also abs(-2^31) may return a negative value */
+-        size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride);
+-        if (size > MAX_DATA_CHUNK) {
+-            return 1;
+-        }
++        size = red->u.surface_create.height * abs(red->u.surface_create.stride);
+         red->u.surface_create.data =
+             (uint8_t*)get_virt(slots, qxl->u.surface_create.data, size, group_id, &error);
+         if (error) {
+--- a/server/red_parse_qxl.h
++++ b/server/red_parse_qxl.h
+@@ -19,6 +19,8 @@
+ #ifndef RED_ABI_TRANSLATE_H
+ #define RED_ABI_TRANSLATE_H
+ 
++#include <stdbool.h>
++
+ #include <spice/qxl_dev.h>
+ #include "red_common.h"
+ #include "red_memslots.h"
+@@ -127,6 +129,9 @@
+                     RedMessage *red, QXLPHYSICAL addr);
+ void red_put_message(RedMessage *red);
+ 
++bool red_validate_surface(uint32_t width, uint32_t height,
++                          int32_t stride, uint32_t format);
++
+ int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
+                         RedSurfaceCmd *red, QXLPHYSICAL addr);
+ void red_put_surface_cmd(RedSurfaceCmd *red);
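Review bot: In the last red_parse_qxl.c hunk, the replacement line `size = red->u.surface_create.height * abs(red->u.surface_create.stride);` drops the `(uint64_t)` cast that the removed code had, so the product is now computed in 32 bits before being stored in the 64-bit `size`. That is only safe because red_validate_surface() has already rejected any height and stride whose 64-bit product exceeds MAX_DATA_CHUNK, and only if MAX_DATA_CHUNK itself fits in 32 bits, which these lines do not show. Keeping the cast, or adding a one-line comment that the multiplication relies on the preceding validation, would keep this line correct if the check is ever moved or relaxed. In red_validate_surface() itself the `stride == G_MININT32` test correctly short-circuits before the first abs(stride), and the later abs(stride) is reached only after that early return, so the comment "abs(-2^31) may return a negative value" now describes a case the function has already excluded and could be reworded.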
diff -Nru spice-0.11.0/debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch spice-0.11.0/debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch
--- spice-0.11.0/debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch	1970-01-01 01:00:00.000000000 +0100
+++ spice-0.11.0/debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch	2016-06-11 10:31:54.000000000 +0200
@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 29 Feb 2016 14:34:49 +0000
+Subject: [PATCH] improve primary surface parameter checks
+
+Primary surface, as additional surfaces, can be used to access
+host memory from the guest using invalid parameters.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ server/red_worker.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/server/red_worker.c
++++ b/server/red_worker.c
+@@ -10633,6 +10633,15 @@
+     spice_warn_if(((uint64_t)abs(surface.stride) * (uint64_t)surface.height) !=
+              abs(surface.stride) * surface.height);
+ 
++     /* surface can arrive from guest unchecked so make sure
++      * guest is not a malicious one and drop invalid requests
++      */
++     if (!red_validate_surface(surface.width, surface.height,
++                               surface.stride, surface.format)) {
++         spice_warning("wrong primary surface creation request");
++         return;
++     }
++
+     line_0 = (uint8_t*)get_virt(&worker->mem_slots, surface.mem,
+                                 surface.height * abs(surface.stride),
+                                 surface.group_id, &error);
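Review bot: The new red_validate_surface() check in red_worker.c is placed after the existing spice_warn_if(), which already evaluates abs(surface.stride) on the still-unchecked guest value, including the G_MININT32 case the validator exists to reject. Moving the validation block above spice_warn_if() would ensure no arithmetic is done on the guest-supplied stride and height before they are vetted, and would make that warning redundant. The get_virt() size argument `surface.height * abs(surface.stride)` remains a 32-bit product and depends on the new check for its bound, which deserves a short comment. As a style point, the added lines are indented with five spaces while the surrounding context uses four. These lines also do not show red_worker.c including red_parse_qxl.h, where the prototype is declared, so that is worth verifying in the build.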
diff -Nru spice-0.11.0/debian/patches/series spice-0.11.0/debian/patches/series
--- spice-0.11.0/debian/patches/series	2015-10-09 16:19:14.000000000 +0200
+++ spice-0.11.0/debian/patches/series	2016-06-11 10:31:54.000000000 +0200
@@ -20,3 +20,5 @@
 CVE-2015-5260_CVE-2015-5261/0017-Avoid-race-condition-copying-segments-in-red_get_pat.patch
 CVE-2015-5260_CVE-2015-5261/0018-Prevent-data_size-to-be-set-independently-from-data.patch
 CVE-2015-5260_CVE-2015-5261/0019-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch
+CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch
+CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch
