[pve-devel] [PATCH libspice-server] update spice to 0.14.3 and add patches for CVE-2020-14355

Oguz Bektas o.bektas at proxmox.com
Tue Oct 6 16:53:44 CEST 2020


the original email is in oss-security[0], patches are from upstream
gitlab. (commits linked in the email)

removed the already applied monitor patch.

[0]: https://www.openwall.com/lists/oss-security/2020/10/06/10

Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---
 Makefile                                      | 10 ++---
 changelog.Debian                              |  7 +++
 patches/CVE-2020-14355_1.patch                | 28 ++++++++++++
 patches/CVE-2020-14355_2.patch                | 43 +++++++++++++++++++
 patches/CVE-2020-14355_3.patch                | 30 +++++++++++++
 patches/CVE-2020-14355_4.patch                | 29 +++++++++++++
 ...ke-sure-we-have-at-least-one-monitor.patch | 33 --------------
 7 files changed, 142 insertions(+), 38 deletions(-)
 create mode 100644 patches/CVE-2020-14355_1.patch
 create mode 100644 patches/CVE-2020-14355_2.patch
 create mode 100644 patches/CVE-2020-14355_3.patch
 create mode 100644 patches/CVE-2020-14355_4.patch
 delete mode 100644 patches/red-qxl-make-sure-we-have-at-least-one-monitor.patch

diff --git a/Makefile b/Makefile
index 01bed58..6a34c84 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,9 @@
 SOURCE=spice
 PACKAGE=libspice-server1
 
-PKGVERSION=0.14.2
-DEBVERSION=0.14.2-4
-PVERELEASE=pve6+1
+PKGVERSION=0.14.3
+DEBVERSION=0.14.3-1
+PVERELEASE=pve6
 
 VERSION := $(DEBVERSION)~$(PVERELEASE)
 
@@ -29,7 +29,7 @@ $(DEB): $(SOURCE)_$(PKGVERSION).orig.tar.bz2 $(SOURCE)_$(DEBVERSION).debian.tar.
 	tar xf $(SOURCE)_$(DEBVERSION).debian.tar.xz -C $(SOURCE)-$(PKGVERSION)
 	cat changelog.Debian $(PKGDIR)/debian/changelog > $(PKGDIR)/debian/changelog.tmp
 	mv $(PKGDIR)/debian/changelog.tmp $(PKGDIR)/debian/changelog
-	cd $(PKGDIR); for patch in ../patches/*.patch; do echo "applying patch '$$patch'" && patch -p1 < "$${patch}"; done
+	cd $(PKGDIR); for patch in ../patches/*.patch; do echo "applying patch '$$patch'" && patch -Np1 < "$${patch}"; done
 	cd ${PKGDIR}; dpkg-buildpackage -b -us -uc
 	lintian ${DEBS}
 
@@ -38,7 +38,7 @@ $(DEB): $(SOURCE)_$(PKGVERSION).orig.tar.bz2 $(SOURCE)_$(DEBVERSION).debian.tar.
 download: $(SOURCE)_$(PKGVERSION).orig.tar.bz2 $(SOURCE)_$(DEBVERSION).debian.tar.xz
 $(SOURCE)_$(PKGVERSION).orig.tar.bz2: $(SOURCE)_$(DEBVERSION).debian.tar.xz
 $(SOURCE)_$(DEBVERSION).debian.tar.xz:
-	dget http://deb.debian.org/debian/pool/main/s/spice/spice_0.14.2-4.dsc
+	dget http://deb.debian.org/debian/pool/main/s/spice/spice_0.14.3-1.dsc
 
 .PHONY: upload
 upload: ${DEBS}
diff --git a/changelog.Debian b/changelog.Debian
index 14c019c..d1b4489 100644
--- a/changelog.Debian
+++ b/changelog.Debian
@@ -1,3 +1,10 @@
+spice (0.14.3-1~pve6) pve; urgency=medium
+
+  [ Proxmox Support Team ]
+  * add patches for CVE-2020-14355 from oss-security
+
+ -- Proxmox Support Team <support at proxmox.com>  Tue, 06 Oct 2020 16:33:30 +0200
+
 spice (0.14.2-4~pve6+1) pve; urgency=medium
 
   [ Proxmox Support Team ]
diff --git a/patches/CVE-2020-14355_1.patch b/patches/CVE-2020-14355_1.patch
new file mode 100644
index 0000000..c76847c
--- /dev/null
+++ b/patches/CVE-2020-14355_1.patch
@@ -0,0 +1,28 @@
+commit 762e0abae36033ccde658fd52d3235887b60862d
+Author: Frediano Ziglio <freddy77 at gmail.com>
+Date:   Wed Apr 29 15:09:13 2020 +0100
+
+    quic: Check we have some data to start decoding quic image
+    
+    All paths already pass some data to quic_decode_begin but for the
+    test check it, it's not that expensive test.
+    Checking for not 0 is enough, all other words will potentially be
+    read calling more_io_words but we need one to avoid a potential
+    initial buffer overflow or deferencing an invalid pointer.
+    
+    Signed-off-by: Frediano Ziglio <freddy77 at gmail.com>
+    Acked-by: Uri Lublin <uril at redhat.com>
+
+diff --git a/subprojects/spice-common/quic.c b/subprojects/spice-common/quic.c
+index e2dee0f..bc753ca 100644
+--- a/subprojects/spice-common/common/quic.c
++++ b/subprojects/spice-common/common/quic.c
+@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
+     int channels;
+     int bpc;
+ 
+-    if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
++    if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
+         return QUIC_ERROR;
+     }
+ 
diff --git a/patches/CVE-2020-14355_2.patch b/patches/CVE-2020-14355_2.patch
new file mode 100644
index 0000000..6926286
--- /dev/null
+++ b/patches/CVE-2020-14355_2.patch
@@ -0,0 +1,43 @@
+commit 404d74782c8b5e57d146c5bf3118bb41bf3378e4
+Author: Frediano Ziglio <freddy77 at gmail.com>
+Date:   Wed Apr 29 15:10:24 2020 +0100
+
+    quic: Check image size in quic_decode_begin
+    
+    Avoid some overflow in code due to images too big or
+    negative numbers.
+    
+    Signed-off-by: Frediano Ziglio <freddy77 at gmail.com>
+    Acked-by: Uri Lublin <uril at redhat.com>
+
+diff --git a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c
+index bc753ca..6815316 100644
+--- a/subprojects/spice-common/common/quic.c
++++ b/subprojects/spice-common/common/quic.c
+@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
+ #define MINwminext 1
+ #define MAXwminext 100000000
+ 
++/* Maximum image size in pixels, mainly to avoid possible integer overflows */
++#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
++
+ typedef struct QuicFamily {
+     unsigned int nGRcodewords[MAXNUMCODES];      /* indexed by code number, contains number of
+                                                     unmodified GR codewords in the code */
+@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
+     height = encoder->io_word;
+     decode_eat32bits(encoder);
+ 
++    if (width <= 0 || height <= 0) {
++        encoder->usr->warn(encoder->usr, "invalid size\n");
++        return QUIC_ERROR;
++    }
++
++    /* avoid too big images */
++    if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
++        encoder->usr->error(encoder->usr, "image too large\n");
++    }
++
+     quic_image_params(encoder, type, &channels, &bpc);
+ 
+     if (!encoder_reset_channels(encoder, channels, width, bpc)) {
diff --git a/patches/CVE-2020-14355_3.patch b/patches/CVE-2020-14355_3.patch
new file mode 100644
index 0000000..77ea4ba
--- /dev/null
+++ b/patches/CVE-2020-14355_3.patch
@@ -0,0 +1,30 @@
+commit ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206
+Author: Frediano Ziglio <freddy77 at gmail.com>
+Date:   Wed Apr 29 15:11:38 2020 +0100
+
+    quic: Check RLE lengths
+    
+    Avoid buffer overflows decoding images. On compression we compute
+    lengths till end of line so it won't cause regressions.
+    Proved by fuzzing the code.
+    
+    Signed-off-by: Frediano Ziglio <freddy77 at gmail.com>
+    Acked-by: Uri Lublin <uril at redhat.com>
+
+diff --git a/subprojects/spice-common/common/quic_tmpl.c b/subprojects/spice-common/common/quic_tmpl.c
+index ecd6f3f..ebae992 100644
+--- a/subprojects/spice-common/common/quic_tmpl.c
++++ b/subprojects/spice-common/common/quic_tmpl.c
+@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
+ do_run:
+         state->waitcnt = stopidx - i;
+         run_index = i;
+-        run_end = i + decode_state_run(encoder, state);
++        run_end = decode_state_run(encoder, state);
++        if (run_end < 0 || run_end > (end - i)) {
++            encoder->usr->error(encoder->usr, "wrong RLE\n");
++        }
++        run_end += i;
+ 
+         for (; i < run_end; i++) {
+             UNCOMPRESS_PIX_START(&cur_row[i]);
diff --git a/patches/CVE-2020-14355_4.patch b/patches/CVE-2020-14355_4.patch
new file mode 100644
index 0000000..64b039d
--- /dev/null
+++ b/patches/CVE-2020-14355_4.patch
@@ -0,0 +1,29 @@
+commit b24fe6b66b86e601c725d30f00c37e684b6395b6
+Author: Frediano Ziglio <freddy77 at gmail.com>
+Date:   Thu Apr 30 10:19:09 2020 +0100
+
+    quic: Avoid possible buffer overflow in find_bucket
+    
+    Proved by fuzzing the code.
+    
+    Signed-off-by: Frediano Ziglio <freddy77 at gmail.com>
+    Acked-by: Uri Lublin <uril at redhat.com>
+
+diff --git a/subprojects/spice-common/common/quic_family_tmpl.c b/subprojects/spice-common/common/quic_family_tmpl.c
+index 8a5f7d2..6cc051b 100644
+--- a/subprojects/spice-common/common/quic_family_tmpl.c
++++ b/subprojects/spice-common/common/quic_family_tmpl.c
+@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
+ {
+     spice_extra_assert(val < (0x1U << BPC));
+ 
+-    return channel->_buckets_ptrs[val];
++    /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
++     * attempts. Is much faster then using comparisons and save us from such situations.
++     * Note that on normal build the check above won't be compiled as this code path
++     * is pretty hot and would cause speed regressions.
++     */
++    return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
+ }
+ 
+ #undef FNAME
diff --git a/patches/red-qxl-make-sure-we-have-at-least-one-monitor.patch b/patches/red-qxl-make-sure-we-have-at-least-one-monitor.patch
deleted file mode 100644
index 407e986..0000000
--- a/patches/red-qxl-make-sure-we-have-at-least-one-monitor.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 4f2d90a7849fafebc74dec608f9b4ffa9400d1a6 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <fziglio at redhat.com>
-Date: Thu, 19 Sep 2019 11:17:08 +0100
-Subject: red-qxl: Make sure we have at least one monitor
-
-It does not make sense to have a graphic card without a monitor.
-In spice_qxl_set_max_monitors we prevent to set 0 monitors, do
-the same in spice_qxl_set_device_info.
-
-This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1691721.
-
-Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
-Tested-by: Dr. David Alan Gilbert <dgilbert at redhat.com>
-Acked-by: Victor Toso <victortoso at redhat.com>
----
- server/red-qxl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/server/red-qxl.c b/server/red-qxl.c
-index 0334827..dbfcd44 100644
---- a/server/red-qxl.c
-+++ b/server/red-qxl.c
-@@ -804,7 +804,7 @@ void spice_qxl_set_device_info(QXLInstance *instance,
-     }
- 
-     instance->st->monitors_count = device_display_id_count;
--    instance->st->max_monitors = device_display_id_count;
-+    instance->st->max_monitors = MAX(1u, device_display_id_count);
- 
-     reds_send_device_display_info(red_qxl_get_server(instance->st));
- }
--- 
-cgit v1.1
-- 
2.20.1





More information about the pve-devel mailing list