Package: spice-gtk / 0.35-2
Metadata
Package | Version | Patches format |
---|---|---|
spice-gtk | 0.35-2 | 3.0 (quilt) |
Patch series

0001 Fix flexible array buffer overflow.patch
File delta: spice-common/python_modules/demarshal.py | 1 1 + 0 - 0 !
Description:

[patch] fix flexible array buffer overflow

This is kind of a DoS: possibly a flexible array in the protocol causes the network size check to be ignored due to integer overflows.

The size of the flexible array is computed as (message_end - position), then this size is added to the number of bytes before the array and this number is used to check if we overflow the initial message.

An example is:

    message {
        uint32 dummy[2];
        uint8 data[] @end;
    } LenMessage;

which generated this (simplified, useless code removed) code:

    {
        /* data */
        data__nelements = message_end - (start + 8);

        data__nw_size = data__nelements;
    }

    nw_size = 8 + data__nw_size;

    /* Check if message fits in reported side */
    if (nw_size > (uintptr_t) (message_end - start)) {
        return NULL;
    }

Following the code:

- data__nelements == message_end - (start + 8)
- data__nw_size == data__nelements == message_end - (start + 8)
- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) == 8 + message_end - start - 8 == message_end - start
- the check for overflow is (nw_size > (message_end - start)) but nw_size == message_end - start, so the check is doing ((message_end - start) > (message_end - start)), which is always false.

If message_end - start < 8 then the data__nelements (number of elements in the array above) computation generates an integer underflow that later creates a buffer overflow.

Add a check to make sure that the array starts before the message ends to avoid the overflow.

0002 quic Prevent side effects calling C macros.patch
File delta: spice-common/common/quic.c | 6 4 + 2 - 0 !
Description:

[patch] quic: prevent side effects calling C macros

In some architectures GLib macros to change endianness use the argument multiple times, causing possible side effects. This happens, for instance, using Debian SID and MIPS.

This fixes https://gitlab.freedesktop.org/spice/spice-common/issues/1.

Reported-by: Laurent Bigonville <[email protected]>
Tested-by: Laurent Bigonville <[email protected]>
Signed-off-by: Frediano Ziglio <[email protected]>
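The first patch's reasoning, as an added example that is not spice-common's or Debian's code: a C model of the size check demarshal.py generates for LenMessage, before and after the fix. The function names, the 64-byte backing buffer and the exact form of the added check (written from the commit message's description) are assumptions for illustration.

```c
/* Added example, not code from spice-common: models the size check that
 * demarshal.py generates for
 *     message { uint32 dummy[2]; uint8 data[] @end; } LenMessage;
 * Addresses are uintptr_t so the wrap-around is well-defined. */
#include <stdint.h>
#include <stdio.h>

/* Pre-patch logic. Returns 1 if the message is accepted, 0 if rejected;
 * *nelements receives the computed flexible-array element count. */
static int lenmessage_check_before(uintptr_t start, uintptr_t message_end,
                                   uintptr_t *nelements)
{
    uintptr_t data__nelements, data__nw_size, nw_size;

    /* data: everything after the two uint32 fields (8 bytes). If the
     * message is shorter than 8 bytes this subtraction wraps around. */
    data__nelements = message_end - (start + 8);
    data__nw_size = data__nelements;
    nw_size = 8 + data__nw_size;          /* always == message_end - start */
    *nelements = data__nelements;

    /* "Check if message fits in reported size": can never be true. */
    if (nw_size > message_end - start)
        return 0;
    return 1;
}

/* Post-patch logic, modelled on the commit message (not the exact generated
 * line): the array must start before the message ends. */
static int lenmessage_check_after(uintptr_t start, uintptr_t message_end,
                                  uintptr_t *nelements)
{
    if (start + 8 > message_end)          /* added check: no underflow possible */
        return 0;
    return lenmessage_check_before(start, message_end, nelements);
}

/* Run both checks on a constructed message of `len` bytes (len <= 64). */
static void run_checks(size_t len, int *before, int *after, uintptr_t *nelements)
{
    static uint8_t buf[64];               /* constructed receive buffer */
    uintptr_t start = (uintptr_t)buf, end = start + len, unused;
    *before = lenmessage_check_before(start, end, nelements);
    *after = lenmessage_check_after(start, end, &unused);
}

int main(void)
{
    int before, after; uintptr_t n;
    run_checks(4, &before, &after, &n);   /* 4 bytes: shorter than the 8-byte header */
    printf("len=4: before=%d nelements=%#lx after=%d\n", before, (unsigned long)n, after);
    return 0;
}
```

For the 4-byte message the pre-patch check accepts it with a wrapped element count, while the added check rejects it; a 12-byte message passes both with nelements == 4.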