On 08/01/2016 02:01 PM, Frediano Ziglio wrote:
key and key_ext in SpiceKbdState are indexed using state[scan & 0x7f], where scan is an 8-bit value received from the client. In theory the client can send any value, causing scan & 0x7f to be 0x7f. However, these arrays contain only 0x7f entries, so 0x7f causes an off-by-one overflow. This potentially causes key_ext to overflow into the reds pointer that follows. Happily this is not exploitable in either a 32- or 64-bit environment. On 64 bit key_ext is followed by 4 bytes of padding (sizeof(bool) == 4), which is what the possible overflow writes. On 32 bit reds will be overwritten with either 0 or 1, which will cause a SIGSEGV leading to a DoS. Considering that you have to have access to the machine with a client, you are just shutting down only guests you can access.
Ack, Uri.
Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx> --- server/inputs-channel.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/server/inputs-channel.c b/server/inputs-channel.c index e91f7e1..8f0a206 100644 --- a/server/inputs-channel.c +++ b/server/inputs-channel.c @@ -60,8 +60,8 @@ struct SpiceKbdState { bool push_ext; /* track key press state */ - bool key[0x7f]; - bool key_ext[0x7f]; + bool key[0x80]; + bool key_ext[0x80]; RedsState *reds; };
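Review bot: the relation that makes this hunk correct, namely that scan & 0x7f can produce at most 0x7f and the arrays now hold 0x80 entries, stays implicit in the struct, so a later edit to either the mask at the index sites in inputs-channel.c or the array length could reintroduce the off-by-one unnoticed. Consider naming the length and tying the two together, e.g. `#define KBD_KEYS 0x80`, `bool key[KBD_KEYS];`, `bool key_ext[KBD_KEYS];`, with the mask derived from it (KBD_KEYS - 1) or a static assert that the mask is below the length, or alternatively an explicit bounds check at the use sites. Separately, the layout argument in the commit message rests on sizeof(bool) == 4; with a C99 <stdbool.h> bool the entries are 1 byte on common ABIs, so it is worth confirming which bool this struct uses, although the enlarged arrays remove the out-of-bounds index either way.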
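To make the layout argument in the commit message concrete, the following is an added example, not code from spice-server. It mirrors SpiceKbdState before and after the patch and computes, from offsetof, where the write for a hostile scan code lands. Assumptions of the example: kbd_bool is an int stand-in chosen to match the sizeof(bool) == 4 the message reports; RedsState is an opaque stand-in; the sentinel pointer is constructed; the names KBD_KEYS, KBD_SCAN_MASK, vuln_key_ext_write_offset, vuln_write_hits_reds, fixed_set_key and fixed_all_scans_preserve_reds are hypothetical and not spice identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opaque stand-in for spice-server's RedsState: only its address matters here. */
typedef struct RedsState RedsState;

/* Assumption of this example: the commit message reports sizeof(bool) == 4 in
 * the spice build, so a 4-byte type reproduces the offsets it describes.
 * With a 1-byte C99 bool the same reasoning applies with smaller numbers. */
typedef int kbd_bool;

#define KBD_SCAN_MASK 0x7f   /* mask applied to the 8-bit scan code from the client */
#define KBD_KEYS      0x80   /* array length after the patch */

/* Layout before the patch: 0x7f entries, but scan & 0x7f can reach 0x7f. */
struct SpiceKbdStateVuln {
    kbd_bool push_ext;
    kbd_bool key[0x7f];
    kbd_bool key_ext[0x7f];
    RedsState *reds;
};

/* Layout after the patch, with the relation between mask and length made explicit. */
struct SpiceKbdStateFixed {
    kbd_bool push_ext;
    kbd_bool key[KBD_KEYS];
    kbd_bool key_ext[KBD_KEYS];
    RedsState *reds;
};
_Static_assert(KBD_SCAN_MASK < KBD_KEYS, "every masked scan code must be a valid index");

/* True if scan & 0x7f indexes past the end of the pre-patch key_ext array. */
bool vuln_write_out_of_bounds(uint8_t scan)
{
    return (scan & KBD_SCAN_MASK) >= 0x7f;
}

/* Byte offset within SpiceKbdStateVuln at which key_ext[scan & 0x7f] is written.
 * For an out-of-bounds scan code this is one past the end of key_ext. */
size_t vuln_key_ext_write_offset(uint8_t scan)
{
    return offsetof(struct SpiceKbdStateVuln, key_ext)
           + (size_t)(scan & KBD_SCAN_MASK) * sizeof(kbd_bool);
}

/* True if that write overlaps the reds pointer instead of alignment padding:
 * with an 8-byte pointer the 4 bytes at offset 1020 are padding, with a
 * 4-byte pointer they are reds itself, as the commit message describes. */
bool vuln_write_hits_reds(uint8_t scan)
{
    size_t off = vuln_key_ext_write_offset(scan);
    size_t reds = offsetof(struct SpiceKbdStateVuln, reds);
    return off + sizeof(kbd_bool) > reds && off < reds + sizeof(RedsState *);
}

/* Hardened accessor for the patched layout: masks the scan code and still
 * rejects an index that would leave the array, so a future change to the
 * mask or the array length fails closed instead of corrupting reds. */
bool fixed_set_key(struct SpiceKbdStateFixed *st, uint8_t scan, bool ext, bool pressed)
{
    unsigned idx = scan & KBD_SCAN_MASK;
    kbd_bool *table = ext ? st->key_ext : st->key;
    if (idx >= KBD_KEYS)
        return false;
    table[idx] = pressed;
    return true;
}

/* Drive every possible 8-bit scan code through the patched layout and report
 * whether the reds pointer (a constructed sentinel value) survives untouched. */
bool fixed_all_scans_preserve_reds(void)
{
    struct SpiceKbdStateFixed st = {0};
    RedsState *sentinel = (RedsState *)(uintptr_t)0x5ca1ab1e;
    st.reds = sentinel;
    for (unsigned scan = 0; scan < 256; scan++) {
        if (!fixed_set_key(&st, (uint8_t)scan, false, true) ||
            !fixed_set_key(&st, (uint8_t)scan, true, true))
            return false;
    }
    return st.reds == sentinel && st.key[0x7f] && st.key_ext[0x7f];
}

int main(void)
{
    uint8_t scan = 0xff;   /* worst case the client can send: scan & 0x7f == 0x7f */
    printf("pre-patch: key_ext[0x%02x] written at offset %zu, reds at offset %zu -> %s\n",
           scan & KBD_SCAN_MASK, vuln_key_ext_write_offset(scan),
           offsetof(struct SpiceKbdStateVuln, reds),
           vuln_write_hits_reds(scan) ? "reds overwritten" : "lands in padding");
    printf("post-patch: all 256 scan codes leave reds intact: %s\n",
           fixed_all_scans_preserve_reds() ? "yes" : "no");
    return 0;
}
```

Built with `gcc -std=c11 -Wall` on a 64-bit host the first line reports the write at offset 1020 with reds at 1024, i.e. it lands in padding; with `-m32` reds sits at 1020 and the same write overwrites it, which is the DoS case the commit message describes. The example deliberately never performs the out-of-bounds store; it reasons about addresses only, so it is safe to run under sanitizers.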
_______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel