[PATCH spice-common 0/6] Multiple buffer overflow vulnerabilities in QUIC decoding code

From: Frediano Ziglio <freddy77@xxxxxxxxx>

The patches in this series address CVE-2020-14355.

Multiple buffer overflow vulnerabilities were found in the QUIC image decoding
process of the SPICE remote display system. More specifically, these flaws
reside in the spice-common shared code between the client and server of SPICE.
In other words, both the client (spice-gtk) and server are affected by these
flaws. A malicious client or server could send specially crafted messages
which could result in a process crash or potential code execution scenario.

* One issue leading to a controlled write overflow is due to the 'width *
   height' integer overflow. Using this overflow an attacker could cause a small
   allocation and control the data using compressed data. Note that, using the
   check for input data, the attacker can avoid the crash by filling the whole
   needed buffer.  ("quic: Check image size in quic_decode_begin" patch).

* Another controlled write could be achieved using the RLE decode, which is
   done line by line, in theory with former lines writing more bytes in order
   to build the desired buffer content after the allocated buffer. ("quic:
   Check RLE lengths" patch).

* The "quic: Avoid possible buffer overflow in find_bucket" patch fixes a read
   buffer overflow which will dereference an invalid pointer, mainly causing a
   crash.


* Embargo date+time: Tue, 06 Oct 2020, 12:00 hrs. UTC.

Frediano Ziglio (6):
  quic: Check we have some data to start decoding quic image
  quic: Check image size in quic_decode_begin
  quic: Check RLE lengths
  quic: Avoid possible buffer overflow in find_bucket
  test-quic: Add fuzzer capabilities to the test
  test-quic: Add test cases for quic fuzzer

 common/quic.c                          |  15 +++++++-
 common/quic_family_tmpl.c              |   7 +++-
 common/quic_tmpl.c                     |   6 ++-
 tests/fuzzer-quic-testcases/test1.quic | Bin 0 -> 4292 bytes
 tests/fuzzer-quic-testcases/test2.quic | Bin 0 -> 2808 bytes
 tests/fuzzer-quic-testcases/test3.quic | Bin 0 -> 2556 bytes
 tests/fuzzer-quic-testcases/test4.quic | Bin 0 -> 30892 bytes
 tests/test-quic.c                      |  51 ++++++++++++++++++++++++-
 8 files changed, 75 insertions(+), 4 deletions(-)
 create mode 100644 tests/fuzzer-quic-testcases/test1.quic
 create mode 100644 tests/fuzzer-quic-testcases/test2.quic
 create mode 100644 tests/fuzzer-quic-testcases/test3.quic
 create mode 100644 tests/fuzzer-quic-testcases/test4.quic

-- 
2.26.2
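The two controlled-write patterns described in the cover letter above (the
'width * height' wrap producing an undersized allocation, and RLE runs that
cross the end of a line), shown on a toy RLE image decoder. This is an added
example, not spice-common code: the toy_* functions, the TOY_MAX_DIM limit and
the (run_length, value) byte format are invented for the illustration, and the
sample inputs are constructed.

```c
/* Illustration of the two write-overflow patterns described in the cover
 * letter, on a toy RLE image decoder.  This is NOT spice-common code; all
 * toy_* names, the TOY_MAX_DIM limit and the RLE byte format are invented.
 *
 *  1. 'width * height' computed in 32 bits can wrap, so the allocation is
 *     far smaller than the pixel data the decoder later writes.
 *  2. An RLE run that crosses the end of the current line writes past the
 *     line (and, on the last line, past the buffer) unless its length is
 *     checked against the bytes remaining in the line.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define TOY_MAX_DIM 16384u  /* assumed upper bound on one image dimension */

/* Vulnerable size computation: the 32-bit product wraps silently. */
static uint32_t toy_pixels_unchecked(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Hardened size computation: bound each dimension first, then multiply
 * in 64 bits. Returns 0 when the header must be rejected. */
static uint64_t toy_pixels_checked(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0 ||
        width > TOY_MAX_DIM || height > TOY_MAX_DIM)
        return 0;
    return (uint64_t)width * (uint64_t)height;
}

/* Decode one line of (run_length, value) byte pairs into dst, which holds
 * exactly `width` bytes. Returns the number of input bytes consumed, or
 * -1 if the input is truncated or a run would cross the end of the line. */
static int toy_rle_decode_line(const uint8_t *src, size_t src_len,
                               uint8_t *dst, size_t width)
{
    size_t in = 0, out = 0;

    while (out < width) {
        if (in + 2 > src_len)
            return -1;                    /* truncated input */
        size_t run = src[in];
        uint8_t value = src[in + 1];
        in += 2;
        if (run == 0 || run > width - out)
            return -1;                    /* run would overflow the line */
        memset(dst + out, value, run);
        out += run;
    }
    return (int)in;
}

/* Allocate the pixel buffer from the checked size and decode every line.
 * Returns a malloc'd buffer of width*height bytes, or NULL if any input
 * is rejected. The caller frees the result. */
static uint8_t *toy_decode_image(uint32_t width, uint32_t height,
                                 const uint8_t *src, size_t src_len)
{
    uint64_t pixels = toy_pixels_checked(width, height);
    if (pixels == 0)
        return NULL;

    uint8_t *buf = malloc((size_t)pixels);
    if (buf == NULL)
        return NULL;

    size_t pos = 0;
    for (uint32_t y = 0; y < height; y++) {
        int used = toy_rle_decode_line(src + pos, src_len - pos,
                                       buf + (size_t)y * width, width);
        if (used < 0) {
            free(buf);
            return NULL;
        }
        pos += (size_t)used;
    }
    return buf;
}

int main(void)
{
    /* 65537 * 65537 = 2^32 + 2^17 + 1, which wraps to 131073 in 32 bits:
     * a tiny allocation for an image the decoder would fill line by line. */
    printf("unchecked pixels for 65537x65537: %u\n",
           toy_pixels_unchecked(65537u, 65537u));
    printf("checked pixels for 65537x65537: %llu (0 = rejected)\n",
           (unsigned long long)toy_pixels_checked(65537u, 65537u));

    /* Constructed input: the second line's run of 6 exceeds the 4-byte line. */
    const uint8_t crafted[] = { 4, 0x11, 6, 0x22 };
    uint8_t *img = toy_decode_image(4, 2, crafted, sizeof crafted);
    printf("crafted RLE image %s\n", img ? "accepted" : "rejected");
    free(img);
    return 0;
}
```

The dimension bound is checked before the multiplication rather than after it,
because once the 32-bit product has wrapped there is nothing left to compare
against; the RLE check compares each run against the bytes still free in the
current line, so a run can never spill into the next line or past the end of
the buffer.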

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel