59 lines
2.1 KiB
Diff
59 lines
2.1 KiB
Diff
|
Fix CVE-2017-15118:
|
||
|
|
||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15118
|
||
|
https://bugzilla.redhat.com/show_bug.cgi?id=1516922
|
||
|
|
||
|
Patch copied from upstream source repository:
|
||
|
|
||
|
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=51ae4f8455c9e32c54770c4ebc25bf86a8128183
|
||
|
|
||
|
From 51ae4f8455c9e32c54770c4ebc25bf86a8128183 Mon Sep 17 00:00:00 2001
|
||
|
From: Eric Blake <eblake@redhat.com>
|
||
|
Date: Wed, 22 Nov 2017 15:07:22 -0600
|
||
|
Subject: [PATCH] nbd/server: CVE-2017-15118 Stack smash on large export name
|
||
|
|
||
|
Introduced in commit f37708f6b8 (2.10). The NBD spec says a client
|
||
|
can request export names up to 4096 bytes in length, even though
|
||
|
they should not expect success on names longer than 256. However,
|
||
|
qemu hard-codes the limit of 256, and fails to filter out a client
|
||
|
that probes for a longer name; the result is a stack smash that can
|
||
|
potentially give an attacker arbitrary control over the qemu
|
||
|
process.
|
||
|
|
||
|
The smash can be easily demonstrated with this client:
|
||
|
$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
|
||
|
|
||
|
If the qemu NBD server binary (whether the standalone qemu-nbd, or
|
||
|
the builtin server of QMP nbd-server-start) was compiled with
|
||
|
-fstack-protector-strong, the ability to exploit the stack smash
|
||
|
into arbitrary execution is a lot more difficult (but still
|
||
|
theoretically possible to a determined attacker, perhaps in
|
||
|
combination with other CVEs). Still, crashing a running qemu (and
|
||
|
losing the VM) is bad enough, even if the attacker did not obtain
|
||
|
full execution control.
|
||
|
|
||
|
CC: qemu-stable@nongnu.org
|
||
|
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||
|
---
|
||
|
nbd/server.c | 4 ++++
|
||
|
1 file changed, 4 insertions(+)
|
||
|
|
||
|
diff --git a/nbd/server.c b/nbd/server.c
|
||
|
index a81801e3bc..92c0fdd03b 100644
|
||
|
--- a/nbd/server.c
|
||
|
+++ b/nbd/server.c
|
||
|
@@ -386,6 +386,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length,
|
||
|
msg = "name length is incorrect";
|
||
|
goto invalid;
|
||
|
}
|
||
|
+ if (namelen >= sizeof(name)) {
|
||
|
+ msg = "name too long for qemu";
|
||
|
+ goto invalid;
|
||
|
+ }
|
||
|
if (nbd_read(client->ioc, name, namelen, errp) < 0) {
|
||
|
return -EIO;
|
||
|
}
|
||
|
--
|
||
|
2.15.0
|
||
|
|