From: "Daniel P. Berrange"
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org
Date: Tue, 17 Oct 2017 15:36:55 +0100
Message-Id: <20171017143655.31277-1-berrange@redhat.com>
Subject: [Qemu-devel] [PATCH for 2.10] io: monitor encoutput buffer size from websocket GSource

The websocket GSource is monitoring the size of the rawoutput buffer to determine if the channel can accept more writes. The rawoutput buffer, however, is merely a temporary staging buffer before data is copied into the encoutput buffer. Thus its size will always be zero when the GSource runs.

This flaw causes the encoutput buffer to grow without bound if the other end of the underlying data channel doesn't read data being sent. This can be seen with VNC if a client is on a slow WAN link and the guest OS is sending many screen updates. A malicious VNC client can act like it is on a slow link by playing a video in the guest and then reading data very slowly, causing QEMU host memory to expand arbitrarily.

This issue is assigned CVE-2017-15268, publicly reported in
https://bugs.launchpad.net/qemu/+bug/1718964

(cherry picked from commit a7b20a8efa28e5f22c26c06cd06c2f12bc863493)

Reviewed-by: Eric Blake
[Dan: Added extra checks to deal with code refactored in master but not stable 2.10]
Signed-off-by: Daniel P. Berrange --- io/channel-websock.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/io/channel-websock.c b/io/channel-websock.c index 5a3badbec2..19116dc148 100644 --- a/io/channel-websock.c +++ b/io/channel-websock.c @@ -26,7 +26,7 @@ #include "trace.h" =20 =20 -/* Max amount to allow in rawinput/rawoutput buffers */ +/* Max amount to allow in rawinput/encoutput buffers */ #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192 =20 #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24 @@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source, if (wsource->wioc->rawinput.offset) { cond |=3D G_IO_IN; } - if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { + if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { cond |=3D G_IO_OUT; } =20 @@ -1022,7 +1022,7 @@ qio_channel_websock_source_check(GSource *source) if (wsource->wioc->rawinput.offset) { cond |=3D G_IO_IN; } - if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { + if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { cond |=3D G_IO_OUT; } =20 @@ -1041,7 +1041,7 @@ qio_channel_websock_source_dispatch(GSource *source, if (wsource->wioc->rawinput.offset) { cond |=3D G_IO_IN; } - if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { + if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { cond |=3D G_IO_OUT; } =20 --=20 2.13.6
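Review bot: the comment hunk at the top of the file now reads "rawinput/encoutput buffers", which matches the three checks below, but it still presents the constant as bounding both buffers symmetrically; a short clause stating that rawoutput is only a transient staging buffer that is emptied into encoutput before the GSource runs would stop the next reader from reintroducing the rawoutput check that this patch removes.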
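Review bot: the identical condition `if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { cond |= G_IO_OUT; }` is now repeated in qio_channel_websock_source_prepare, qio_channel_websock_source_check and qio_channel_websock_source_dispatch, so a future change to which buffer is bounded has three places to miss; consider computing cond in one static helper shared by the three callbacks. Separately, this check only stops reporting G_IO_OUT once encoutput.offset has already reached the limit and does not itself cap the buffer, so it is worth confirming that a single write cannot append much more than one encoded frame beyond QIO_CHANNEL_WEBSOCK_MAX_BUFFER.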
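As an added illustration (not code from the patch or from QEMU), the following constructed C model reproduces the back-pressure logic the commit message describes: a write stages its payload in rawoutput and encodes it into encoutput in the same call, so the buggy GSource predicate always sees rawoutput empty and keeps reporting G_IO_OUT, while the fixed predicate watches encoutput. The struct, FRAME_OVERHEAD and the simulate() driver are assumptions of this model, not QEMU identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the output buffers in io/channel-websock.c: only offsets
 * matter for the back-pressure decision, so no bytes are stored. */
#define MAX_BUFFER 8192    /* same value as QIO_CHANNEL_WEBSOCK_MAX_BUFFER */
#define FRAME_OVERHEAD 4   /* assumed per-frame header size, not QEMU's real encoder */

struct wsmodel {
    size_t rawoutput_offset; /* staging buffer, always drained into encoutput */
    size_t encoutput_offset; /* encoded frames waiting for the socket */
    size_t peak_encoutput;   /* high-water mark: what the bug let grow unbounded */
};

/* GSource predicate: buggy version watches rawoutput, fixed one watches encoutput. */
static bool source_writable(const struct wsmodel *m, bool fixed)
{
    size_t watched = fixed ? m->encoutput_offset : m->rawoutput_offset;
    return watched < MAX_BUFFER; /* G_IO_OUT is only signalled below the limit */
}

/* A write stages the payload in rawoutput, then encodes it into encoutput in the
 * same call, so rawoutput is back to zero by the time the GSource runs (root cause). */
static void ws_write(struct wsmodel *m, size_t len)
{
    m->rawoutput_offset += len;
    m->encoutput_offset += m->rawoutput_offset + FRAME_OVERHEAD;
    m->rawoutput_offset = 0;
    if (m->encoutput_offset > m->peak_encoutput) m->peak_encoutput = m->encoutput_offset;
}

/* The peer reads at most 'drain' bytes per round (a slow, or deliberately slow, client). */
static void ws_flush(struct wsmodel *m, size_t drain)
{
    m->encoutput_offset = m->encoutput_offset > drain ? m->encoutput_offset - drain : 0;
}

/* Per round: the producer writes one update if the source says writable, then the peer
 * drains. Returns the peak encoutput size, i.e. the host memory held by the channel. */
size_t simulate(bool fixed, size_t update_len, size_t drain_per_round, int rounds)
{
    struct wsmodel m = {0, 0, 0};
    for (int i = 0; i < rounds; i++) {
        if (source_writable(&m, fixed)) ws_write(&m, update_len);
        ws_flush(&m, drain_per_round);
    }
    return m.peak_encoutput;
}
```

With 1000-byte updates against a client draining 100 bytes per round, simulate(false, ...) grows linearly with the number of rounds while simulate(true, ...) stays below MAX_BUFFER plus one encoded frame.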