1. Patchew
  2. QEMU
  3. View series

[PATCH] ui: reject extended clipboard message if not activated

Daniel P. Berrangé posted 1 patch 10 months, 2 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20240115095119.654271-1-berrange@redhat.com
Maintainers: Gerd Hoffmann <kraxel@redhat.com>, "Marc-André Lureau" <marcandre.lureau@redhat.com>
ui/vnc.c | 5 +++++
1 file changed, 5 insertions(+)
[PATCH] ui: reject extended clipboard message if not activated
Posted by Daniel P. Berrangé 10 months, 2 weeks ago 
The extended clipboard message protocol requires that the client
activate the extension by requesting a psuedo encoding. If this
is not done, then any extended clipboard messages from the client
should be considered invalid and the client dropped.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---

The need for fix was identified as part of investigation for
CVE-2023-6683. This does NOT, however, fix that CVE as it only
addresses one of the problem codepaths that can trigger that
CVE.

 ui/vnc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ui/vnc.c b/ui/vnc.c
index 4f23a0fa79..3b2c71e653 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2445,6 +2445,11 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
         }
 
         if (read_s32(data, 4) < 0) {
+            if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) {
+                error_report("vnc: extended clipboard message while disabled");
+                vnc_client_error(vs);
+                break;
+            }
             if (dlen < 4) {
                 error_report("vnc: malformed payload (header less than 4 bytes)"
                              " in extended clipboard pseudo-encoding.");
-- 
2.43.0
Re: [PATCH] ui: reject extended clipboard message if not activated
Posted by Michael Tokarev 10 months, 2 weeks ago 
15.01.2024 12:51, Daniel P. Berrangé wrote:
> The extended clipboard message protocol requires that the client
> activate the extension by requesting a psuedo encoding. If this
> is not done, then any extended clipboard messages from the client
> should be considered invalid and the client dropped.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> 
> The need for fix was identified as part of investigation for
> CVE-2023-6683. This does NOT, however, fix that CVE as it only
> addresses one of the problem codepaths that can trigger that
> CVE.

This might be a good pick for -stable too, in addition to the actual
CVE-2023-6683 fix (adding -stable).

/mjt
Re: [PATCH] ui: reject extended clipboard message if not activated
Posted by Daniel P. Berrangé 10 months, 2 weeks ago 
On Wed, Jan 17, 2024 at 03:10:30PM +0300, Michael Tokarev wrote:
> 15.01.2024 12:51, Daniel P. Berrangé wrote:
> > The extended clipboard message protocol requires that the client
> > activate the extension by requesting a psuedo encoding. If this
> > is not done, then any extended clipboard messages from the client
> > should be considered invalid and the client dropped.
> > 
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > 
> > The need for fix was identified as part of investigation for
> > CVE-2023-6683. This does NOT, however, fix that CVE as it only
> > addresses one of the problem codepaths that can trigger that
> > CVE.
> 
> This might be a good pick for -stable too, in addition to the actual
> CVE-2023-6683 fix (adding -stable).

Agreed, both would be a good idea for stable.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Re: [PATCH] ui: reject extended clipboard message if not activated
Posted by Marc-André Lureau 10 months, 2 weeks ago 
On Mon, Jan 15, 2024 at 1:52 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> The extended clipboard message protocol requires that the client
> activate the extension by requesting a psuedo encoding. If this
> is not done, then any extended clipboard messages from the client
> should be considered invalid and the client dropped.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> ---
>
> The need for fix was identified as part of investigation for
> CVE-2023-6683. This does NOT, however, fix that CVE as it only
> addresses one of the problem codepaths that can trigger that
> CVE.
>
>  ui/vnc.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 4f23a0fa79..3b2c71e653 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -2445,6 +2445,11 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
>          }
>
>          if (read_s32(data, 4) < 0) {
> +            if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) {
> +                error_report("vnc: extended clipboard message while disabled");
> +                vnc_client_error(vs);
> +                break;
> +            }
>              if (dlen < 4) {
>                  error_report("vnc: malformed payload (header less than 4 bytes)"
>                               " in extended clipboard pseudo-encoding.");
> --
> 2.43.0
>
>


-- 
Marc-André Lureau

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.