author | Guido Günther <agx@sigxcpu.org> | 2018-03-14 11:05:41 +0100 |
---|---|---|
committer | Guido Günther <agx@sigxcpu.org> | 2018-03-14 11:05:41 +0100 |
commit | 097d74c9ae35cf2cbfcc6bf6f3b3283d2a45cb07 (patch) | |
tree | 8c8d067fab86eaaed2a6c49398b22d12746bbf81 | |
parent | e88604408e8a867c9016c2b96bc84dde6002afb5 (diff) |
CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
-rw-r--r-- | debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch | 55 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 56 insertions, 0 deletions
diff --git a/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch b/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
new file mode 100644
index 000000000..487de7b24
--- /dev/null
+++ b/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
@@ -0,0 +1,55 @@
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com>
+Date: Thu, 1 Mar 2018 14:55:26 +0000
+Subject: CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest
+ agent
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: base64
+
+V2UgcmVhZCBmcm9tIHRoZSBhZ2VudCB1bnRpbCBzZWVpbmcgYSBcclxuIHBhaXIgdG8gaW5kaWNh
+dGUgYSBjb21wbGV0ZWQKcmVwbHkgb3IgZXZlbnQuIFRvIGF2b2lkIG1lbW9yeSBkZW5pYWwtb2Yt
+c2VydmljZSB0aG91Z2gsIHdlIG11c3QgaGF2ZSBhCnNpemUgbGltaXQgb24gYW1vdW50IG9mIGRh
+dGEgd2UgYnVmZmVyLiAxMCBNQiBpcyBsYXJnZSBlbm91Z2ggdGhhdCBpdApvdWdodCB0byBjb3Bl
+IHdpdGggbm9ybWFsIGFnZW50IHJlcGxpZXMsIGFuZCBzbWFsbCBlbm91Z2ggdGhhdCB3ZSdyZSBu
+b3QKY29uc3VtaW5nIHVucmVhc29uYWJsZSBtZW0uCgpUaGlzIGlzIGlkZW50aWNhbCB0byB0aGUg
+ZmxhdyB3ZSBoYWQgcmVhZGluZyBmcm9tIHRoZSBRRU1VIG1vbml0b3IKYXMgQ1ZFLTIwMTgtNTc0
+OCwgc28gcmF0aGVyIGVtYmFycmFzc2luZyB0aGF0IHdlIGZvcmdvdCB0byBmaXgKdGhlIGFnZW50
+IGNvZGUgYXQgdGhlIHNhbWUgdGltZS4KClNpZ25lZC1vZmYtYnk6IERhbmllbCBQLiBCZXJyYW5n
+w6kgPGJlcnJhbmdlQHJlZGhhdC5jb20+Cg==
+---
+ src/qemu/qemu_agent.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
+index 0f36054..89183c3 100644
+--- a/src/qemu/qemu_agent.c
++++ b/src/qemu/qemu_agent.c
+@@ -53,6 +53,15 @@ VIR_LOG_INIT("qemu.qemu_agent");
+ #define DEBUG_IO 0
+ #define DEBUG_RAW_IO 0
+ 
++/* We read from QEMU until seeing a \r\n pair to indicate a
++ * completed reply or event. To avoid memory denial-of-service
++ * though, we must have a size limit on amount of data we
++ * buffer. 10 MB is large enough that it ought to cope with
++ * normal QEMU replies, and small enough that we're not
++ * consuming unreasonable mem.
++ */
++#define QEMU_AGENT_MAX_RESPONSE (10 * 1024 * 1024)
++
+ /* When you are the first to uncomment this,
+ * don't forget to uncomment the corresponding
+ * part in qemuAgentIOProcessEvent as well.
+@@ -535,6 +544,12 @@ qemuAgentIORead(qemuAgentPtr mon)
+ int ret = 0;
+ 
+ if (avail < 1024) {
++ if (mon->bufferLength >= QEMU_AGENT_MAX_RESPONSE) {
++ virReportSystemError(ERANGE,
++ _("No complete agent response found in %d bytes"),
++ QEMU_AGENT_MAX_RESPONSE);
++ return -1;
++ }
+ if (VIR_REALLOC_N(mon->buffer,
+ mon->bufferLength + 1024) < 0)
+ return -1;
diff --git a/debian/patches/series b/debian/patches/series
index e1c83ed77..664456fcb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ debian/apparmor_profiles_local_include.patch
 Set-defaults-for-zfs-tools.patch
 Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
 apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
+security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch |
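Review bot: The header comment added above `QEMU_AGENT_MAX_RESPONSE` still says "We read from QEMU" and "normal QEMU replies", although this buffer is filled by the guest agent, i.e. by code running inside the guest, and that trust boundary is exactly what makes the cap a security control rather than a sanity limit. I would reword it so a later reader does not assume the bytes come from the QEMU process: `/* We read from the guest agent until seeing a \r\n pair ... 10 MB ought to cope with normal agent replies; the agent runs inside the guest, so this input is untrusted. */`. The check sits only on the grow path under `if (avail < 1024)`, so a reply that stalls just short of 10 MB without a `\r\n` presumably stays buffered until the agent sends more or the connection goes away; that appears to be the intended bound, but it is worth stating next to the constant. `qemuAgentIORead` starts and ends outside the hunk, so what happens to the agent connection after the new `return -1` cannot be confirmed from here.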