authorGuido Günther <agx@sigxcpu.org>2018-03-14 11:05:41 +0100
committerGuido Günther <agx@sigxcpu.org>2018-03-14 11:05:41 +0100
commit097d74c9ae35cf2cbfcc6bf6f3b3283d2a45cb07 (patch)
tree8c8d067fab86eaaed2a6c49398b22d12746bbf81
parente88604408e8a867c9016c2b96bc84dde6002afb5 (diff)
CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
-rw-r--r--debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch55
-rw-r--r--debian/patches/series1
2 files changed, 56 insertions, 0 deletions
diff --git a/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch b/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
new file mode 100644
index 000000000..487de7b24
--- /dev/null
+++ b/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
@@ -0,0 +1,55 @@
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com>
+Date: Thu, 1 Mar 2018 14:55:26 +0000
+Subject: CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest
+ agent
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: base64
+
+V2UgcmVhZCBmcm9tIHRoZSBhZ2VudCB1bnRpbCBzZWVpbmcgYSBcclxuIHBhaXIgdG8gaW5kaWNh
+dGUgYSBjb21wbGV0ZWQKcmVwbHkgb3IgZXZlbnQuIFRvIGF2b2lkIG1lbW9yeSBkZW5pYWwtb2Yt
+c2VydmljZSB0aG91Z2gsIHdlIG11c3QgaGF2ZSBhCnNpemUgbGltaXQgb24gYW1vdW50IG9mIGRh
+dGEgd2UgYnVmZmVyLiAxMCBNQiBpcyBsYXJnZSBlbm91Z2ggdGhhdCBpdApvdWdodCB0byBjb3Bl
+IHdpdGggbm9ybWFsIGFnZW50IHJlcGxpZXMsIGFuZCBzbWFsbCBlbm91Z2ggdGhhdCB3ZSdyZSBu
+b3QKY29uc3VtaW5nIHVucmVhc29uYWJsZSBtZW0uCgpUaGlzIGlzIGlkZW50aWNhbCB0byB0aGUg
+ZmxhdyB3ZSBoYWQgcmVhZGluZyBmcm9tIHRoZSBRRU1VIG1vbml0b3IKYXMgQ1ZFLTIwMTgtNTc0
+OCwgc28gcmF0aGVyIGVtYmFycmFzc2luZyB0aGF0IHdlIGZvcmdvdCB0byBmaXgKdGhlIGFnZW50
+IGNvZGUgYXQgdGhlIHNhbWUgdGltZS4KClNpZ25lZC1vZmYtYnk6IERhbmllbCBQLiBCZXJyYW5n
+w6kgPGJlcnJhbmdlQHJlZGhhdC5jb20+Cg==
+---
+ src/qemu/qemu_agent.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
+index 0f36054..89183c3 100644
+--- a/src/qemu/qemu_agent.c
++++ b/src/qemu/qemu_agent.c
+@@ -53,6 +53,15 @@ VIR_LOG_INIT("qemu.qemu_agent");
+ #define DEBUG_IO 0
+ #define DEBUG_RAW_IO 0
+
++/* We read from QEMU until seeing a \r\n pair to indicate a
++ * completed reply or event. To avoid memory denial-of-service
++ * though, we must have a size limit on amount of data we
++ * buffer. 10 MB is large enough that it ought to cope with
++ * normal QEMU replies, and small enough that we're not
++ * consuming unreasonable mem.
++ */
++#define QEMU_AGENT_MAX_RESPONSE (10 * 1024 * 1024)
++
+ /* When you are the first to uncomment this,
+ * don't forget to uncomment the corresponding
+ * part in qemuAgentIOProcessEvent as well.
+@@ -535,6 +544,12 @@ qemuAgentIORead(qemuAgentPtr mon)
+ int ret = 0;
+
+ if (avail < 1024) {
++ if (mon->bufferLength >= QEMU_AGENT_MAX_RESPONSE) {
++ virReportSystemError(ERANGE,
++ _("No complete agent response found in %d bytes"),
++ QEMU_AGENT_MAX_RESPONSE);
++ return -1;
++ }
+ if (VIR_REALLOC_N(mon->buffer,
+ mon->bufferLength + 1024) < 0)
+ return -1;
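Review bot: The block comment added above `#define QEMU_AGENT_MAX_RESPONSE` says "We read from QEMU" and "normal QEMU replies", but the check it documents sits in qemuAgentIORead, which reads the guest-agent channel rather than the monitor; the wording looks carried over from the monitor fix the commit message references (CVE-2018-5748). Suggest `/* We read from the QEMU guest agent until seeing a \r\n pair to indicate a` for the first comment line and ` * normal agent replies, and small enough that we're not` for the fifth, so the limit is described against the socket it actually bounds. The new size check is only reached on the `avail < 1024` grow path, so it bounds bufferLength only as long as that realloc is the sole way the buffer grows; the rest of qemuAgentIORead continues outside the hunk and should be confirmed against that assumption. The error text reports `QEMU_AGENT_MAX_RESPONSE` with `%d`, which is consistent with the macro's int expression.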
diff --git a/debian/patches/series b/debian/patches/series
index e1c83ed77..664456fcb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ debian/apparmor_profiles_local_include.patch
Set-defaults-for-zfs-tools.patch
Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
+security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch