Diffstat (limited to 'app-emulation/spice/files/0.12.6-CVE-2016-2150-p2.patch')
-rw-r--r--app-emulation/spice/files/0.12.6-CVE-2016-2150-p2.patch33
1 files changed, 33 insertions, 0 deletions
diff --git a/app-emulation/spice/files/0.12.6-CVE-2016-2150-p2.patch b/app-emulation/spice/files/0.12.6-CVE-2016-2150-p2.patch
new file mode 100644
index 00000000000..8005e063f0d
--- /dev/null
+++ b/app-emulation/spice/files/0.12.6-CVE-2016-2150-p2.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Mon, 29 Feb 2016 14:34:49 +0000
+Subject: [PATCH] improve primary surface parameter checks
+
+Primary surface, as additional surfaces, can be used to access
+host memory from the guest using invalid parameters.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ server/red_worker.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/server/red_worker.c b/server/red_worker.c
+index a7eaab9..f9179a6 100644
+--- a/server/red_worker.c
++++ b/server/red_worker.c
+@@ -11380,6 +11380,15 @@ static void dev_create_primary_surface(RedWorker *worker, uint32_t surface_id,
+ spice_warn_if(((uint64_t)abs(surface.stride) * (uint64_t)surface.height) !=
+ abs(surface.stride) * surface.height);
+
++ /* surface can arrive from guest unchecked so make sure
++ * guest is not a malicious one and drop invalid requests
++ */
++ if (!red_validate_surface(surface.width, surface.height,
++ surface.stride, surface.format)) {
++ spice_warning("wrong primary surface creation request");
++ return;
++ }
++
+ line_0 = (uint8_t*)get_virt(&worker->mem_slots, surface.mem,
+ surface.height * abs(surface.stride),
+ surface.group_id, &error);
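Review bot: The added guard in dev_create_primary_surface calls `red_validate_surface`, which this patch does not define, so it only builds if the patch that introduces that function is applied first. That is presumably the companion p1 patch, and the ebuild's patch order should make the dependency explicit. The size passed to `get_virt` directly after the guard is still computed as `surface.height * abs(surface.stride)` in 32-bit arithmetic, and the `spice_warn_if` above it only logs a wrap-around instead of rejecting it. The fix therefore holds only if `red_validate_surface` bounds height and stride so that the product cannot overflow; that should be confirmed and recorded in the new comment, e.g. `/* red_validate_surface() must also bound stride * height so the get_virt() size below cannot wrap */`. The function body starts and continues outside the hunk, so later uses of `surface` were not reviewed.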