[pve-qemu-kvm.git] / debian / patches / old / CVE-2015-8619-hmp-sendkey-oob-fix.patch

From 8da4a3bf8fb076314f986a0d58cb94f5458e3659 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 11 Jan 2016 08:21:25 +0100
Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)

When processing 'sendkey' command, hmp_sendkey routine null
terminates the 'keyname_buf' array. This results in an OOB
write issue, if 'keyname_len' was to fall outside of
'keyname_buf' array.

Now checking the length against the buffer size before using
it.

Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 hmp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hmp.c b/hmp.c
index c2b2c16..0c7a04c 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1749,6 +1749,8 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
     while (1) {
         separator = strchr(keys, '-');
         keyname_len = separator ? separator - keys : strlen(keys);
+        if (keyname_len >= sizeof(keyname_buf))
+            goto err_out;
         pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
 
         /* Be compatible with old interface, convert user inputted "<" */
@@ -1800,7 +1802,7 @@ out:
     return;
 
 err_out:
-    monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
+    monitor_printf(mon, "invalid parameter: %s\n", keys);
     goto out;
 }
 
-- 
2.1.4
Commit	Line	Data
259e9b41 WB	1	From 8da4a3bf8fb076314f986a0d58cb94f5458e3659 Mon Sep 17 00:00:00 2001
	2	From: Wolfgang Bumiller <w.bumiller@proxmox.com>
	3	Date: Mon, 11 Jan 2016 08:21:25 +0100
	4	Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)
	5
	6	When processing 'sendkey' command, hmp_sendkey routine null
	7	terminates the 'keyname_buf' array. This results in an OOB
	8	write issue, if 'keyname_len' was to fall outside of
	9	'keyname_buf' array.
	10
	11	Now checking the length against the buffer size before using
	12	it.
	13
	14	Reported-by: Ling Liu <liuling-it@360.cn>
	15	Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
	16	---
	17	hmp.c \| 4 +++-
	18	1 file changed, 3 insertions(+), 1 deletion(-)
	19
	20	diff --git a/hmp.c b/hmp.c
	21	index c2b2c16..0c7a04c 100644
	22	--- a/hmp.c
	23	+++ b/hmp.c
	24	@@ -1749,6 +1749,8 @@ void hmp_sendkey(Monitor mon, const QDict qdict)
	25	while (1) {
	26	separator = strchr(keys, '-');
	27	keyname_len = separator ? separator - keys : strlen(keys);
	28	+ if (keyname_len >= sizeof(keyname_buf))
	29	+ goto err_out;
	30	pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
	31
	32	/* Be compatible with old interface, convert user inputted "<" */
	33	@@ -1800,7 +1802,7 @@ out:
	34	return;
	35
	36	err_out:
	37	- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
	38	+ monitor_printf(mon, "invalid parameter: %s\n", keys);
	39	goto out;
	40	}
	41
	42	--
	43	2.1.4
	44