debian/patches/CVE-2015-8619-hmp-sendkey-oob-fix.patch

   1 From 8da4a3bf8fb076314f986a0d58cb94f5458e3659 Mon Sep 17 00:00:00 2001
   2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
   3 Date: Mon, 11 Jan 2016 08:21:25 +0100
   4 Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)
   5
   6 When processing 'sendkey' command, hmp_sendkey routine null
   7 terminates the 'keyname_buf' array. This results in an OOB
   8 write issue, if 'keyname_len' was to fall outside of
   9 'keyname_buf' array.
  10
  11 Now checking the length against the buffer size before using
  12 it.
  13
  14 Reported-by: Ling Liu <liuling-it@360.cn>
  15 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  16 ---
  17  hmp.c | 4 +++-
  18  1 file changed, 3 insertions(+), 1 deletion(-)
  19
  20 diff --git a/hmp.c b/hmp.c
  21 index c2b2c16..0c7a04c 100644
  22 --- a/hmp.c
  23 +++ b/hmp.c
  24 @@ -1749,6 +1749,8 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
  25      while (1) {
  26          separator = strchr(keys, '-');
  27          keyname_len = separator ? separator - keys : strlen(keys);
  28 +        if (keyname_len >= sizeof(keyname_buf))
  29 +            goto err_out;
  30          pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
  31
  32          /* Be compatible with old interface, convert user inputted "<" */
  33 @@ -1800,7 +1802,7 @@ out:
  34      return;
  35
  36  err_out:
  37 -    monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
  38 +    monitor_printf(mon, "invalid parameter: %s\n", keys);
  39      goto out;
  40  }
  41
  42 --
  43 2.1.4
  44