1 From 136dd5ac96fc21654a31aff7fa88b86570c8fc72 Mon Sep 17 00:00:00 2001
2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 Date: Wed, 13 Jan 2016 08:46:31 +0100
4 Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)
6 When processing 'sendkey' command, hmp_sendkey routine null
7 terminates the 'keyname_buf' array. This results in an OOB
8 write issue, if 'keyname_len' was to fall outside of
11 Since the keyname's length is known the keyname_buf can be
12 removed altogether by adding a length parameter to
13 index_from_key() and using it for the error output as well.
15 Reported-by: Ling Liu <liuling-it@360.cn>
16 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
18 hmp.c | 17 +++++++----------
19 include/ui/console.h | 2 +-
20 ui/input-legacy.c | 5 +++--
21 3 files changed, 11 insertions(+), 13 deletions(-)
23 diff --git a/hmp.c b/hmp.c
24 index c2b2c16..066ccf8 100644
27 @@ -1742,21 +1742,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
28 int has_hold_time = qdict_haskey(qdict, "hold-time");
29 int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
31 - char keyname_buf[16];
36 separator = strchr(keys, '-');
37 keyname_len = separator ? separator - keys : strlen(keys);
38 - pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
40 /* Be compatible with old interface, convert user inputted "<" */
41 - if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
42 - pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
43 + if (!strncmp(keys, "<", 1) && keyname_len == 1) {
47 - keyname_buf[keyname_len] = 0;
49 keylist = g_malloc0(sizeof(*keylist));
50 keylist->value = g_malloc0(sizeof(*keylist->value));
51 @@ -1769,16 +1766,16 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
55 - if (strstart(keyname_buf, "0x", NULL)) {
56 + if (strstart(keys, "0x", NULL)) {
58 - int value = strtoul(keyname_buf, &endp, 0);
59 - if (*endp != '\0') {
60 + int value = strtoul(keys, &endp, 0);
61 + if (*endp != '\0' && *endp != '-') {
64 keylist->value->type = KEY_VALUE_KIND_NUMBER;
65 keylist->value->u.number = value;
67 - int idx = index_from_key(keyname_buf);
68 + int idx = index_from_key(keys, keyname_len);
69 if (idx == Q_KEY_CODE_MAX) {
72 @@ -1800,7 +1797,7 @@ out:
76 - monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
77 + monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
81 diff --git a/include/ui/console.h b/include/ui/console.h
82 index adac36d..116bc2b 100644
83 --- a/include/ui/console.h
84 +++ b/include/ui/console.h
85 @@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)
86 void curses_display_init(DisplayState *ds, int full_screen);
89 -int index_from_key(const char *key);
90 +int index_from_key(const char *key, size_t key_length);
93 void early_gtk_display_init(int opengl);
94 diff --git a/ui/input-legacy.c b/ui/input-legacy.c
95 index 35dfc27..3454055 100644
96 --- a/ui/input-legacy.c
97 +++ b/ui/input-legacy.c
98 @@ -57,12 +57,13 @@ struct QEMUPutLEDEntry {
99 static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =
100 QTAILQ_HEAD_INITIALIZER(led_handlers);
102 -int index_from_key(const char *key)
103 +int index_from_key(const char *key, size_t key_length)
107 for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
108 - if (!strcmp(key, QKeyCode_lookup[i])) {
109 + if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
110 + !QKeyCode_lookup[i][key_length]) {
projects / pve-qemu-kvm.git / blob