[pve-qemu.git] / debian / patches / extra / 0021-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Mon, 9 Oct 2017 14:43:42 +0100
Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource

The websocket GSource is monitoring the size of the rawoutput
buffer to determine if the channel can accepts more writes.
The rawoutput buffer, however, is merely a temporary staging
buffer before data is copied into the encoutput buffer. Thus
its size will always be zero when the GSource runs.

This flaw causes the encoutput buffer to grow without bound
if the other end of the underlying data channel doesn't
read data being sent. This can be seen with VNC if a client
is on a slow WAN link and the guest OS is sending many screen
updates. A malicious VNC client can act like it is on a slow
link by playing a video in the guest and then reading data
very slowly, causing QEMU host memory to expand arbitrarily.

This issue is assigned CVE-2017-15268, publically reported in

  https://bugs.launchpad.net/qemu/+bug/1718964

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 io/channel-websock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/io/channel-websock.c b/io/channel-websock.c
index 8fabadea2f..882bbb4cbc 100644
--- a/io/channel-websock.c
+++ b/io/channel-websock.c
@@ -26,7 +26,7 @@
 #include "trace.h"
 
 
-/* Max amount to allow in rawinput/rawoutput buffers */
+/* Max amount to allow in rawinput/encoutput buffers */
 #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
 
 #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
     if (wsource->wioc->rawinput.offset) {
         cond |= G_IO_IN;
     }
-    if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+    if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
         cond |= G_IO_OUT;
     }
 
-- 
2.11.0
Commit	Line	Data
3dcc8d3b	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
c53dfb57 WB	2	From: "Daniel P. Berrange" <berrange@redhat.com>
c53dfb57 WB	3	Date: Mon, 9 Oct 2017 14:43:42 +0100
3dcc8d3b	4	Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource
c53dfb57 WB	5
	6	The websocket GSource is monitoring the size of the rawoutput
	7	buffer to determine if the channel can accepts more writes.
	8	The rawoutput buffer, however, is merely a temporary staging
	9	buffer before data is copied into the encoutput buffer. Thus
	10	its size will always be zero when the GSource runs.
	11
	12	This flaw causes the encoutput buffer to grow without bound
	13	if the other end of the underlying data channel doesn't
	14	read data being sent. This can be seen with VNC if a client
	15	is on a slow WAN link and the guest OS is sending many screen
	16	updates. A malicious VNC client can act like it is on a slow
	17	link by playing a video in the guest and then reading data
	18	very slowly, causing QEMU host memory to expand arbitrarily.
	19
	20	This issue is assigned CVE-2017-15268, publically reported in
	21
	22	https://bugs.launchpad.net/qemu/+bug/1718964
	23
	24	Reviewed-by: Eric Blake <eblake@redhat.com>
	25	Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
	26	---
	27	io/channel-websock.c \| 4 ++--
	28	1 file changed, 2 insertions(+), 2 deletions(-)
	29
	30	diff --git a/io/channel-websock.c b/io/channel-websock.c
	31	index 8fabadea2f..882bbb4cbc 100644
	32	--- a/io/channel-websock.c
	33	+++ b/io/channel-websock.c
	34	@@ -26,7 +26,7 @@
	35	#include "trace.h"
	36
	37
	38	-/* Max amount to allow in rawinput/rawoutput buffers */
	39	+/* Max amount to allow in rawinput/encoutput buffers */
	40	#define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
	41
	42	#define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
	43	@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
	44	if (wsource->wioc->rawinput.offset) {
	45	cond \|= G_IO_IN;
	46	}
	47	- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
	48	+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
	49	cond \|= G_IO_OUT;
	50	}
	51
	52	--
	53	2.11.0
	54