[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 49/55] nbd/server: CVE-2017-15118 Stack smash on lar
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 49/55] nbd/server: CVE-2017-15118 Stack smash on large export name |
Date: |
Wed, 6 Dec 2017 13:16:42 -0600 |
From: Eric Blake <address@hidden>
Introduced in commit f37708f6b8 (2.10). The NBD spec says a client
can request export names up to 4096 bytes in length, even though
they should not expect success on names longer than 256. However,
qemu hard-codes the limit of 256, and fails to filter out a client
that probes for a longer name; the result is a stack smash that can
potentially give an attacker arbitrary control over the qemu
process.
The smash can be easily demonstrated with this client:
$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
If the qemu NBD server binary (whether the standalone qemu-nbd, or
the builtin server of QMP nbd-server-start) was compiled with
-fstack-protector-strong, the ability to exploit the stack smash
into arbitrary execution is a lot more difficult (but still
theoretically possible to a determined attacker, perhaps in
combination with other CVEs). Still, crashing a running qemu (and
losing the VM) is bad enough, even if the attacker did not obtain
full execution control.
CC: address@hidden
Signed-off-by: Eric Blake <address@hidden>
(cherry picked from commit 51ae4f8455c9e32c54770c4ebc25bf86a8128183)
Signed-off-by: Michael Roth <address@hidden>
---
nbd/server.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/nbd/server.c b/nbd/server.c
index b93cb88911..56aed3a735 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -393,6 +393,10 @@ static int nbd_negotiate_handle_info(NBDClient *client,
uint32_t length,
msg = "name length is incorrect";
goto invalid;
}
+ if (namelen >= sizeof(name)) {
+ msg = "name too long for qemu";
+ goto invalid;
+ }
if (nbd_read(client->ioc, name, namelen, errp) < 0) {
return -EIO;
}
--
2.11.0
- [Qemu-devel] [PATCH 39/55] nbd/client: Use error_prepend() correctly, (continued)
- [Qemu-devel] [PATCH 39/55] nbd/client: Use error_prepend() correctly, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 03/55] block/mirror: check backing in bdrv_mirror_top_flush, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 41/55] virtio: Add queue interface to restore avail index from vring used index, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 47/55] virtio-net: don't touch virtqueue if vm is stopped, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 48/55] nbd/server: CVE-2017-15119 Reject options larger than 32M, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 42/55] vhost: restore avail index from vring used index on disconnection, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 44/55] spapr: reset DRCs after devices, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 46/55] block/nfs: fix nfs_client_open for filesize greater than 1TB, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 50/55] vhost: fix error check in vhost_verify_ring_mappings(), Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 43/55] hw/ppc: clear pending_events on machine reset, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 49/55] nbd/server: CVE-2017-15118 Stack smash on large export name,
Michael Roth <=
- [Qemu-devel] [PATCH 45/55] scripts/make-release: ship u-boot source as a tarball, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 04/55] kvmclock: use the updated system_timer_msr, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 52/55] nbd-client: Refuse read-only client with BDRV_O_RDWR, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 53/55] nbd/client: Don't hard-disconnect on ESHUTDOWN from server, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 51/55] nbd/server: fix nbd_negotiate_handle_info, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 54/55] vga: drop line_offset variable, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 55/55] vga: handle cirrus vbe mode wraparounds., Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 06/55] exec: Explicitly export target AS from address_space_translate_internal, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 05/55] block: Perform copy-on-read in loop, Michael Roth, 2017/12/06
- [Qemu-devel] [PATCH 08/55] memory: Move FlatView allocation to a helper, Michael Roth, 2017/12/06