Re: [Qemu-devel] [PATCH v1 00/13] Fix VNC server unbounded memory usage

[Daniel P. Berrange]

On Tue, Dec 19, 2017 at 09:57:59AM -0500, Marc-André Lureau wrote:
> Hi
> 
> ----- Original Message -----
> > In the 2.11 release we fixed CVE-2017-15268, which allowed the VNC 
> > websockets
> > server to consume arbitrary memory when a slow client was connected. I have
> > since discovered that this same type of problem can be triggered in several
> > other ways in the regular (non-websockets) VNC server. This patch series
> > attempts to fix this problem by limiting framebuffer updates and other data
> > sent from server to client. The mitigating factor is that you need to have
> > successfully authenticated with the VNC server to trigger these new flaws.
> > This new more general flaw is assigned CVE-2017-15124 by the Red Hat 
> > security
> > team.
> > 
> > The key patches containing the security fix are 9, 10, 11.
> > 
> > Since this code is incredibly subtle & hard to understand though, the first
> > 8 patches do a bunch of independant cleanups/refactoring to make the 
> > security
> > fixes clearer.  The last two patches are just some extra cleanup / help for
> > future maint.
> 
> I already reviewed the series privately, and in general, I'd ack it.
> 
> Did you manage to run some throttle tests? (I tried to trigger them manually
> by slowing artificially network or calling framebuffer_update_request() in
> gdb, I didn't manage yet :-/)

I used two approaches. First a MITM socket server that just throttles the
rate at which is reads from QEMU. Second, I wrote an intentionally malicious
VNC client to artificially exercise the codepaths & verify they are fixed.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|