[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v1 00/13] Fix VNC server unbounded memory usage
From: |
Daniel P. Berrange |
Subject: |
Re: [Qemu-devel] [PATCH v1 00/13] Fix VNC server unbounded memory usage |
Date: |
Tue, 19 Dec 2017 15:23:04 +0000 |
User-agent: |
Mutt/1.9.1 (2017-09-22) |
On Tue, Dec 19, 2017 at 09:57:59AM -0500, Marc-André Lureau wrote:
> Hi
>
> ----- Original Message -----
> > In the 2.11 release we fixed CVE-2017-15268, which allowed the VNC
> > websockets
> > server to consume arbitrary memory when a slow client was connected. I have
> > since discovered that this same type of problem can be triggered in several
> > other ways in the regular (non-websockets) VNC server. This patch series
> > attempts to fix this problem by limiting framebuffer updates and other data
> > sent from server to client. The mitigating factor is that you need to have
> > successfully authenticated with the VNC server to trigger these new flaws.
> > This new more general flaw is assigned CVE-2017-15124 by the Red Hat
> > security
> > team.
> >
> > The key patches containing the security fix are 9, 10, 11.
> >
> > Since this code is incredibly subtle & hard to understand though, the first
> > 8 patches do a bunch of independant cleanups/refactoring to make the
> > security
> > fixes clearer. The last two patches are just some extra cleanup / help for
> > future maint.
>
> I already reviewed the series privately, and in general, I'd ack it.
>
> Did you manage to run some throttle tests? (I tried to trigger them manually
> by slowing artificially network or calling framebuffer_update_request() in
> gdb, I didn't manage yet :-/)
I used two approaches. First a MITM socket server that just throttles the
rate at which is reads from QEMU. Second, I wrote an intentionally malicious
VNC client to artificially exercise the codepaths & verify they are fixed.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- [Qemu-devel] [PATCH v1 07/13] ui: correctly reset framebuffer update state after processing dirty regions, (continued)
- [Qemu-devel] [PATCH v1 07/13] ui: correctly reset framebuffer update state after processing dirty regions, Daniel P. Berrange, 2017/12/18
- [Qemu-devel] [PATCH v1 10/13] ui: fix VNC client throttling when forced update is requested, Daniel P. Berrange, 2017/12/18
- [Qemu-devel] [PATCH v1 05/13] ui: track how much decoded data we consumed when doing SASL encoding, Daniel P. Berrange, 2017/12/18
- [Qemu-devel] [PATCH v1 09/13] ui: fix VNC client throttling when audio capture is active, Daniel P. Berrange, 2017/12/18
- [Qemu-devel] [PATCH v1 12/13] ui: add trace events related to VNC client throttling, Daniel P. Berrange, 2017/12/18
- [Qemu-devel] [PATCH v1 13/13] ui: mix misleading comments & return types of VNC I/O helper methods, Daniel P. Berrange, 2017/12/18
- Re: [Qemu-devel] [PATCH v1 00/13] Fix VNC server unbounded memory usage, Darren Kenny, 2017/12/19
- Re: [Qemu-devel] [PATCH v1 00/13] Fix VNC server unbounded memory usage, Marc-André Lureau, 2017/12/19
- Re: [Qemu-devel] [PATCH v1 00/13] Fix VNC server unbounded memory usage,
Daniel P. Berrange <=
- Re: [Qemu-devel] [PATCH v1 00/13] Fix VNC server unbounded memory usage, Marc-André Lureau, 2017/12/20