[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [qemu-xen stable-4.10] nbd/server: CVE-2017-15118 Stack smash on large export name



commit 227196c1e73a77769dcbc9c3563f4ede7b908ad7
Author:     Eric Blake <eblake@xxxxxxxxxx>
AuthorDate: Wed Nov 22 15:07:22 2017 -0600
Commit:     Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
CommitDate: Wed Dec 6 11:41:27 2017 -0600

    nbd/server: CVE-2017-15118 Stack smash on large export name
    
    Introduced in commit f37708f6b8 (2.10).  The NBD spec says a client
    can request export names up to 4096 bytes in length, even though
    they should not expect success on names longer than 256.  However,
    qemu hard-codes the limit of 256, and fails to filter out a client
    that probes for a longer name; the result is a stack smash that can
    potentially give an attacker arbitrary control over the qemu
    process.
    
    The smash can be easily demonstrated with this client:
    $ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
    
    If the qemu NBD server binary (whether the standalone qemu-nbd, or
    the builtin server of QMP nbd-server-start) was compiled with
    -fstack-protector-strong, the ability to exploit the stack smash
    into arbitrary execution is a lot more difficult (but still
    theoretically possible to a determined attacker, perhaps in
    combination with other CVEs).  Still, crashing a running qemu (and
    losing the VM) is bad enough, even if the attacker did not obtain
    full execution control.
    
    CC: qemu-stable@xxxxxxxxxx
    Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
    (cherry picked from commit 51ae4f8455c9e32c54770c4ebc25bf86a8128183)
    Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
---
 nbd/server.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nbd/server.c b/nbd/server.c
index b93cb88..56aed3a 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -393,6 +393,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, 
uint32_t length,
         msg = "name length is incorrect";
         goto invalid;
     }
+    if (namelen >= sizeof(name)) {
+        msg = "name too long for qemu";
+        goto invalid;
+    }
     if (nbd_read(client->ioc, name, namelen, errp) < 0) {
         return -EIO;
     }
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#stable-4.10

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.