[Pkg-libvirt-commits] [libvirt] 05/09: CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor

Guido Guenther agx at moszumanska.debian.org
Fri Jan 19 17:20:17 UTC 2018


This is an automated email from the git hooks/post-receive script.

agx pushed a commit to annotated tag debian/4.0.0_rc2-1
in repository libvirt.

commit 7406ae5f751def19241b6a7050d47b0c1fd05c06
Author: Guido Günther <agx at sigxcpu.org>
Date:   Fri Jan 19 09:39:42 2018 +0100

    CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
    
    Closes: #887700
---
 ...l-of-service-reading-from-QEMU-monitor-CV.patch | 49 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 50 insertions(+)

diff --git a/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch b/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
new file mode 100644
index 0000000..0fefb3e
--- /dev/null
+++ b/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
@@ -0,0 +1,49 @@
+From: "Daniel P. Berrange" <berrange at redhat.com>
+Date: Tue, 16 Jan 2018 17:00:11 +0000
+Subject: qemu: avoid denial of service reading from QEMU monitor
+ (CVE-2018-5748)
+
+We read from QEMU until seeing a \r\n pair to indicate a completed reply
+or event. To avoid memory denial-of-service though, we must have a size
+limit on amount of data we buffer. 10 MB is large enough that it ought
+to cope with normal QEMU replies, and small enough that we're not
+consuming unreasonable mem.
+
+Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
+---
+ src/qemu/qemu_monitor.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
+index 046caf0..85c7d68 100644
+--- a/src/qemu/qemu_monitor.c
++++ b/src/qemu/qemu_monitor.c
+@@ -55,6 +55,15 @@ VIR_LOG_INIT("qemu.qemu_monitor");
+ #define DEBUG_IO 0
+ #define DEBUG_RAW_IO 0
+ 
++/* We read from QEMU until seeing a \r\n pair to indicate a
++ * completed reply or event. To avoid memory denial-of-service
++ * though, we must have a size limit on amount of data we
++ * buffer. 10 MB is large enough that it ought to cope with
++ * normal QEMU replies, and small enough that we're not
++ * consuming unreasonable mem.
++ */
++#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
++
+ struct _qemuMonitor {
+     virObjectLockable parent;
+ 
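Review bot: the new block comment above QEMU_MONITOR_MAX_RESPONSE restates the commit message almost word for word but does not mention CVE-2018-5748, so a reader of qemu_monitor.c alone cannot tell why the limit exists or that it is security-motivated; suggest adding the CVE identifier to the comment, and since the value is `10 * 1024 * 1024` the comment should say 10 MiB rather than "10 MB" so the unit matches the constant.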
+@@ -575,6 +584,12 @@ qemuMonitorIORead(qemuMonitorPtr mon)
+     int ret = 0;
+ 
+     if (avail < 1024) {
++        if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) {
++            virReportSystemError(ERANGE,
++                                 _("No complete monitor response found in %d bytes"),
++                                 QEMU_MONITOR_MAX_RESPONSE);
++            return -1;
++        }
+         if (VIR_REALLOC_N(mon->buffer,
+                           mon->bufferLength + 1024) < 0)
+             return -1;
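Review bot: the check `if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE)` sits inside the `if (avail < 1024)` branch and runs before `VIR_REALLOC_N(mon->buffer, mon->bufferLength + 1024)`, so the allocation can grow to just under QEMU_MONITOR_MAX_RESPONSE + 1024 bytes before the error fires, and the message "No complete monitor response found in %d bytes" therefore understates the real bound by up to 1 KiB; either check against the post-growth size (`mon->bufferLength + 1024 > QEMU_MONITOR_MAX_RESPONSE`) or note the slack in a comment. Note also that mon->bufferLength is the allocated size rather than the length of the current unterminated reply, so this only bounds memory per reply if the buffer is compacted after each complete message elsewhere in the file, which this hunk does not show; and because exceeding the limit makes qemuMonitorIORead return -1, a legitimate reply larger than the limit now becomes a monitor read failure, so whatever the caller does with -1 (not visible here) is the behaviour operators will observe and should be documented in the commit message.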
diff --git a/debian/patches/series b/debian/patches/series
index b2cea98..29cd189 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,4 @@ Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
 apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
 Allow-libvirt-to-kill-unconfined-domains.patch
 apparmor-allow-libvirt-to-send-term-signal-to-unconfined.patch
+qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-libvirt/libvirt.git