* [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
@ 2023-07-04 8:41 Mauro Matteo Cascella
2023-07-04 9:02 ` Marc-André Lureau
0 siblings, 1 reply; 4+ messages in thread
From: Mauro Matteo Cascella @ 2023-07-04 8:41 UTC (permalink / raw)
To: qemu-devel; +Cc: mcascell, kraxel, marcandre.lureau, kevin.denis
A wrong exit condition may lead to an infinite loop when inflating a
valid zlib buffer containing some extra bytes in the `inflate_buffer`
function. The bug only occurs post-authentication. Return the buffer
immediately if the end of the compressed data has been reached
(Z_STREAM_END).
Fixes: CVE-2023-3255
Fixes: 0bf41cab ("ui/vnc: clipboard support")
Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
---
ui/vnc-clipboard.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
index 8aeadfaa21..c759be3438 100644
--- a/ui/vnc-clipboard.c
+++ b/ui/vnc-clipboard.c
@@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
ret = inflate(&stream, Z_FINISH);
switch (ret) {
case Z_OK:
- case Z_STREAM_END:
break;
+ case Z_STREAM_END:
+ *size = stream.total_out;
+ inflateEnd(&stream);
+ return out;
case Z_BUF_ERROR:
out_len <<= 1;
if (out_len > (1 << 20)) {
@@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
}
}
- *size = stream.total_out;
- inflateEnd(&stream);
-
- return out;
-
err_end:
inflateEnd(&stream);
err:
--
2.41.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
2023-07-04 8:41 [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255) Mauro Matteo Cascella
@ 2023-07-04 9:02 ` Marc-André Lureau
2023-07-04 9:39 ` Mauro Matteo Cascella
0 siblings, 1 reply; 4+ messages in thread
From: Marc-André Lureau @ 2023-07-04 9:02 UTC (permalink / raw)
To: Mauro Matteo Cascella; +Cc: qemu-devel, kraxel, kevin.denis
[-- Attachment #1: Type: text/plain, Size: 1903 bytes --]
On Tue, Jul 4, 2023 at 10:42 AM Mauro Matteo Cascella <mcascell@redhat.com>
wrote:
> A wrong exit condition may lead to an infinite loop when inflating a
> valid zlib buffer containing some extra bytes in the `inflate_buffer`
> function. The bug only occurs post-authentication. Return the buffer
> immediately if the end of the compressed data has been reached
> (Z_STREAM_END).
>
> Fixes: CVE-2023-3255
> Fixes: 0bf41cab ("ui/vnc: clipboard support")
> Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
>
Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Note: we may want to disconnect the client when there are extra bytes in
the message, or print some warnings.
> ---
> ui/vnc-clipboard.c | 10 ++++------
> 1 file changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
> index 8aeadfaa21..c759be3438 100644
> --- a/ui/vnc-clipboard.c
> +++ b/ui/vnc-clipboard.c
> @@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t
> in_len, uint32_t *size)
> ret = inflate(&stream, Z_FINISH);
> switch (ret) {
> case Z_OK:
> - case Z_STREAM_END:
> break;
> + case Z_STREAM_END:
> + *size = stream.total_out;
> + inflateEnd(&stream);
> + return out;
> case Z_BUF_ERROR:
> out_len <<= 1;
> if (out_len > (1 << 20)) {
> @@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t
> in_len, uint32_t *size)
> }
> }
>
> - *size = stream.total_out;
> - inflateEnd(&stream);
> -
> - return out;
> -
> err_end:
> inflateEnd(&stream);
> err:
> --
> 2.41.0
>
>
>
--
Marc-André Lureau
[-- Attachment #2: Type: text/html, Size: 2990 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
2023-07-04 9:02 ` Marc-André Lureau
@ 2023-07-04 9:39 ` Mauro Matteo Cascella
2023-07-12 10:08 ` Michael Tokarev
0 siblings, 1 reply; 4+ messages in thread
From: Mauro Matteo Cascella @ 2023-07-04 9:39 UTC (permalink / raw)
To: Marc-André Lureau; +Cc: qemu-devel, kraxel, kevin.denis
On Tue, Jul 4, 2023 at 11:03 AM Marc-André Lureau
<marcandre.lureau@gmail.com> wrote:
>
>
>
> On Tue, Jul 4, 2023 at 10:42 AM Mauro Matteo Cascella <mcascell@redhat.com> wrote:
>>
>> A wrong exit condition may lead to an infinite loop when inflating a
>> valid zlib buffer containing some extra bytes in the `inflate_buffer`
>> function. The bug only occurs post-authentication. Return the buffer
>> immediately if the end of the compressed data has been reached
>> (Z_STREAM_END).
>>
>> Fixes: CVE-2023-3255
>> Fixes: 0bf41cab ("ui/vnc: clipboard support")
>> Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
>> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
>
>
> Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
>
> Note: we may want to disconnect the client when there are extra bytes in the message, or print some warnings.
Sure, I guess we can call vnc_disconnect_finish or vnc_client_error
for disconnecting, not sure how to properly print warnings. Feel free
to add that yourself when applying the patch. Or I can try to send v2
if you prefer.
Thanks,
>>
>> ---
>> ui/vnc-clipboard.c | 10 ++++------
>> 1 file changed, 4 insertions(+), 6 deletions(-)
>>
>> diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
>> index 8aeadfaa21..c759be3438 100644
>> --- a/ui/vnc-clipboard.c
>> +++ b/ui/vnc-clipboard.c
>> @@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
>> ret = inflate(&stream, Z_FINISH);
>> switch (ret) {
>> case Z_OK:
>> - case Z_STREAM_END:
>> break;
>> + case Z_STREAM_END:
>> + *size = stream.total_out;
>> + inflateEnd(&stream);
>> + return out;
>> case Z_BUF_ERROR:
>> out_len <<= 1;
>> if (out_len > (1 << 20)) {
>> @@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
>> }
>> }
>>
>> - *size = stream.total_out;
>> - inflateEnd(&stream);
>> -
>> - return out;
>> -
>> err_end:
>> inflateEnd(&stream);
>> err:
>> --
>> 2.41.0
>>
>>
>
>
> --
> Marc-André Lureau
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
2023-07-04 9:39 ` Mauro Matteo Cascella
@ 2023-07-12 10:08 ` Michael Tokarev
0 siblings, 0 replies; 4+ messages in thread
From: Michael Tokarev @ 2023-07-12 10:08 UTC (permalink / raw)
To: Mauro Matteo Cascella, Marc-André Lureau
Cc: qemu-devel, kraxel, kevin.denis, qemu-stable
04.07.2023 12:39, Mauro Matteo Cascella wrote:
> On Tue, Jul 4, 2023 at 11:03 AM Marc-André Lureau
> <marcandre.lureau@gmail.com> wrote:
>>
>>
>>
>> On Tue, Jul 4, 2023 at 10:42 AM Mauro Matteo Cascella <mcascell@redhat.com> wrote:
>>>
>>> A wrong exit condition may lead to an infinite loop when inflating a
>>> valid zlib buffer containing some extra bytes in the `inflate_buffer`
>>> function. The bug only occurs post-authentication. Return the buffer
>>> immediately if the end of the compressed data has been reached
>>> (Z_STREAM_END).
>>>
>>> Fixes: CVE-2023-3255
>>> Fixes: 0bf41cab ("ui/vnc: clipboard support")
>>> Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
>>> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
>>
>>
>> Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
>> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
>>
>> Note: we may want to disconnect the client when there are extra bytes in the message, or print some warnings.
>
> Sure, I guess we can call vnc_disconnect_finish or vnc_client_error
> for disconnecting, not sure how to properly print warnings. Feel free
> to add that yourself when applying the patch. Or I can try to send v2
> if you prefer.
Ping, for 8.1 and -stable?
Thanks,
/mjt
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-07-12 10:09 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-07-04 8:41 [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255) Mauro Matteo Cascella
2023-07-04 9:02 ` Marc-André Lureau
2023-07-04 9:39 ` Mauro Matteo Cascella
2023-07-12 10:08 ` Michael Tokarev
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.