From: P J P <ppandit@redhat.com>
To: "Marc-André Lureau" <marcandre.lureau@gmail.com>
Cc: "Fermín J. Serna" <fjserna@gmail.com>,
	"Daniel P . Berrange" <berrange@redhat.com>,
	"QEMU Developers" <qemu-devel@nongnu.org>,
	"Michael Roth" <mdroth@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCH v2] qga: check length of command-line & environment variables
Date: Thu, 23 May 2019 13:23:36 +0530 (IST)
Message-ID: <nycvar.YSQ.7.76.1905231257400.23354@xnncv>
In-Reply-To: <CAJ+F1CLXdw4gE45vVEpStKrKsu-OYy1+5caC9wUduEtQRhjrpA@mail.gmail.com>

+-- On Wed, 22 May 2019, Marc-André Lureau wrote --+
| On Sun, May 19, 2019 at 10:55 AM P J P <ppandit@redhat.com> wrote:
| > Qemu guest agent while executing user commands does not seem to
| > check length of argument list and/or environment variables passed.
| > It may lead to integer overflow or infinite loop issues. Add check
| > to avoid it.
| 
| Are you intentionally not telling where these overflow or loop happen?
| 
| Isn't the kernel already giving an error if given too much
| environment/arguments on exec?

The kernel would report an error, but an integer overflow would occur while 
computing 'str_size' in the loop below, if count++ wraps around due to a long 
list of arguments (or a loop) in 'strList *entry'. A negative 'count' would 
allocate a large amount of memory for 'args':

    args = g_malloc(count * sizeof(char *));

We don't have a reproducer. It does seem remote/unlikely, considering 
guest-agent is to be used by trusted parties to manage a guest.

| >      int count = 1, i = 0;  /* reserve for NULL terminator */
| > +    size_t str_size = 1, arg_max;
| >
| > +    arg_max = ga_get_arg_max();
| >      for (it = entry; it != NULL; it = it->next) {
| >          count++;
| >          str_size += 1 + strlen(it->value);
| > +        if (str_size >= arg_max || count >= arg_max / 2) {
| > +            break;
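Review bot: the `break` on reaching the limit silently truncates the argument (and environment) list, so the command is still executed with fewer arguments than the caller supplied; the loop should instead report an error to the caller and return without executing anything. The comparison `count >= arg_max / 2` also mixes the `int count` from the context line with the `size_t` result of `ga_get_arg_max()`; declaring `count` as `size_t` avoids the signed/unsigned conversion and the wraparound the commit message worries about.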
| 
| This seems to silently drop remaining arguments, which is probably not
| what you want.

Umnm, report an error and return?


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
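The bounded argument walk discussed above, as an added example that is not QEMU's code: it keeps the hunk's `count`/`str_size` accounting but returns an error instead of breaking out of the loop, and uses an overflow-free form of the size test. The `strList` type and the `make_strlist` helper are assumptions made for this illustration.

```c
/* Added example, not QEMU's code: bounded argv construction for the strList
 * walk discussed in the thread. strList and make_strlist are assumptions. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
typedef struct strList {
    char *value;
    struct strList *next;
} strList;
/* Helper (not QEMU's): builds a strList from a constructed string array. */
strList *make_strlist(const char *const *items, size_t n)
{
    strList *head = NULL, **tail = &head;
    for (size_t k = 0; k < n; k++) {
        strList *node = calloc(1, sizeof(*node));
        node->value = (char *)items[k];
        *tail = node;
        tail = &node->next;
    }
    return head;
}
/* Walks the list once, counting the trailing NULL slot and each argument's
 * terminator. Returns 0 and fills *out, or -1 when the argument count or the
 * total string size would reach arg_max, so the caller sees an error rather
 * than the silently truncated list the quoted hunk's break would produce. */
int build_argv_bounded(const strList *entry, size_t arg_max, char ***out)
{
    size_t count = 1;     /* reserve for NULL terminator */
    size_t str_size = 1;  /* loop invariant: str_size < arg_max */
    if (arg_max < 2) return -1;
    for (const strList *it = entry; it != NULL; it = it->next) {
        size_t len = strlen(it->value);
        /* same test as str_size + 1 + len >= arg_max, but cannot overflow */
        if (len >= arg_max - str_size - 1 || count + 1 >= arg_max / 2) {
            return -1;
        }
        count++;
        str_size += 1 + len;
    }
    char **args = calloc(count, sizeof(char *));  /* count < arg_max / 2 */
    if (args == NULL) return -1;
    size_t i = 0;
    for (const strList *it = entry; it != NULL; it = it->next) {
        args[i++] = it->value;
    }
    args[i] = NULL;
    *out = args;
    return 0;
}
```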
