spice-vdagent/Avoids-unchecked-file-transfer-IDs-allocation-and-us.patch
Bruce Rogers 6ff184c434 Accepting request 846096 from home:bfrogers:branches:Virtualization
- Fix multiple security issues as outlined in bsc#1173749
  bsc#1177780 bsc#1177781 bsc#1177782 bsc#1177783
  CVE-2020-25650 CVE-2020-25651 CVE-2020-25652 CVE-2020-25653
  systemd-login-Avoid-a-crash-on-container.patch
  vdagentd-Use-bool-for-agent_owns_clipboard-and-clien.patch
  vdagentd-Automatically-release-agent_data.patch
  vdagent-connection-Pass-err-to-g_credentials_get_uni.patch
  vdagentd-Better-check-for-vdagent_connection_get_pee.patch
  vdagentd-Avoid-calling-chmod.patch
  Avoids-unchecked-file-transfer-IDs-allocation-and-us.patch
  Avoids-uncontrolled-active_xfers-allocations.patch
  Avoids-unlimited-agent-connections.patch
  Avoids-user-session-hijacking.patch
  Better-check-for-sessions.patch
  vdagentd-Limit-number-of-agents-per-session-to-1.patch
  cleanup-active_xfers-when-the-client-disconnects.patch
  vdagentd-do-not-allow-to-use-an-already-used-file-xf.patch
  Add-a-test-for-session_info.patch
- Add a check section to run internal tests. Note that by default
  the added session_info test is not run, as it doesn't work in
  context of build service

OBS-URL: https://build.opensuse.org/request/show/846096
OBS-URL: https://build.opensuse.org/package/show/Virtualization/spice-vdagent?expand=0&rev=41
2020-11-05 00:50:56 +00:00


From e4a5f60ecbb0248159bc915613359d8f45b49134 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Sat, 19 Sep 2020 15:13:42 +0100
Subject: [PATCH 02/10] Avoids unchecked file transfer IDs allocation and usage
References: bsc#1173749
Avoid agents allocating file transfers.
The "active_xfers" entries are now inserted when the client starts
sending files.
Also different agents cannot mess with other agent transfers as a
transfer is bound to a single agent.
This issue was reported by SUSE security team.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Uri Lublin <uril@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
src/vdagentd/vdagentd.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c
index a2b74bb..f15989d 100644
--- a/src/vdagentd/vdagentd.c
+++ b/src/vdagentd/vdagentd.c
@@ -381,9 +381,11 @@ static void do_client_file_xfer(VirtioPort *vport,
s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0);
return;
}
- udscs_write(active_session_conn, VDAGENTD_FILE_XFER_START, 0, 0,
- data, message_header->size);
- return;
+ msg_type = VDAGENTD_FILE_XFER_START;
+ id = s->id;
+ // associate the id with the active connection
+ g_hash_table_insert(active_xfers, GUINT_TO_POINTER(id), active_session_conn);
+ break;
}
case VD_AGENT_FILE_XFER_STATUS: {
VDAgentFileXferStatusMessage *s = (VDAgentFileXferStatusMessage *)data;
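Review bot: The `g_hash_table_insert(active_xfers, GUINT_TO_POINTER(id), active_session_conn)` added in the VD_AGENT_FILE_XFER_START case takes `s->id` straight from the client message without checking whether that id is already in the table, so a repeated id silently rebinds an in-flight transfer, and nothing in this hunk bounds how many entries a client can create. A guard such as `if (g_hash_table_contains(active_xfers, GUINT_TO_POINTER(s->id)))` that rejects the start with an error status before the insert would close the first gap, and a size cap on the table would close the second. The package changelog lists `vdagentd-do-not-allow-to-use-an-already-used-file-xf.patch` and `Avoids-uncontrolled-active_xfers-allocations.patch`, which judging by their titles cover both points, so this patch should not be carried on its own. The body of do_client_file_xfer starts and ends outside the hunk.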
@@ -408,6 +410,12 @@ static void do_client_file_xfer(VirtioPort *vport,
return;
}
udscs_write(conn, msg_type, 0, 0, data, message_header->size);
+
+ // client told that transfer is ended, agents too stop the transfer
+ // and release resources
+ if (message_header->type == VD_AGENT_FILE_XFER_STATUS) {
+ g_hash_table_remove(active_xfers, GUINT_TO_POINTER(id));
+ }
}
static void forward_data_to_session_agent(uint32_t type, uint8_t *data, size_t size)
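Review bot: The added `if (message_header->type == VD_AGENT_FILE_XFER_STATUS)` removes the id from `active_xfers` for every status message from the client, whatever result value it carries, while the comment only says the client "told that transfer is ended". If every client-originated status is indeed terminal, the comment should state that as the invariant, for example `// any FILE_XFER_STATUS from the client is terminal: forward it, then drop the id -> agent binding`. If a non-terminal status can arrive from the client, the removal needs to test the result field as well. The assignment of `id` for the status case and the lookup of `conn` sit above the hunk, so this is inferred from the visible lines only.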
@@ -1012,6 +1020,15 @@ static void do_agent_file_xfer_status(UdscsConnection *conn,
const gchar *log_msg = NULL;
guint data_size = 0;
+ UdscsConnection *task_conn = g_hash_table_lookup(active_xfers, task_id);
+ if (task_conn == NULL || task_conn != conn) {
+ // Protect against misbehaving agent.
+ // Ignore the message, but do not disconnect the agent, to protect against
+ // a misbehaving client that tries to disconnect a good agent
+ // e.g. by sending a new task and immediately cancelling it.
+ return;
+ }
+
/* header->arg1 = file xfer task id, header->arg2 = file xfer status */
switch (header->arg2) {
case VD_AGENT_FILE_XFER_STATUS_NOT_ENOUGH_SPACE:
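Review bot: The new early `return` taken when `task_conn == NULL || task_conn != conn` drops the agent's status message without leaving any trace, so an agent reporting on a transfer it does not own is invisible to anyone reading the daemon's logs. A debug-level or rate-limited log line naming the task id, placed before the `return`, would give operators a detection signal without letting a noisy agent flood the log. The comment could also state the ownership rule directly, e.g. `// only the agent bound to this task id in active_xfers may report its status`. `task_id` is declared above the hunk and the function continues past it.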
@@ -1026,10 +1043,9 @@ static void do_agent_file_xfer_status(UdscsConnection *conn,
send_file_xfer_status(virtio_port, log_msg, header->arg1, header->arg2,
data, data_size);
- if (header->arg2 == VD_AGENT_FILE_XFER_STATUS_CAN_SEND_DATA)
- g_hash_table_insert(active_xfers, task_id, conn);
- else
+ if (header->arg2 != VD_AGENT_FILE_XFER_STATUS_CAN_SEND_DATA) {
g_hash_table_remove(active_xfers, task_id);
+ }
}
static void agent_read_complete(UdscsConnection *conn,
--
2.28.0