References: bsc#965269 CVE-2015-8619 Subject: hmp: fix sendkey out of bounds write (CVE-2015-8619) From: Wolfgang Bumiller w.bumiller@proxmox.com Wed Jan 13 09:09:58 2016 +0100 Date: Wed Feb 3 10:13:06 2016 +0100: Git: 64ffbe04eaafebf4045a3ace52a360c14959d196 When processing 'sendkey' command, hmp_sendkey routine null terminates the 'keyname_buf' array. This results in an OOB write issue, if 'keyname_len' was to fall outside of 'keyname_buf' array. Since the keyname's length is known the keyname_buf can be removed altogether by adding a length parameter to index_from_key() and using it for the error output as well. Reported-by: Ling Liu Signed-off-by: Wolfgang Bumiller Message-Id: <20160113080958.GA18934@olga> [Comparison with "<" dumbed down, test for junk after strtoul() tweaked] Signed-off-by: Markus Armbruster Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c =================================================================== --- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hmp.c +++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hmp.c @@ -1478,21 +1478,18 @@ void hmp_send_key(Monitor *mon, const QD int has_hold_time = qdict_haskey(qdict, "hold-time"); int hold_time = qdict_get_try_int(qdict, "hold-time", -1); Error *err = NULL; - char keyname_buf[16]; char *separator; int keyname_len; while (1) { separator = strchr(keys, '-'); keyname_len = separator ? separator - keys : strlen(keys); - pstrcpy(keyname_buf, sizeof(keyname_buf), keys); /* Be compatible with old interface, convert user inputted "<" */ - if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { - pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); + if (keys[0] == '<' && keyname_len == 1) { + keys = "less"; keyname_len = 4; } - keyname_buf[keyname_len] = 0; keylist = g_malloc0(sizeof(*keylist)); keylist->value = g_malloc0(sizeof(*keylist->value)); @@ -1505,16 +1502,17 @@ void hmp_send_key(Monitor *mon, const QD } tmp = keylist; - if (strstart(keyname_buf, "0x", NULL)) { + if (strstart(keys, "0x", NULL)) { char *endp; - int value = strtoul(keyname_buf, &endp, 0); - if (*endp != '\0') { + int value = strtoul(keys, &endp, 0); + assert(endp <= keys + keyname_len); + if (endp != keys + keyname_len) { goto err_out; } keylist->value->kind = KEY_VALUE_KIND_NUMBER; keylist->value->number = value; } else { - int idx = index_from_key(keyname_buf); + int idx = index_from_key(keys, keyname_len); if (idx == Q_KEY_CODE_MAX) { goto err_out; } @@ -1536,7 +1534,7 @@ out: return; err_out: - monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); + monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys); goto out; } Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h =================================================================== --- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/include/ui/console.h +++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/include/ui/console.h @@ -349,7 +349,7 @@ static inline int vnc_display_pw_expire( void curses_display_init(DisplayState *ds, int full_screen); /* input.c */ -int index_from_key(const char *key); +int index_from_key(const char *key, size_t key_length); /* gtk.c */ void early_gtk_display_init(void); Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c =================================================================== --- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/ui/input-legacy.c +++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/ui/input-legacy.c @@ -60,12 +60,13 @@ static QTAILQ_HEAD(, QEMUPutLEDEntry) le static QTAILQ_HEAD(, QEMUPutMouseEntry) mouse_handlers = QTAILQ_HEAD_INITIALIZER(mouse_handlers); -int index_from_key(const char *key) +int index_from_key(const char *key, size_t key_length) { int i; for (i = 0; QKeyCode_lookup[i] != NULL; i++) { - if (!strcmp(key, QKeyCode_lookup[i])) { + if (!strncmp(key, QKeyCode_lookup[i], key_length) && + !QKeyCode_lookup[i][key_length]) { break; } }