oss-security - Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <a53a29d0-183a-490b-561b-f2ce4033c2ba@redhat.com>
Date: Fri, 17 Aug 2018 10:03:40 +0200
From: Florian Weimer <fweimer@...hat.com>
To: Doran Moppert <dmoppert@...hat.com>
Cc: oss-security@...ts.openwall.com, Frediano Ziglio <fziglio@...hat.com>
Subject: Re: spice CVE-2018-10873: post-auth crash or potential
 heap corruption when demarshalling

On 08/17/2018 02:51 AM, Doran Moppert wrote:
>      +        if (SPICE_UNLIKELY((start + 2) > message_end)) {
>      +            goto error;
>      +        }

These checks are still technically invalid because start + 2 is not a 
valid pointer if it points past the allocated object.

This is more problematic here:

>     +            if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) {
>     +                goto error;
>     +            }

If cursor_u__nw_size results in pointer wraparound, the check might fail 
incorrectly.

The commit message quotes the right pattern, nw_size > (uintptr_t) 
(message_end - start), but it is not used in the actual code AFAICS.

Thanks,
Florian

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.