diff options
author | Eric Blake <eblake@redhat.com> | 2017-11-22 15:07:22 -0600 |
---|---|---|
committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2017-12-06 11:41:27 -0600 |
commit | 227196c1e73a77769dcbc9c3563f4ede7b908ad7 (patch) | |
tree | 20181c0f7ec6ae9487a4aa6d4836f4ea8cc253b2 | |
parent | 2ce8993512fb5e6ba4d4f62cecd159d3862a9a7e (diff) | |
download | qemu-227196c1e73a77769dcbc9c3563f4ede7b908ad7.tar.gz |
nbd/server: CVE-2017-15118 Stack smash on large export name
Introduced in commit f37708f6b8 (2.10). The NBD spec says a client
can request export names up to 4096 bytes in length, even though
they should not expect success on names longer than 256. However,
qemu hard-codes the limit of 256, and fails to filter out a client
that probes for a longer name; the result is a stack smash that can
potentially give an attacker arbitrary control over the qemu
process.
The smash can be easily demonstrated with this client:
$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
If the qemu NBD server binary (whether the standalone qemu-nbd, or
the builtin server of QMP nbd-server-start) was compiled with
-fstack-protector-strong, the ability to exploit the stack smash
into arbitrary execution is a lot more difficult (but still
theoretically possible to a determined attacker, perhaps in
combination with other CVEs). Still, crashing a running qemu (and
losing the VM) is bad enough, even if the attacker did not obtain
full execution control.
CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 51ae4f8455c9e32c54770c4ebc25bf86a8128183)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-rw-r--r-- | nbd/server.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/nbd/server.c b/nbd/server.c index b93cb88911..56aed3a735 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -393,6 +393,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length, msg = "name length is incorrect"; goto invalid; } + if (namelen >= sizeof(name)) { + msg = "name too long for qemu"; + goto invalid; + } if (nbd_read(client->ioc, name, namelen, errp) < 0) { return -EIO; } |