hmp: fix sendkey out of bounds write (CVE-2015-8619)
When processing 'sendkey' command, hmp_sendkey routine null terminates the 'keyname_buf' array. This results in an OOB write issue, if 'keyname_len' was to fall outside of 'keyname_buf' array. Since the keyname's length is known the keyname_buf can be removed altogether by adding a length parameter to index_from_key() and using it for the error output as well. Reported-by: Ling Liu <liuling-it@360.cn> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Message-Id: <20160113080958.GA18934@olga> [Comparison with "<" dumbed down, test for junk after strtoul() tweaked] Signed-off-by: Markus Armbruster <armbru@redhat.com>
This commit is contained in:
parent
c65db7705b
commit
64ffbe04ea
18
hmp.c
18
hmp.c
@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
|
||||
int has_hold_time = qdict_haskey(qdict, "hold-time");
|
||||
int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
|
||||
Error *err = NULL;
|
||||
char keyname_buf[16];
|
||||
char *separator;
|
||||
int keyname_len;
|
||||
|
||||
while (1) {
|
||||
separator = strchr(keys, '-');
|
||||
keyname_len = separator ? separator - keys : strlen(keys);
|
||||
pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
|
||||
|
||||
/* Be compatible with old interface, convert user inputted "<" */
|
||||
if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
|
||||
pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
|
||||
if (keys[0] == '<' && keyname_len == 1) {
|
||||
keys = "less";
|
||||
keyname_len = 4;
|
||||
}
|
||||
keyname_buf[keyname_len] = 0;
|
||||
|
||||
keylist = g_malloc0(sizeof(*keylist));
|
||||
keylist->value = g_malloc0(sizeof(*keylist->value));
|
||||
@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
|
||||
}
|
||||
tmp = keylist;
|
||||
|
||||
if (strstart(keyname_buf, "0x", NULL)) {
|
||||
if (strstart(keys, "0x", NULL)) {
|
||||
char *endp;
|
||||
int value = strtoul(keyname_buf, &endp, 0);
|
||||
if (*endp != '\0') {
|
||||
int value = strtoul(keys, &endp, 0);
|
||||
assert(endp <= keys + keyname_len);
|
||||
if (endp != keys + keyname_len) {
|
||||
goto err_out;
|
||||
}
|
||||
keylist->value->type = KEY_VALUE_KIND_NUMBER;
|
||||
keylist->value->u.number = value;
|
||||
} else {
|
||||
int idx = index_from_key(keyname_buf);
|
||||
int idx = index_from_key(keys, keyname_len);
|
||||
if (idx == Q_KEY_CODE__MAX) {
|
||||
goto err_out;
|
||||
}
|
||||
@ -1789,7 +1787,7 @@ out:
|
||||
return;
|
||||
|
||||
err_out:
|
||||
monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
|
||||
monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)
|
||||
void curses_display_init(DisplayState *ds, int full_screen);
|
||||
|
||||
/* input.c */
|
||||
int index_from_key(const char *key);
|
||||
int index_from_key(const char *key, size_t key_length);
|
||||
|
||||
/* gtk.c */
|
||||
void early_gtk_display_init(int opengl);
|
||||
|
@ -57,12 +57,13 @@ struct QEMUPutLEDEntry {
|
||||
static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =
|
||||
QTAILQ_HEAD_INITIALIZER(led_handlers);
|
||||
|
||||
int index_from_key(const char *key)
|
||||
int index_from_key(const char *key, size_t key_length)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
|
||||
if (!strcmp(key, QKeyCode_lookup[i])) {
|
||||
if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
|
||||
!QKeyCode_lookup[i][key_length]) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user