Message ID | 20230704084210.101822-1-mcascell@redhat.com |
---|---|
State | New |
Headers | show |
Series | ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255) | expand |
On Tue, Jul 4, 2023 at 10:42 AM Mauro Matteo Cascella <mcascell@redhat.com> wrote: > A wrong exit condition may lead to an infinite loop when inflating a > valid zlib buffer containing some extra bytes in the `inflate_buffer` > function. The bug only occurs post-authentication. Return the buffer > immediately if the end of the compressed data has been reached > (Z_STREAM_END). > > Fixes: CVE-2023-3255 > Fixes: 0bf41cab ("ui/vnc: clipboard support") > Reported-by: Kevin Denis <kevin.denis@synacktiv.com> > Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Note: we may want to disconnect the client when there are extra bytes in the message, or print some warnings. > --- > ui/vnc-clipboard.c | 10 ++++------ > 1 file changed, 4 insertions(+), 6 deletions(-) > > diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c > index 8aeadfaa21..c759be3438 100644 > --- a/ui/vnc-clipboard.c > +++ b/ui/vnc-clipboard.c > @@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t > in_len, uint32_t *size) > ret = inflate(&stream, Z_FINISH); > switch (ret) { > case Z_OK: > - case Z_STREAM_END: > break; > + case Z_STREAM_END: > + *size = stream.total_out; > + inflateEnd(&stream); > + return out; > case Z_BUF_ERROR: > out_len <<= 1; > if (out_len > (1 << 20)) { > @@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t > in_len, uint32_t *size) > } > } > > - *size = stream.total_out; > - inflateEnd(&stream); > - > - return out; > - > err_end: > inflateEnd(&stream); > err: > -- > 2.41.0 > > >
On Tue, Jul 4, 2023 at 11:03 AM Marc-André Lureau <marcandre.lureau@gmail.com> wrote: > > > > On Tue, Jul 4, 2023 at 10:42 AM Mauro Matteo Cascella <mcascell@redhat.com> wrote: >> >> A wrong exit condition may lead to an infinite loop when inflating a >> valid zlib buffer containing some extra bytes in the `inflate_buffer` >> function. The bug only occurs post-authentication. Return the buffer >> immediately if the end of the compressed data has been reached >> (Z_STREAM_END). >> >> Fixes: CVE-2023-3255 >> Fixes: 0bf41cab ("ui/vnc: clipboard support") >> Reported-by: Kevin Denis <kevin.denis@synacktiv.com> >> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > > > Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com> > Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > > Note: we may want to disconnect the client when there are extra bytes in the message, or print some warnings. Sure, I guess we can call vnc_disconnect_finish or vnc_client_error for disconnecting, not sure how to properly print warnings. Feel free to add that yourself when applying the patch. Or I can try to send v2 if you prefer. Thanks, >> >> --- >> ui/vnc-clipboard.c | 10 ++++------ >> 1 file changed, 4 insertions(+), 6 deletions(-) >> >> diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c >> index 8aeadfaa21..c759be3438 100644 >> --- a/ui/vnc-clipboard.c >> +++ b/ui/vnc-clipboard.c >> @@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) >> ret = inflate(&stream, Z_FINISH); >> switch (ret) { >> case Z_OK: >> - case Z_STREAM_END: >> break; >> + case Z_STREAM_END: >> + *size = stream.total_out; >> + inflateEnd(&stream); >> + return out; >> case Z_BUF_ERROR: >> out_len <<= 1; >> if (out_len > (1 << 20)) { >> @@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) >> } >> } >> >> - *size = stream.total_out; >> - inflateEnd(&stream); >> - >> - return out; >> - >> err_end: >> inflateEnd(&stream); >> err: >> -- >> 2.41.0 >> >> > > > -- > Marc-André Lureau
04.07.2023 12:39, Mauro Matteo Cascella wrote: > On Tue, Jul 4, 2023 at 11:03 AM Marc-André Lureau > <marcandre.lureau@gmail.com> wrote: >> >> >> >> On Tue, Jul 4, 2023 at 10:42 AM Mauro Matteo Cascella <mcascell@redhat.com> wrote: >>> >>> A wrong exit condition may lead to an infinite loop when inflating a >>> valid zlib buffer containing some extra bytes in the `inflate_buffer` >>> function. The bug only occurs post-authentication. Return the buffer >>> immediately if the end of the compressed data has been reached >>> (Z_STREAM_END). >>> >>> Fixes: CVE-2023-3255 >>> Fixes: 0bf41cab ("ui/vnc: clipboard support") >>> Reported-by: Kevin Denis <kevin.denis@synacktiv.com> >>> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> >> >> >> Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com> >> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> >> >> Note: we may want to disconnect the client when there are extra bytes in the message, or print some warnings. > > Sure, I guess we can call vnc_disconnect_finish or vnc_client_error > for disconnecting, not sure how to properly print warnings. Feel free > to add that yourself when applying the patch. Or I can try to send v2 > if you prefer. Ping, for 8.1 and -stable? Thanks, /mjt
diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c index 8aeadfaa21..c759be3438 100644 --- a/ui/vnc-clipboard.c +++ b/ui/vnc-clipboard.c @@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) ret = inflate(&stream, Z_FINISH); switch (ret) { case Z_OK: - case Z_STREAM_END: break; + case Z_STREAM_END: + *size = stream.total_out; + inflateEnd(&stream); + return out; case Z_BUF_ERROR: out_len <<= 1; if (out_len > (1 << 20)) { @@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) } } - *size = stream.total_out; - inflateEnd(&stream); - - return out; - err_end: inflateEnd(&stream); err:
A wrong exit condition may lead to an infinite loop when inflating a valid zlib buffer containing some extra bytes in the `inflate_buffer` function. The bug only occurs post-authentication. Return the buffer immediately if the end of the compressed data has been reached (Z_STREAM_END). Fixes: CVE-2023-3255 Fixes: 0bf41cab ("ui/vnc: clipboard support") Reported-by: Kevin Denis <kevin.denis@synacktiv.com> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> --- ui/vnc-clipboard.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-)