aboutsummaryrefslogtreecommitdiff
path: root/nbd
diff options
context:
space:
mode:
authorEric Blake <eblake@redhat.com>2017-11-22 15:07:22 -0600
committerEric Blake <eblake@redhat.com>2017-11-28 06:58:01 -0600
commit51ae4f8455c9e32c54770c4ebc25bf86a8128183 (patch)
tree991736f0e77a9c02f82a0073910f48310e2c4d12 /nbd
parentfdad35ef6c5839d50dfc14073364ac893afebc30 (diff)
downloadqemu-51ae4f8455c9e32c54770c4ebc25bf86a8128183.zip
qemu-51ae4f8455c9e32c54770c4ebc25bf86a8128183.tar.gz
qemu-51ae4f8455c9e32c54770c4ebc25bf86a8128183.tar.bz2
nbd/server: CVE-2017-15118 Stack smash on large export name
Introduced in commit f37708f6b8 (2.10). The NBD spec says a client can request export names up to 4096 bytes in length, even though they should not expect success on names longer than 256. However, qemu hard-codes the limit of 256, and fails to filter out a client that probes for a longer name; the result is a stack smash that can potentially give an attacker arbitrary control over the qemu process. The smash can be easily demonstrated with this client: $ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a) If the qemu NBD server binary (whether the standalone qemu-nbd, or the builtin server of QMP nbd-server-start) was compiled with -fstack-protector-strong, the ability to exploit the stack smash into arbitrary execution is a lot more difficult (but still theoretically possible to a determined attacker, perhaps in combination with other CVEs). Still, crashing a running qemu (and losing the VM) is bad enough, even if the attacker did not obtain full execution control. CC: qemu-stable@nongnu.org Signed-off-by: Eric Blake <eblake@redhat.com>
Diffstat (limited to 'nbd')
-rw-r--r--nbd/server.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/nbd/server.c b/nbd/server.c
index a81801e..92c0fdd 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -386,6 +386,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length,
msg = "name length is incorrect";
goto invalid;
}
+ if (namelen >= sizeof(name)) {
+ msg = "name too long for qemu";
+ goto invalid;
+ }
if (nbd_read(client->ioc, name, namelen, errp) < 0) {
return -EIO;
}