Eric Blake 51ae4f8455 nbd/server: CVE-2017-15118 Stack smash on large export name ... Introduced in commit f37708f6b8 (2.10). The NBD spec says a client can request export names up to 4096 bytes in length, even though they should not expect success on names longer than 256. However, qemu hard-codes the limit of 256, and fails to filter out a client that probes for a longer name; the result is a stack smash that can potentially give an attacker arbitrary control over the qemu process. The smash can be easily demonstrated with this client: $ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a) If the qemu NBD server binary (whether the standalone qemu-nbd, or the builtin server of QMP nbd-server-start) was compiled with -fstack-protector-strong, the ability to exploit the stack smash into arbitrary execution is a lot more difficult (but still theoretically possible to a determined attacker, perhaps in combination with other CVEs). Still, crashing a running qemu (and losing the VM) is bad enough, even if the attacker did not obtain full execution control. CC: qemu-stable@nongnu.org Signed-off-by: Eric Blake <eblake@redhat.com>		2017-11-28 06:58:01 -06:00
..
Makefile.objs	nbd: Split nbd.c	2016-01-15 18:58:02 +01:00
client.c	nbd/client: Don't hard-disconnect on ESHUTDOWN from server	2017-11-17 08:34:34 -06:00
common.c	nbd: Expose constants and structs for structured read	2017-10-30 21:07:21 +01:00
nbd-internal.h	nbd: Minimal structured read for client	2017-10-30 21:48:41 +01:00
server.c	nbd/server: CVE-2017-15118 Stack smash on large export name	2017-11-28 06:58:01 -06:00
trace-events	nbd/server: Fix structured read of length 0	2017-11-09 10:25:11 -06:00