From owner-svn-src-head@freebsd.org  Sat Jun 10 16:57:44 2017
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id AC656BF1E1A;
 Sat, 10 Jun 2017 16:57:44 +0000 (UTC)
 (envelope-from cse.cem@gmail.com)
Received: from mail-wr0-f176.google.com (mail-wr0-f176.google.com
 [209.85.128.176])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 577627F8B3;
 Sat, 10 Jun 2017 16:57:44 +0000 (UTC)
 (envelope-from cse.cem@gmail.com)
Received: by mail-wr0-f176.google.com with SMTP id v104so59016788wrb.0;
 Sat, 10 Jun 2017 09:57:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:reply-to:in-reply-to:references
 :from:date:message-id:subject:to:cc;
 bh=tjGoSbn3T2Z4BRv1St963vRtHvAuPANc2wEboqY39QE=;
 b=IT/iYJsDSwU3w0St58JOh9b8lymG2vCd0H/sz1LCPY0FyY0Rdnur4Ms9J+07KA3ppi
 EduPTjcy7p+C4lRFk6pahhh5Mtr7czYnyvTV+TXRYghOw8KI/VGtX8IuVWSo7JGaGg5r
 3MOtT1uban28ADAbyDW2ycCGmxqOKA+HwCf4cZbBAwnJw08IpuJvI/PZ2KyDBQe31jX4
 7Dhosz/5NJ2zHn23mermU/ZZmEBGiIT+bqHhdygasaRQj2YIn9ESYIvi8gnTpNy6IbfT
 CeQW6Xf8qvZrCx6IMdhhxzZoZKc4cKYdPZiyoNkBatHiqxOSE8MYBzVVX/+p31ZQVzFo
 M56A==
X-Gm-Message-State: AKS2vOxPEHSgy/JCpAfuTotqfEybfKrUl0kmnT+gJihyymGqjqqhJnGV
 PJde+UBsJSQRUx5v+bs=
X-Received: by 10.28.13.211 with SMTP id 202mr3171844wmn.23.1497113421491;
 Sat, 10 Jun 2017 09:50:21 -0700 (PDT)
Received: from mail-wr0-f170.google.com (mail-wr0-f170.google.com.
 [209.85.128.170])
 by smtp.gmail.com with ESMTPSA id w18sm3057025wmw.26.2017.06.10.09.50.21
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Sat, 10 Jun 2017 09:50:21 -0700 (PDT)
Received: by mail-wr0-f170.google.com with SMTP id q97so59219967wrb.2;
 Sat, 10 Jun 2017 09:50:21 -0700 (PDT)
X-Received: by 10.80.186.201 with SMTP id x67mr36995690ede.46.1497113421220;
 Sat, 10 Jun 2017 09:50:21 -0700 (PDT)
MIME-Version: 1.0
Reply-To: cem@freebsd.org
Received: by 10.80.164.154 with HTTP; Sat, 10 Jun 2017 09:50:20 -0700 (PDT)
In-Reply-To: <201706020235.v522ZGeC076100@repo.freebsd.org>
References: <201706020235.v522ZGeC076100@repo.freebsd.org>
From: Conrad Meyer <cem@freebsd.org>
Date: Sat, 10 Jun 2017 09:50:20 -0700
X-Gmail-Original-Message-ID: <CAG6CVpUohZppgV+KXNHsvhFkXvw3rtd20iGSi3P=vDAG+s6vjw@mail.gmail.com>
Message-ID: <CAG6CVpUohZppgV+KXNHsvhFkXvw3rtd20iGSi3P=vDAG+s6vjw@mail.gmail.com>
Subject: Re: svn commit: r319487 - head/usr.sbin/bhyve
To: Marcelo Araujo <araujo@freebsd.org>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, 
 svn-src-head@freebsd.org
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Jun 2017 16:57:44 -0000

Hi,

Additionally, one more issue pointed out by Coverity below :-).

On Thu, Jun 1, 2017 at 7:35 PM, Marcelo Araujo <araujo@freebsd.org> wrote:
> Author: araujo
> Date: Fri Jun  2 02:35:16 2017
> New Revision: 319487
> URL: https://svnweb.freebsd.org/changeset/base/319487
>
> Log:
>   Add VNC Authentication support based on RFC6143 section 7.2.2.
>
> ...
> Modified: head/usr.sbin/bhyve/rfb.c
> ==============================================================================
> --- head/usr.sbin/bhyve/rfb.c   Fri Jun  2 01:00:40 2017        (r319486)
> +++ head/usr.sbin/bhyve/rfb.c   Fri Jun  2 02:35:16 2017        (r319487)
> ...
> @@ -739,8 +754,19 @@ rfb_handle(struct rfb_softc *rc, int cfd)
>  {
>         const char *vbuf = "RFB 003.008\n";
>         unsigned char buf[80];
> +       unsigned char *message;

Message is uninitialized.

> +
> +#ifndef NO_OPENSSL
> +       unsigned char challenge[AUTH_LENGTH];
> +       unsigned char keystr[PASSWD_LENGTH];
> +       unsigned char crypt_expected[AUTH_LENGTH];
> +
> +       DES_key_schedule ks;
> +       int i;
> +#endif
> +
>         pthread_t tid;
> -        uint32_t sres;
> +       uint32_t sres;

sres is also uninitialized.

>         int len;
>
>         rc->cfd = cfd;
> @@ -751,19 +777,91 @@ rfb_handle(struct rfb_softc *rc, int cfd)
>         /* 1b. Read client version */
>         len = read(cfd, buf, sizeof(buf));
>
> -       /* 2a. Send security type 'none' */
> +       /* 2a. Send security type */
>         buf[0] = 1;
> -       buf[1] = 1; /* none */
> +#ifndef NO_OPENSSL
> +       if (rc->password)
> +               buf[1] = SECURITY_TYPE_VNC_AUTH;
> +       else
> +               buf[1] = SECURITY_TYPE_NONE;
> +#else
> +       buf[1] = SECURITY_TYPE_NONE;
> +#endif
> +
>         stream_write(cfd, buf, 2);
>
> -
>         /* 2b. Read agreed security type */
>         len = stream_read(cfd, buf, 1);

A malicious server negotiation could respond in ways that break later
assumptions:

1. Respond to NONE with VNC_AUTH.  In this case rc->password will be
NULL and strncpy() below will cause a SIGSEGV.
2. Respond to VNC_AUTH with a bogus value.  In this case, neither sres
nor message is ever initialized.

> ...
> +       /* 2d. Write back a status */
>         stream_write(cfd, &sres, 4);

Bogus sres could be used here.

>
> +       if (sres) {
> +               *((uint32_t *) buf) = htonl(strlen(message));

Bogus message could be dereferenced here, resulting in SIGSEGV.

Additionally, aliasing char array buf via a uint32_t pointer is
invalid C.  I'd suggest instead:

be32enc(buf, strlen(message));

> +               stream_write(cfd, buf, 4);
> +                stream_write(cfd, message, strlen(message));
> +               goto done;
> +       }
> +
>         /* 3a. Read client shared-flag byte */
>         len = stream_read(cfd, buf, 1);
>
> ...

Best,
Conrad