- avoid buffer overflow in e1000 device emulation (bnc#740165)

OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=49

0054-e1000-bounds-packet-size-against-buffer-size.patch

@@ -0,0 +1,37 @@
+From 2335c9428ecb8066cf354bd6f2b21998941e8518 Mon Sep 17 00:00:00 2001
+From: Anthony Liguori <aliguori@us.ibm.com>
+Date: Mon, 23 Jan 2012 07:30:43 -0600
+Subject: [PATCH 53/53] e1000: bounds packet size against buffer size
+
+Otherwise we can write beyond the buffer and corrupt memory.  This is tracked
+as CVE-2012-0029.
+
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+---
+ hw/e1000.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 19ca5bf..22a601a 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+             bytes = split_size;
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
++
++            bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+             pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
+             if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+                 memmove(tp->header, tp->data, hdr);
+@@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         // context descriptor TSE is not set, while data descriptor TSE is set
+         DBGOUT(TXERR, "TCP segmentaion Error\n");
+     } else {
++        split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+         pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
+         tp->size += split_size;
+     }
+-- 
+1.7.7
+

qemu.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Feb  6 22:24:27 UTC 2012 - brogers@suse.com
+
+- avoid buffer overflow in e1000 device emulation (bnc#740165)
+
 -------------------------------------------------------------------
 Mon Feb  6 19:29:33 UTC 2012 - agraf@suse.de
 

qemu.spec

@@ -15,14 +15,11 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
-# norootforbuild
-
-
 Name:           qemu
 Url:            http://fabrice.bellard.free.fr/qemu/
-License:        BSD3c(or similar) ; GPLv2+ ; LGPLv2.1+ ; MIT License (or similar)
-Group:          System/Emulators/PC
 Summary:        Universal CPU emulator
+License:        BSD-3-Clause ; GPL-2.0+ ; LGPL-2.1+ ; MIT
+Group:          System/Emulators/PC
 Version:        1.0
 Release:        0
 Source:         %name-%version.tar.bz2
@@ -79,6 +76,7 @@ Patch0050:      0050-linux-user-Add-ioctl-for-BLKBSZGET.patch
 Patch0051:      0051-linux-user-take-RESERVED_VA-into-account-for-g2h_va.patch
 Patch0052:      0052-linux-user-binfmt-support-host-binaries.patch
 Patch0053:      0053-linux-user-fix-fallocate.patch
+Patch0054:      0054-e1000-bounds-packet-size-against-buffer-size.patch
 # this is to make lint happy
 Source300:      rpmlintrc
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -121,8 +119,8 @@ system. It currently emulates x86, ARM, PowerPC and SPARC CPUs as well
 as PC and PowerMac systems.
 
 %package linux-user
-Group:          System/Emulators/PC
 Summary:        Universal CPU emulator -- Linux User binaries
+Group:          System/Emulators/PC
 Provides:       qemu:%_bindir/qemu-arm
 
 %description linux-user
@@ -191,6 +189,7 @@ run cross architectures builds
 %patch0051 -p1
 %patch0052 -p1
 %patch0053 -p1
+%patch0054 -p1
 
 %build
 # build QEMU