From 710dbef9a85db4572ca907e68521cfe1fbb4e4d2e767285786787b1979689b9b Mon Sep 17 00:00:00 2001
From: Bruce Rogers
Date: Mon, 6 Feb 2012 22:52:19 +0000
Subject: [PATCH] - avoid buffer overflow in e1000 device emulation (bnc#740165)

OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=49
---
 ...unds-packet-size-against-buffer-size.patch | 37 +++++++++++++++++++
 qemu.changes | 5 +++
 qemu.spec | 11 +++---
 3 files changed, 47 insertions(+), 6 deletions(-)
 create mode 100644 0054-e1000-bounds-packet-size-against-buffer-size.patch

diff --git a/0054-e1000-bounds-packet-size-against-buffer-size.patch b/0054-e1000-bounds-packet-size-against-buffer-size.patch
new file mode 100644
index 00000000..c5ad40c8
--- /dev/null
+++ b/0054-e1000-bounds-packet-size-against-buffer-size.patch
@@ -0,0 +1,37 @@
+From 2335c9428ecb8066cf354bd6f2b21998941e8518 Mon Sep 17 00:00:00 2001
+From: Anthony Liguori
+Date: Mon, 23 Jan 2012 07:30:43 -0600
+Subject: [PATCH 53/53] e1000: bounds packet size against buffer size
+
+Otherwise we can write beyond the buffer and corrupt memory. This is tracked
+as CVE-2012-0029.
+
+Signed-off-by: Anthony Liguori
+---
+ hw/e1000.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 19ca5bf..22a601a 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ bytes = split_size;
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+ pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
+ if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+ memmove(tp->header, tp->data, hdr);
+@@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
+ } else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+ pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
+ tp->size += split_size;
+ }
+--
+1.7.7
+
diff --git a/qemu.changes b/qemu.changes
index 5d91ca19..955761aa 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Feb 6 22:24:27 UTC 2012 - brogers@suse.com
+
+- avoid buffer overflow in e1000 device emulation (bnc#740165)
+
 -------------------------------------------------------------------
 Mon Feb 6 19:29:33 UTC 2012 - agraf@suse.de
diff --git a/qemu.spec b/qemu.spec
index 7bcfd2eb..43bbc4b7 100644
--- a/qemu.spec
+++ b/qemu.spec
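Review bot: The two new MIN() clamps in the 0054 patch truncate the DMA read silently, so a guest descriptor chain that would overrun tp->data now yields a short frame with no trace at all, while the neighbouring TSE-mismatch branch in the same hunk at least emits DBGOUT(TXERR, ...). A guard before each clamp such as `if (split_size > sizeof(tp->data) - tp->size) DBGOUT(TXERR, "TX descriptor overruns tp->data, truncating\n");` plus a comment `/* never read past the end of tp->data (CVE-2012-0029) */` would keep the condition observable in a debug build. The clamp also relies on tp->size never exceeding sizeof(tp->data): the subtraction is performed in size_t, so a larger tp->size would wrap to a huge bound and MIN() would become a no-op; on the paths visible here tp->size only grows by already-clamped amounts, but the invariant is worth stating in a comment since other writers of tp->size are outside this hunk. process_tx_desc begins and ends outside the hunk, and the file is a verbatim backport of upstream 2335c9428ecb, so any such addition would be a local deviation to carry on rebase.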
@@ -15,14 +15,11 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild - - Name: qemu Url: http://fabrice.bellard.free.fr/qemu/ -License: BSD3c(or similar) ; GPLv2+ ; LGPLv2.1+ ; MIT License (or similar) -Group: System/Emulators/PC Summary: Universal CPU emulator +License: BSD-3-Clause ; GPL-2.0+ ; LGPL-2.1+ ; MIT +Group: System/Emulators/PC Version: 1.0 Release: 0 Source: %name-%version.tar.bz2 @@ -79,6 +76,7 @@ Patch0050: 0050-linux-user-Add-ioctl-for-BLKBSZGET.patch Patch0051: 0051-linux-user-take-RESERVED_VA-into-account-for-g2h_va.patch Patch0052: 0052-linux-user-binfmt-support-host-binaries.patch Patch0053: 0053-linux-user-fix-fallocate.patch +Patch0054: 0054-e1000-bounds-packet-size-against-buffer-size.patch # this is to make lint happy Source300: rpmlintrc BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -121,8 +119,8 @@ system. It currently emulates x86, ARM, PowerPC and SPARC CPUs as well as PC and PowerMac systems. %package linux-user -Group: System/Emulators/PC Summary: Universal CPU emulator -- Linux User binaries +Group: System/Emulators/PC Provides: qemu:%_bindir/qemu-arm %description linux-user @@ -191,6 +189,7 @@ run cross architectures builds %patch0051 -p1 %patch0052 -p1 %patch0053 -p1 +%patch0054 -p1 %build # build QEMU
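Review bot: The new `Patch0054:` line carries no comment tying the patch to the vulnerability it fixes, and the changelog entry in this commit names only bnc#740165, so the CVE identifier is visible only inside the patch file itself. A comment above the line, e.g. `# PATCH-FIX-UPSTREAM 0054-e1000-bounds-packet-size-against-buffer-size.patch CVE-2012-0029 bnc#740165 -- e1000: bounds packet size against buffer size`, would let security tracking and future rebases locate the fix without opening the patch. Separately, the first hunk of this file rewrites the License and Group tags and drops `# norootforbuild`, which is unrelated to the e1000 fix and would be easier to audit as its own commit; the final `%build` hunk may continue past what is shown here.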