xen/CVE-2012-6075-xsa41.patch

Subject: e1000: Discard packets that are too long if !SBP and !LPE
From: Michael Contreras michael@inetric.com Sun Dec 2 20:11:22 2012 -0800
Date: Wed Jan 16 14:12:40 2013 +0000:
Git: b4e9b8169dedc0bcf0d3abe07642f761ac70aeea

The e1000_receive function for the e1000 needs to discard packets longer than
1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
this behavior and allocates memory based on this assumption.

Signed-off-by: Michael Contreras <michael@inetric.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

Subject: e1000: Discard oversized packets based on SBP|LPE
From: Michael Contreras <michael@inetric.com>
Date: Wed, 5 Dec 2012 18:31:30 +0000 (-0500)

e1000: Discard oversized packets based on SBP|LPE

Discard packets longer than 16384 when !SBP to match the hardware behavior.

Signed-off-by: Michael Contreras <michael@inetric.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

[ This is a security vulnerability, CVE-2012-6075 / XSA-41. ]
(cherry picked from commit 4c2cae2a882db4d2a231b27b3b31a5bbec6dacbf)

Index: xen-4.2.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
===================================================================
--- xen-4.2.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+++ xen-4.2.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
@@ -55,6 +55,11 @@ static int debugflags = DBGBIT(TXERR) |
 #define REG_IOADDR 0x0
 #define REG_IODATA 0x4
 
+/* this is the size past which hardware will drop packets when setting LPE=0 */
+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
+/* this is the size past which hardware will drop packets when setting LPE=1 */
+#define MAXIMUM_ETHERNET_LPE_SIZE 16384
+
 /*
  * HW models:
  *  E1000_DEV_ID_82540EM works with Windows and Linux
@@ -628,6 +633,14 @@ e1000_receive(void *opaque, const uint8_
         return;
     }
 
+    /* Discard oversized packets if !LPE and !SBP. */
+    if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
+        (size > MAXIMUM_ETHERNET_VLAN_SIZE
+        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
+        && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+        return;
+    }
+
     if (!receive_filter(s, buf, size))
         return;
 
Index: xen-4.2.1-testing/tools/qemu-xen-dir-remote/hw/e1000.c
===================================================================
--- xen-4.2.1-testing.orig/tools/qemu-xen-dir-remote/hw/e1000.c
+++ xen-4.2.1-testing/tools/qemu-xen-dir-remote/hw/e1000.c
@@ -59,6 +59,11 @@ static int debugflags = DBGBIT(TXERR) |
 #define PNPMMIO_SIZE      0x20000
 #define MIN_BUF_SIZE      60 /* Min. octets in an ethernet frame sans FCS */
 
+/* this is the size past which hardware will drop packets when setting LPE=0 */
+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
+/* this is the size past which hardware will drop packets when setting LPE=1 */
+#define MAXIMUM_ETHERNET_LPE_SIZE 16384
+
 /*
  * HW models:
  *  E1000_DEV_ID_82540EM works with Windows and Linux
@@ -693,6 +698,14 @@ e1000_receive(VLANClientState *nc, const
         size = sizeof(min_buf);
     }
 
+    /* Discard oversized packets if !LPE and !SBP. */
+    if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
+        (size > MAXIMUM_ETHERNET_VLAN_SIZE
+        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
+        && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+        return size;
+    }
+
     if (!receive_filter(s, buf, size))
         return size;
- bnc#797285 - VUL-0: Xen: XSA-34 (CVE-2013-0151) - nested virtualization on 32-bit exposes host crash CVE-2013-0151-xsa34.patch - bnc#797287 - VUL-0: Xen: XSA-35 (CVE-2013-0152) - Nested HVM exposes host to being driven out of memory by guest CVE-2013-0152-xsa35.patch - bnc#793717 - NetWare will not boot on Xen 4.2 xnloader.py domUloader.py pygrub-netware-xnloader.patch Removed reverse-24757-use-grant-references.patch - bnc#797523 - VUL-1: CVE-2012-6075: qemu / kvm-qemu: e1000 overflows under some conditions CVE-2012-6075-xsa41.patch - Mask the floating point exceptions for guests like NetWare on machines that support XSAVE. x86-fpu-context-conditional.patch - fate##313584: pass bios information to XEN HVM guest 26341-hvm-firmware-passthrough.patch 26342-hvm-firmware-passthrough.patch 26343-hvm-firmware-passthrough.patch 26344-hvm-firmware-passthrough.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=223 2013-01-22 15:40:06 +00:00			`Subject: e1000: Discard packets that are too long if !SBP and !LPE`
			`From: Michael Contreras michael@inetric.com Sun Dec 2 20:11:22 2012 -0800`
			`Date: Wed Jan 16 14:12:40 2013 +0000:`
			`Git: b4e9b8169dedc0bcf0d3abe07642f761ac70aeea`

			`The e1000_receive function for the e1000 needs to discard packets longer than`
			`1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes`
			`this behavior and allocates memory based on this assumption.`

			`Signed-off-by: Michael Contreras <michael@inetric.com>`
			`Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>`

			`Subject: e1000: Discard oversized packets based on SBP\|LPE`
			`From: Michael Contreras <michael@inetric.com>`
			`Date: Wed, 5 Dec 2012 18:31:30 +0000 (-0500)`

			`e1000: Discard oversized packets based on SBP\|LPE`

			`Discard packets longer than 16384 when !SBP to match the hardware behavior.`

			`Signed-off-by: Michael Contreras <michael@inetric.com>`
			`Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>`

			`[ This is a security vulnerability, CVE-2012-6075 / XSA-41. ]`
			`(cherry picked from commit 4c2cae2a882db4d2a231b27b3b31a5bbec6dacbf)`

			`Index: xen-4.2.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c`
			`===================================================================`
			`--- xen-4.2.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c`
			`+++ xen-4.2.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c`
			`@@ -55,6 +55,11 @@ static int debugflags = DBGBIT(TXERR) \|`
			`#define REG_IOADDR 0x0`
			`#define REG_IODATA 0x4`

			`+/* this is the size past which hardware will drop packets when setting LPE=0 */`
			`+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522`
			`+/* this is the size past which hardware will drop packets when setting LPE=1 */`
			`+#define MAXIMUM_ETHERNET_LPE_SIZE 16384`
			`+`
			`/*`
			`* HW models:`
			`* E1000_DEV_ID_82540EM works with Windows and Linux`
			`@@ -628,6 +633,14 @@ e1000_receive(void *opaque, const uint8_`
			`return;`
			`}`

			`+ /* Discard oversized packets if !LPE and !SBP. */`
			`+ if ((size > MAXIMUM_ETHERNET_LPE_SIZE \|\|`
			`+ (size > MAXIMUM_ETHERNET_VLAN_SIZE`
			`+ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))`
			`+ && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {`
			`+ return;`
			`+ }`
			`+`
			`if (!receive_filter(s, buf, size))`
			`return;`

			`Index: xen-4.2.1-testing/tools/qemu-xen-dir-remote/hw/e1000.c`
			`===================================================================`
			`--- xen-4.2.1-testing.orig/tools/qemu-xen-dir-remote/hw/e1000.c`
			`+++ xen-4.2.1-testing/tools/qemu-xen-dir-remote/hw/e1000.c`
			`@@ -59,6 +59,11 @@ static int debugflags = DBGBIT(TXERR) \|`
			`#define PNPMMIO_SIZE 0x20000`
			`#define MIN_BUF_SIZE 60 /* Min. octets in an ethernet frame sans FCS */`

			`+/* this is the size past which hardware will drop packets when setting LPE=0 */`
			`+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522`
			`+/* this is the size past which hardware will drop packets when setting LPE=1 */`
			`+#define MAXIMUM_ETHERNET_LPE_SIZE 16384`
			`+`
			`/*`
			`* HW models:`
			`* E1000_DEV_ID_82540EM works with Windows and Linux`
			`@@ -693,6 +698,14 @@ e1000_receive(VLANClientState *nc, const`
			`size = sizeof(min_buf);`
			`}`

			`+ /* Discard oversized packets if !LPE and !SBP. */`
			`+ if ((size > MAXIMUM_ETHERNET_LPE_SIZE \|\|`
			`+ (size > MAXIMUM_ETHERNET_VLAN_SIZE`
			`+ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))`
			`+ && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {`
			`+ return size;`
			`+ }`
			`+`
			`if (!receive_filter(s, buf, size))`
			`return size;`