[qemu] Add vPMU support and fix for CVE-2012-0029.
Justin M. Forbes
jforbes at fedoraproject.org
Tue Jan 24 22:26:01 UTC 2012
commit 4d9bbd115e9e5892ef24807524ca4c767f0e75e6
Author: Justin M. Forbes <jforbes at redhat.com>
Date: Tue Jan 24 16:25:49 2012 -0600
Add vPMU support and fix for CVE-2012-0029.
...00-bounds-packet-size-against-buffer-size.patch | 37 ++++++++++++++++++++
enable_architectural_PMU_cpuid_leaf.patch | 37 ++++++++++++++++++++
qemu.spec | 15 +++++++-
3 files changed, 87 insertions(+), 2 deletions(-)
---
diff --git a/0026-e1000-bounds-packet-size-against-buffer-size.patch b/0026-e1000-bounds-packet-size-against-buffer-size.patch
new file mode 100644
index 0000000..bd2bdc7
--- /dev/null
+++ b/0026-e1000-bounds-packet-size-against-buffer-size.patch
@@ -0,0 +1,37 @@
+From d0ed2d2e8e863a9a64c9fc9c08fa68bee546ad00 Mon Sep 17 00:00:00 2001
+From: Anthony Liguori <aliguori at us.ibm.com>
+Date: Mon, 23 Jan 2012 07:30:43 -0600
+Subject: [PATCH 26/26] e1000: bounds packet size against buffer size
+
+Otherwise we can write beyond the buffer and corrupt memory. This is tracked
+as CVE-2012-0029.
+
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+---
+ hw/e1000.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 986ed9c..e164d79 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ bytes = split_size;
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+ pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
+ if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+ memmove(tp->header, tp->data, hdr);
+@@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
+ } else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+ pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
+ tp->size += split_size;
+ }
+--
+1.7.7.6
+
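Review bot: The two new MIN clamps on `bytes` and `split_size` silently truncate a frame whose guest-supplied descriptor length exceeds the space left in tp->data, so the overflow is closed but a malformed descriptor now yields a truncated transmit with no trace in the logs. Guarding a `DBGOUT(TXERR, "tx descriptor exceeds buffer, truncating\n");` on the clamped value differing from the original would make such guests visible to whoever reads the debug output, and a comment above the first MIN such as `/* tp->data is fixed-size; never let a guest descriptor DMA past its end (CVE-2012-0029) */` keeps the next refactor from dropping the bound. Both clamps rely on tp->size never exceeding sizeof(tp->data), since the subtraction is unsigned and would wrap otherwise; that holds only if every path that grows tp->size is bounded the same way, and the rest of process_tx_desc, including where tp->size is reset, lies outside this hunk.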
diff --git a/enable_architectural_PMU_cpuid_leaf.patch b/enable_architectural_PMU_cpuid_leaf.patch
new file mode 100644
index 0000000..f0a7415
--- /dev/null
+++ b/enable_architectural_PMU_cpuid_leaf.patch
@@ -0,0 +1,37 @@
+commit a0fa82085e175bf8ce6d69a3f83695f81af2a649
+Author: Gleb Natapov <gleb at redhat.com>
+Date: Thu Dec 15 12:44:05 2011 +0200
+
+ enable architectural PMU cpuid leaf for kvm
+
+ Signed-off-by: Gleb Natapov <gleb at redhat.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
+
+diff --git a/target-i386/cpuid.c b/target-i386/cpuid.c
+index 0b3af90..91a104b 100644
+--- a/target-i386/cpuid.c
++++ b/target-i386/cpuid.c
+@@ -1180,10 +1180,19 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+ break;
+ case 0xA:
+ /* Architectural Performance Monitoring Leaf */
+- *eax = 0;
+- *ebx = 0;
+- *ecx = 0;
+- *edx = 0;
++ if (kvm_enabled()) {
++ KVMState *s = env->kvm_state;
++
++ *eax = kvm_arch_get_supported_cpuid(s, 0xA, count, R_EAX);
++ *ebx = kvm_arch_get_supported_cpuid(s, 0xA, count, R_EBX);
++ *ecx = kvm_arch_get_supported_cpuid(s, 0xA, count, R_ECX);
++ *edx = kvm_arch_get_supported_cpuid(s, 0xA, count, R_EDX);
++ } else {
++ *eax = 0;
++ *ebx = 0;
++ *ecx = 0;
++ *edx = 0;
++ }
+ break;
+ case 0xD:
+ /* Processor Extended State */
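Review bot: The kvm_enabled() branch passes through whatever PMU leaf the host KVM reports, with no per-CPU switch to hide it, so the values a guest sees in leaf 0xA now depend on the host rather than on the selected CPU model; that widens the guest-visible interface unconditionally and can break migration between hosts whose PMU versions differ. A comment above the branch should record this, e.g. `/* Under KVM leaf 0xA mirrors the host PMU; this makes it host-dependent and not controlled by the CPU model */`, and a CPU-model property to disable the leaf is worth a follow-up. The enclosing cpu_x86_cpuid switch starts and ends outside this hunk.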
diff --git a/qemu.spec b/qemu.spec
index c9d4686..62e8d03 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,7 +1,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 1.0
-Release: 2%{?dist}
+Release: 3%{?dist}
# Epoch because we pushed a qemu-1.0 package
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
@@ -64,7 +64,8 @@ Patch22: 0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch
Patch23: 0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch
Patch24: 0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch
Patch25: 0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch
-Patch26: virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
+Patch26: 0026-e1000-bounds-packet-size-against-buffer-size.patch
+Patch27: virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
# USB Redirect patches should go upstream soon!
Patch101: 0101-usb-redir-Clear-iso-irq-error-when-stopping-the-stre.patch
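Review bot: Inserting the e1000 fix as Patch26 renumbers the existing virtio-blk patch to Patch27, so a line unrelated to this commit changes and the existing `%patch26 -p1` in %prep now applies a different file than before, which makes the history of that patch harder to follow. Using the next unused number in the group, or a dedicated range for security fixes the way Patch301 is used for feature patches, avoids touching the existing entry. As written, the %prep hunk that adds `%patch27 -p1` is consistent with the renumbering.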
@@ -89,6 +90,9 @@ Patch118: 0118-char-Disable-write-callback-if-throttled-chardev-is-.patch
# General bug fixes
Patch201: Fix_save-restore_of_in-kernel_i8259.patch
+# Feature patches, should be in 1.1 before release
+Patch301: enable_architectural_PMU_cpuid_leaf.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
BuildRequires: libaio-devel
@@ -333,6 +337,7 @@ such as kvm_stat.
%patch24 -p1
%patch25 -p1
%patch26 -p1
+%patch27 -p1
%patch101 -p1
%patch102 -p1
@@ -355,6 +360,8 @@ such as kvm_stat.
%patch201 -p1
+%patch301 -p1
+
%build
# By default we build everything, but allow x86 to build a minimal version
# with only similar arch target support
@@ -733,6 +740,10 @@ fi
%{_mandir}/man1/qemu-img.1*
%changelog
+* Tue Jan 24 2012 Justin M. Forbes <jforbes at redhat.com> - 2:1.0-3
+- Add support for vPMU
+- e1000: bounds packet size against buffer size CVE-2012-0029
+
* Fri Jan 13 2012 Justin M. Forbes <jforbes at redhat.com> - 2:1.0-2
- Add patches for USB redirect bits
- Remove palcode-clipper, we don't build it