[qemu/f16] CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) virtio-blk: refuse SG_IO requests with sc

Cole Robinson crobinso at fedoraproject.org
Tue May 29 13:47:44 UTC 2012


commit 20c0da0067c56f83fc34e5057af2ab1c89269b25
Author: Cole Robinson <crobinso at redhat.com>
Date:   Tue May 29 09:47:40 2012 -0400

    CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075)
    virtio-blk: refuse SG_IO requests with scsi=off (bz 826042)

 qemu-CVE-2012-0029.patch                           |   20 ++++
 ...o-blk_refuse_SG_IO_requests_with_scsi_off.patch |  111 ++++++++++++++++++++
 qemu.spec                                          |   12 ++-
 3 files changed, 142 insertions(+), 1 deletions(-)
---
diff --git a/qemu-CVE-2012-0029.patch b/qemu-CVE-2012-0029.patch
new file mode 100644
index 0000000..d0c66b5
--- /dev/null
+++ b/qemu-CVE-2012-0029.patch
@@ -0,0 +1,20 @@
+diff -rup qemu-kvm-0.15.1/hw/e1000.c me/hw/e1000.c
+--- qemu-kvm-0.15.1/hw/e1000.c	2011-10-19 09:54:48.000000000 -0400
++++ me/hw/e1000.c	2012-05-29 09:28:15.832104874 -0400
+@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1
+             bytes = split_size;
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
++
++            bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+             cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+             if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+                 memmove(tp->header, tp->data, hdr);
+@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1
+         // context descriptor TSE is not set, while data descriptor TSE is set
+         DBGOUT(TXERR, "TCP segmentaion Error\n");
+     } else {
++        split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+         cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+         tp->size += split_size;
+     }
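Review bot: The clamp `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` silently truncates the frame instead of flagging the oversized descriptor, and nothing in the hunk records why that is acceptable; a one-line comment such as `/* guest-controlled length: truncate rather than run past tp->data */` above it (and above the matching clamp on split_size in the second hunk) would make the intent explicit. The clamp also depends on tp->size never exceeding sizeof(tp->data): if both operands are unsigned, as they appear to be, the subtraction would wrap and the MIN would become a no-op, so that invariant is worth stating where tp->size is reset, which is outside the hunk. The patch file carries no header saying which upstream change it backports, whereas the other patch in this commit keeps its full upstream mail; a short description line at the top would help whoever rebases it. process_tx_desc begins and ends outside the hunk.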
diff --git a/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch b/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
new file mode 100644
index 0000000..277e740
--- /dev/null
+++ b/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
@@ -0,0 +1,111 @@
+From qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org  Wed Jan 11 03:51:20 2012
+Return-Path: <qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org>
+Received: from citysiren.linuxtx.org (localhost [127.0.0.1])
+	by citysiren.linuxtx.org (8.14.4/8.14.4) with ESMTP id q0B9pIjw017454
+	for <jmfmail at localhost>; Wed, 11 Jan 2012 03:51:20 -0600
+Delivered-To: jmforbes at linuxtx.org
+Received: from gmail-pop.l.google.com [74.125.81.108]
+	by citysiren.linuxtx.org with POP3 (fetchmail-6.3.20)
+	for <jmfmail at localhost> (single-drop); Wed, 11 Jan 2012 03:51:20 -0600 (CST)
+Received: by 10.180.102.100 with SMTP id fn4cs34060wib;
+        Wed, 11 Jan 2012 01:48:56 -0800 (PST)
+Received: by 10.224.182.2 with SMTP id ca2mr28967033qab.57.1326275334564;
+        Wed, 11 Jan 2012 01:48:54 -0800 (PST)
+Received: from lists.gnu.org (lists.gnu.org. [140.186.70.17])
+        by mx.google.com with ESMTPS id gc3si782557qab.44.2012.01.11.01.48.54
+        (version=TLSv1/SSLv3 cipher=OTHER);
+        Wed, 11 Jan 2012 01:48:54 -0800 (PST)
+Received-SPF: pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org designates 140.186.70.17 as permitted sender) client-ip=140.186.70.17;
+Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org designates 140.186.70.17 as permitted sender) smtp.mail=qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org
+Received: from localhost ([::1]:48473 helo=lists.gnu.org)
+	by lists.gnu.org with esmtp (Exim 4.71)
+	(envelope-from <qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org>)
+	id 1Rkund-0003iT-UQ
+	for jmforbes at linuxtx.org; Wed, 11 Jan 2012 04:48:53 -0500
+Received: from eggs.gnu.org ([140.186.70.92]:40037)
+	by lists.gnu.org with esmtp (Exim 4.71)
+	(envelope-from <pbonzini at redhat.com>) id 1RkunV-0003fY-Vl
+	for qemu-stable at nongnu.org; Wed, 11 Jan 2012 04:48:53 -0500
+Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
+	(envelope-from <pbonzini at redhat.com>) id 1RkunQ-0004zL-Nl
+	for qemu-stable at nongnu.org; Wed, 11 Jan 2012 04:48:45 -0500
+Received: from mx1.redhat.com ([209.132.183.28]:23781)
+	by eggs.gnu.org with esmtp (Exim 4.71)
+	(envelope-from <pbonzini at redhat.com>) id 1RkunQ-0004vY-3c
+	for qemu-stable at nongnu.org; Wed, 11 Jan 2012 04:48:40 -0500
+Received: from int-mx11.intmail.prod.int.phx2.redhat.com
+	(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
+	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0B9mcYI005348
+	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
+	for <qemu-stable at nongnu.org>; Wed, 11 Jan 2012 04:48:38 -0500
+Received: from yakj.usersys.redhat.com (ovpn-112-23.ams2.redhat.com
+	[10.36.112.23])
+	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
+	id q0B9magG031084
+	for <qemu-stable at nongnu.org>; Wed, 11 Jan 2012 04:48:37 -0500
+From: Paolo Bonzini <pbonzini at redhat.com>
+To: qemu-stable at nongnu.org
+Date: Wed, 11 Jan 2012 10:48:33 +0100
+Message-Id: <1326275313-15635-1-git-send-email-pbonzini at redhat.com>
+X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
+X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
+X-Received-From: 209.132.183.28
+Subject: [Qemu-stable] [PATCH] virtio-blk: refuse SG_IO requests with
+	scsi=off
+X-BeenThere: qemu-stable at nongnu.org
+X-Mailman-Version: 2.1.14
+Precedence: list
+List-Id: <qemu-stable.nongnu.org>
+List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-stable>,
+	<mailto:qemu-stable-request at nongnu.org?subject=unsubscribe>
+List-Archive: <http://lists.nongnu.org/archive/html/qemu-stable>
+List-Post: <mailto:qemu-stable at nongnu.org>
+List-Help: <mailto:qemu-stable-request at nongnu.org?subject=help>
+List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-stable>,
+	<mailto:qemu-stable-request at nongnu.org?subject=subscribe>
+Errors-To: qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org
+Sender: qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org
+X-UID: 32                                                 
+Status: RO
+Content-Length: 1003
+Lines: 38
+
+QEMU does have a "scsi" option (to be used like -device
+virtio-blk-pci,drive=foo,scsi=off).  However, it only
+masks the feature bit, and does not reject the command
+if a malicious guest disregards the feature bits and
+issues a request.
+
+Without this patch, using scsi=off does not protect you
+from CVE-2011-4127.
+
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ hw/virtio-blk.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
+index b70d116..6cd3164 100644
+--- a/hw/virtio-blk.c
++++ b/hw/virtio-blk.c
+@@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
+     int status;
+     int i;
+ 
++    if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) {
++        virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP);
++        g_free(req);
++        return;
++    }
++
+     /*
+      * We require at least one output segment each for the virtio_blk_outhdr
+      * and the SCSI command block.
+-- 
+1.7.7.1
+
+
+
+
+
+
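Review bot: The early return releases the request with `g_free(req)`, but this package is at Version 0.15.1 while the patch was posted to qemu-stable in January 2012; if the 0.15.1 tree still allocates requests with qemu_malloc and frees them with qemu_free in the rest of virtio_blk_handle_scsi (outside the hunk), the new path should use the same allocator so the free stays matched. Gating on guest_features rather than the device configuration is what makes the fix hold against a guest that ignores the masked feature bit, and a comment above the check, `/* a guest may ignore the masked feature bit; reject the command, not just the advertisement */`, would spare the next reader a trip to the mail. virtio_blk_handle_scsi continues outside the hunk.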
diff --git a/qemu.spec b/qemu.spec
index 6224bfe..0dc6eef 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,7 +1,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 0.15.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 # Epoch because we pushed a qemu-1.0 package
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -82,6 +82,10 @@ Patch100: qemu-Allow-to-leave-type-on-default-in-machine.patch
 
 # Upstream patches from 1.0
 Patch101: 0101-usb-hub-dont_trigger_assert_on_packet_completion.patch
+# CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075)
+Patch102: %{name}-CVE-2012-0029.patch
+# virtio-blk: refuse SG_IO requests with scsi=off (bz 826042)
+Patch103: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
@@ -335,6 +339,8 @@ such as kvm_stat.
 
 %patch100 -p1
 %patch101 -p1
+%patch102 -p1
+%patch103 -p1
 
 %build
 # By default we build everything, but allow x86 to build a minimal version
@@ -715,6 +721,10 @@ fi
 %{_mandir}/man1/qemu-img.1*
 
 %changelog
+* Tue May 29 2012 Cole Robinson <crobinso at redhat.com> - 0.15.1-5
+- CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075)
+- virtio-blk: refuse SG_IO requests with scsi=off (bz 826042)
+
 * Mon Jan 30 2012 Justin M. Forbes <jforbes at redhat.com> - 2:0.15.1-4
 - Add vhost-net to kvm.modules
 - Fix USB passthrough assert on packet completion (#769625)

