[qemu/f16] CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) virtio-blk: refuse SG_IO requests with sc
Cole Robinson
crobinso at fedoraproject.org
Tue May 29 13:47:44 UTC 2012
commit 20c0da0067c56f83fc34e5057af2ab1c89269b25
Author: Cole Robinson <crobinso at redhat.com>
Date: Tue May 29 09:47:40 2012 -0400
CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075)
virtio-blk: refuse SG_IO requests with scsi=off (bz 826042)
qemu-CVE-2012-0029.patch | 20 ++++
...o-blk_refuse_SG_IO_requests_with_scsi_off.patch | 111 ++++++++++++++++++++
qemu.spec | 12 ++-
3 files changed, 142 insertions(+), 1 deletions(-)
---
diff --git a/qemu-CVE-2012-0029.patch b/qemu-CVE-2012-0029.patch
new file mode 100644
index 0000000..d0c66b5
--- /dev/null
+++ b/qemu-CVE-2012-0029.patch
@@ -0,0 +1,20 @@
+diff -rup qemu-kvm-0.15.1/hw/e1000.c me/hw/e1000.c
+--- qemu-kvm-0.15.1/hw/e1000.c 2011-10-19 09:54:48.000000000 -0400
++++ me/hw/e1000.c 2012-05-29 09:28:15.832104874 -0400
+@@ -472,6 +472,8 @@ process_tx_desc(E1000State *s, struct e1
+ bytes = split_size;
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+ cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+ if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+ memmove(tp->header, tp->data, hdr);
+@@ -487,6 +489,7 @@ process_tx_desc(E1000State *s, struct e1
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
+ } else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+ cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+ tp->size += split_size;
+ }
diff --git a/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch b/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
new file mode 100644
index 0000000..277e740
--- /dev/null
+++ b/qemu-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
@@ -0,0 +1,111 @@
+From qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org Wed Jan 11 03:51:20 2012
+Return-Path: <qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org>
+Received: from citysiren.linuxtx.org (localhost [127.0.0.1])
+ by citysiren.linuxtx.org (8.14.4/8.14.4) with ESMTP id q0B9pIjw017454
+ for <jmfmail at localhost>; Wed, 11 Jan 2012 03:51:20 -0600
+Delivered-To: jmforbes at linuxtx.org
+Received: from gmail-pop.l.google.com [74.125.81.108]
+ by citysiren.linuxtx.org with POP3 (fetchmail-6.3.20)
+ for <jmfmail at localhost> (single-drop); Wed, 11 Jan 2012 03:51:20 -0600 (CST)
+Received: by 10.180.102.100 with SMTP id fn4cs34060wib;
+ Wed, 11 Jan 2012 01:48:56 -0800 (PST)
+Received: by 10.224.182.2 with SMTP id ca2mr28967033qab.57.1326275334564;
+ Wed, 11 Jan 2012 01:48:54 -0800 (PST)
+Received: from lists.gnu.org (lists.gnu.org. [140.186.70.17])
+ by mx.google.com with ESMTPS id gc3si782557qab.44.2012.01.11.01.48.54
+ (version=TLSv1/SSLv3 cipher=OTHER);
+ Wed, 11 Jan 2012 01:48:54 -0800 (PST)
+Received-SPF: pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org designates 140.186.70.17 as permitted sender) client-ip=140.186.70.17;
+Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org designates 140.186.70.17 as permitted sender) smtp.mail=qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org
+Received: from localhost ([::1]:48473 helo=lists.gnu.org)
+ by lists.gnu.org with esmtp (Exim 4.71)
+ (envelope-from <qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org>)
+ id 1Rkund-0003iT-UQ
+ for jmforbes at linuxtx.org; Wed, 11 Jan 2012 04:48:53 -0500
+Received: from eggs.gnu.org ([140.186.70.92]:40037)
+ by lists.gnu.org with esmtp (Exim 4.71)
+ (envelope-from <pbonzini at redhat.com>) id 1RkunV-0003fY-Vl
+ for qemu-stable at nongnu.org; Wed, 11 Jan 2012 04:48:53 -0500
+Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
+ (envelope-from <pbonzini at redhat.com>) id 1RkunQ-0004zL-Nl
+ for qemu-stable at nongnu.org; Wed, 11 Jan 2012 04:48:45 -0500
+Received: from mx1.redhat.com ([209.132.183.28]:23781)
+ by eggs.gnu.org with esmtp (Exim 4.71)
+ (envelope-from <pbonzini at redhat.com>) id 1RkunQ-0004vY-3c
+ for qemu-stable at nongnu.org; Wed, 11 Jan 2012 04:48:40 -0500
+Received: from int-mx11.intmail.prod.int.phx2.redhat.com
+ (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
+ by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0B9mcYI005348
+ (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
+ for <qemu-stable at nongnu.org>; Wed, 11 Jan 2012 04:48:38 -0500
+Received: from yakj.usersys.redhat.com (ovpn-112-23.ams2.redhat.com
+ [10.36.112.23])
+ by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
+ id q0B9magG031084
+ for <qemu-stable at nongnu.org>; Wed, 11 Jan 2012 04:48:37 -0500
+From: Paolo Bonzini <pbonzini at redhat.com>
+To: qemu-stable at nongnu.org
+Date: Wed, 11 Jan 2012 10:48:33 +0100
+Message-Id: <1326275313-15635-1-git-send-email-pbonzini at redhat.com>
+X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
+X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
+X-Received-From: 209.132.183.28
+Subject: [Qemu-stable] [PATCH] virtio-blk: refuse SG_IO requests with
+ scsi=off
+X-BeenThere: qemu-stable at nongnu.org
+X-Mailman-Version: 2.1.14
+Precedence: list
+List-Id: <qemu-stable.nongnu.org>
+List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-stable>,
+ <mailto:qemu-stable-request at nongnu.org?subject=unsubscribe>
+List-Archive: <http://lists.nongnu.org/archive/html/qemu-stable>
+List-Post: <mailto:qemu-stable at nongnu.org>
+List-Help: <mailto:qemu-stable-request at nongnu.org?subject=help>
+List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-stable>,
+ <mailto:qemu-stable-request at nongnu.org?subject=subscribe>
+Errors-To: qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org
+Sender: qemu-stable-bounces+jmforbes=linuxtx.org at nongnu.org
+X-UID: 32
+Status: RO
+Content-Length: 1003
+Lines: 38
+
+QEMU does have a "scsi" option (to be used like -device
+virtio-blk-pci,drive=foo,scsi=off). However, it only
+masks the feature bit, and does not reject the command
+if a malicious guest disregards the feature bits and
+issues a request.
+
+Without this patch, using scsi=off does not protect you
+from CVE-2011-4127.
+
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ hw/virtio-blk.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
+index b70d116..6cd3164 100644
+--- a/hw/virtio-blk.c
++++ b/hw/virtio-blk.c
+@@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
+ int status;
+ int i;
+
++ if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) {
++ virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP);
++ g_free(req);
++ return;
++ }
++
+ /*
+ * We require at least one output segment each for the virtio_blk_outhdr
+ * and the SCSI command block.
+--
+1.7.7.1
+
+
+
+
+
+
diff --git a/qemu.spec b/qemu.spec
index 6224bfe..0dc6eef 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,7 +1,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 0.15.1
-Release: 4%{?dist}
+Release: 5%{?dist}
# Epoch because we pushed a qemu-1.0 package
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
@@ -82,6 +82,10 @@ Patch100: qemu-Allow-to-leave-type-on-default-in-machine.patch
# Upstream patches from 1.0
Patch101: 0101-usb-hub-dont_trigger_assert_on_packet_completion.patch
+# CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075)
+Patch102: %{name}-CVE-2012-0029.patch
+# virtio-blk: refuse SG_IO requests with scsi=off (bz 826042)
+Patch103: %{name}-virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
@@ -335,6 +339,8 @@ such as kvm_stat.
%patch100 -p1
%patch101 -p1
+%patch102 -p1
+%patch103 -p1
%build
# By default we build everything, but allow x86 to build a minimal version
@@ -715,6 +721,10 @@ fi
%{_mandir}/man1/qemu-img.1*
%changelog
+* Tue May 29 2012 Cole Robinson <crobinso at redhat.com> - 0.15.1-5
+- CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075)
+- virtio-blk: refuse SG_IO requests with scsi=off (bz 826042)
+
* Mon Jan 30 2012 Justin M. Forbes <jforbes at redhat.com> - 2:0.15.1-4
- Add vhost-net to kvm.modules
- Fix USB passthrough assert on packet completion (#769625)
More information about the scm-commits
mailing list