[qemu/f16] CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)

Cole Robinson crobinso at fedoraproject.org
Wed Jan 16 15:49:40 UTC 2013


commit 259bd795288570a5458b6d57f71b688fd35cc61e
Author: Cole Robinson <crobinso at redhat.com>
Date:   Wed Jan 16 10:49:35 2013 -0500

    CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)

 ...iscard-oversized-packets-based-on-SBP-LPE.patch |   89 ++++++++++++++++++++
 qemu.spec                                          |    8 ++-
 2 files changed, 96 insertions(+), 1 deletions(-)
---
diff --git a/0001-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch b/0001-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch
new file mode 100644
index 0000000..c552128
--- /dev/null
+++ b/0001-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch
@@ -0,0 +1,89 @@
+From 55c6a5611acc88b9c97fff3324fc743fafc6d0c7 Mon Sep 17 00:00:00 2001
+From: Michael Contreras <michael at inetric.com>
+Date: Sun, 2 Dec 2012 20:11:22 -0800
+Subject: [PATCH] e1000: Discard packets that are too long if !SBP and !LPE
+
+The e1000_receive function for the e1000 needs to discard packets longer than
+1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
+this behavior and allocates memory based on this assumption.
+
+Signed-off-by: Michael Contreras <michael at inetric.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit b0d9ffcd0251161c7c92f94804dcf599dfa3edeb)
+
+Signed-off-by: Michael Roth <mdroth at linux.vnet.ibm.com>
+---
+ hw/e1000.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 4d4ac32..b1d8508 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -59,6 +59,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+ #define PNPMMIO_SIZE      0x20000
+ #define MIN_BUF_SIZE      60 /* Min. octets in an ethernet frame sans FCS */
+ 
++/* this is the size past which hardware will drop packets when setting LPE=0 */
++#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++
+ /*
+  * HW models:
+  *  E1000_DEV_ID_82540EM works with Windows and Linux
+@@ -795,6 +798,13 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+         size = sizeof(min_buf);
+     }
+ 
++    /* Discard oversized packets if !LPE and !SBP. */
++    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
++        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++        && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
++        return size;
++    }
++
+     if (!receive_filter(s, buf, size))
+         return size;
+ 
+-- 
+1.8.1
+From 2c0331f4f7d241995452b99afaf0aab00493334a Mon Sep 17 00:00:00 2001
+From: Michael Contreras <michael at inetric.com>
+Date: Wed, 5 Dec 2012 13:31:30 -0500
+Subject: [PATCH] e1000: Discard oversized packets based on SBP|LPE
+
+Discard packets longer than 16384 when !SBP to match the hardware behavior.
+
+Signed-off-by: Michael Contreras <michael at inetric.com>
+Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
+---
+ hw/e1000.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 92fb00a..8fd1654 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -61,6 +61,8 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+ 
+ /* this is the size past which hardware will drop packets when setting LPE=0 */
+ #define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++/* this is the size past which hardware will drop packets when setting LPE=1 */
++#define MAXIMUM_ETHERNET_LPE_SIZE 16384
+ 
+ /*
+  * HW models:
+@@ -809,8 +811,9 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+     }
+ 
+     /* Discard oversized packets if !LPE and !SBP. */
+-    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+-        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++    if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
++        (size > MAXIMUM_ETHERNET_VLAN_SIZE
++        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
+         && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+         return size;
+     }
+-- 
+1.8.1
+
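Review bot: The context comment `/* Discard oversized packets if !LPE and !SBP. */` kept just above the rewritten condition in the second nested patch is now stale: the condition also drops anything over MAXIMUM_ETHERNET_LPE_SIZE whatever LPE is, and SBP alone bypasses both limits. I would rewrite it as `/* Discard oversized packets: > MAXIMUM_ETHERNET_LPE_SIZE always, > MAXIMUM_ETHERNET_VLAN_SIZE when !LPE; SBP=1 lets either through. */`. Because SBP=1 still forwards frames of any length, whether the receive path copies them safely then depends on code after this check, and e1000_receive continues outside the hunk, so that cannot be judged here. The file also concatenates two format-patch mails with no separator between the `1.8.1` trailer and the next `From` line; `patch -p1` copes with that, but a one-line comment in the spec saying the file carries two upstream commits, or one file per commit, would make that obvious to the next packager.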
diff --git a/qemu.spec b/qemu.spec
index d4de9de..43f7c9f 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,7 +1,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 0.15.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -135,6 +135,8 @@ Patch242: %{name}-spice-server-threading.patch
 Patch243: %{name}-fix-text-mode-screendumps.patch
 # CVE-2012-3515 VT100 emulation vulnerability (bz 854600, bz 851252)
 Patch244: 0244-console-bounds-check-whenever-changing-the-cursor-du.patch
+# CVE-2012-6075: Buffer overflow in e1000 nic (bz 889301, bz 889304)
+Patch245: 0001-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
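Review bot: The new `Patch245:` line points at `0001-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch`, while the neighbouring entry pairs its number with the file name (`Patch244: 0244-console-…`); renaming the file to `0245-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch` would keep the `Patch<N>`/`0<N>-` convention consistent. The added file also carries two upstream commits but its name reflects only the second subject, so extending the comment line to `# CVE-2012-6075: Buffer overflow in e1000 nic (bz 889301, bz 889304); two upstream commits, see the From lines in the patch` would make the first fix findable when grepping.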
@@ -438,6 +440,7 @@ such as kvm_stat.
 %patch242 -p1
 %patch243 -p1
 %patch244 -p1
+%patch245 -p1
 
 %build
 # By default we build everything, but allow x86 to build a minimal version
@@ -826,6 +829,9 @@ fi
 %{_mandir}/man1/qemu-img.1*
 
 %changelog
+* Wed Jan 16 2013 Cole Robinson <crobinso at redhat.com> - 2:0.15.1-9
+- CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)
+
 * Sun Oct 07 2012 Cole Robinson <crobinso at redhat.com> - 0.15.1-8
 - CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252)
 

