[qemu/f16] CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)
Cole Robinson
crobinso at fedoraproject.org
Wed Jan 16 15:49:40 UTC 2013
commit 259bd795288570a5458b6d57f71b688fd35cc61e
Author: Cole Robinson <crobinso at redhat.com>
Date: Wed Jan 16 10:49:35 2013 -0500
CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)
...iscard-oversized-packets-based-on-SBP-LPE.patch | 89 ++++++++++++++++++++
qemu.spec | 8 ++-
2 files changed, 96 insertions(+), 1 deletions(-)
---
diff --git a/0001-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch b/0001-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch
new file mode 100644
index 0000000..c552128
--- /dev/null
+++ b/0001-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch
@@ -0,0 +1,89 @@
+From 55c6a5611acc88b9c97fff3324fc743fafc6d0c7 Mon Sep 17 00:00:00 2001
+From: Michael Contreras <michael at inetric.com>
+Date: Sun, 2 Dec 2012 20:11:22 -0800
+Subject: [PATCH] e1000: Discard packets that are too long if !SBP and !LPE
+
+The e1000_receive function for the e1000 needs to discard packets longer than
+1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
+this behavior and allocates memory based on this assumption.
+
+Signed-off-by: Michael Contreras <michael at inetric.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit b0d9ffcd0251161c7c92f94804dcf599dfa3edeb)
+
+Signed-off-by: Michael Roth <mdroth at linux.vnet.ibm.com>
+---
+ hw/e1000.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 4d4ac32..b1d8508 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -59,6 +59,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+ #define PNPMMIO_SIZE 0x20000
+ #define MIN_BUF_SIZE 60 /* Min. octets in an ethernet frame sans FCS */
+
++/* this is the size past which hardware will drop packets when setting LPE=0 */
++#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++
+ /*
+ * HW models:
+ * E1000_DEV_ID_82540EM works with Windows and Linux
+@@ -795,6 +798,13 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+ size = sizeof(min_buf);
+ }
+
++ /* Discard oversized packets if !LPE and !SBP. */
++ if (size > MAXIMUM_ETHERNET_VLAN_SIZE
++ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++ && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
++ return size;
++ }
++
+ if (!receive_filter(s, buf, size))
+ return size;
+
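Review bot: the gate added in this hunk bounds `size` only in the !LPE case; with E1000_RCTL_LPE set in RCTL there is still no upper limit at this point, which is exactly what the follow-up commit 2c0331f in the same file (MAXIMUM_ETHERNET_LPE_SIZE 16384) closes, so the first patch should not be shipped without the second. Placing the check after the `min_buf` padding and before `receive_filter()` is the right order, since `size` has already been normalised to at least the minimum frame length.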
+--
+1.8.1
+From 2c0331f4f7d241995452b99afaf0aab00493334a Mon Sep 17 00:00:00 2001
+From: Michael Contreras <michael at inetric.com>
+Date: Wed, 5 Dec 2012 13:31:30 -0500
+Subject: [PATCH] e1000: Discard oversized packets based on SBP|LPE
+
+Discard packets longer than 16384 when !SBP to match the hardware behavior.
+
+Signed-off-by: Michael Contreras <michael at inetric.com>
+Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
+---
+ hw/e1000.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 92fb00a..8fd1654 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -61,6 +61,8 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+
+ /* this is the size past which hardware will drop packets when setting LPE=0 */
+ #define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++/* this is the size past which hardware will drop packets when setting LPE=1 */
++#define MAXIMUM_ETHERNET_LPE_SIZE 16384
+
+ /*
+ * HW models:
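Review bot: the new comment on MAXIMUM_ETHERNET_LPE_SIZE reads as if the 16384 limit applies only "when setting LPE=1", but the commit message says packets longer than 16384 are discarded whenever !SBP, regardless of LPE. Suggest wording it "the size past which hardware will drop packets even with LPE=1" so the two defines read as nested bounds rather than two alternatives.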
+@@ -809,8 +811,9 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+ }
+
+ /* Discard oversized packets if !LPE and !SBP. */
+- if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+- && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++ if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
++ (size > MAXIMUM_ETHERNET_VLAN_SIZE
++ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
+ && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+ return size;
+ }
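Review bot: the comment `/* Discard oversized packets if !LPE and !SBP. */` kept unchanged at the top of this hunk is now stale, since the new condition also drops any frame over MAXIMUM_ETHERNET_LPE_SIZE with LPE set; suggest `/* Discard oversized packets if !SBP; with !LPE the limit is 1522. */`. SBP still bypasses both bounds, so everything after this point in e1000_receive() has to tolerate an arbitrarily large `size` whenever a guest sets E1000_RCTL_SBP; that path is not visible in this hunk and is worth confirming separately.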
+--
+1.8.1
+
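The gate the two patches converge on, modelled as a stand-alone C program so the boundary cases can be checked without building QEMU. This is an added illustration for this page, not code from hw/e1000.c or from the patch authors: the RCTL bit values follow the Intel RCTL register layout rather than QEMU's e1000_hw.h, the list of frame lengths is constructed, and the function and enum names are this example's own. It also models the intermediate state after only the first patch, to show the LPE=1 gap the second patch closes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Thresholds, as introduced by the two patches. */
#define MAXIMUM_ETHERNET_VLAN_SIZE 1522   /* hardware drops above this when LPE=0 */
#define MAXIMUM_ETHERNET_LPE_SIZE  16384  /* hardware drops above this even when LPE=1 */

/* RCTL bits. Values follow the Intel RCTL register layout (SBP = bit 2,
 * LPE = bit 5); QEMU keeps its own definitions in hw/e1000_hw.h, which this
 * example deliberately does not include. */
#define E1000_RCTL_SBP 0x00000004u
#define E1000_RCTL_LPE 0x00000020u

/* Which version of the receive gate to model (names are this example's own). */
enum gate_stage {
    GATE_UNPATCHED,   /* no upper bound on incoming frames at all */
    GATE_PATCH1,      /* 55c6a56: >1522 dropped when !LPE && !SBP */
    GATE_PATCH2,      /* 2c0331f: additionally >16384 dropped when !SBP */
};

/* Returns true when the gate discards a frame of `size` bytes under `rctl`. */
static bool e1000_drops_frame(enum gate_stage stage, uint32_t rctl, size_t size)
{
    bool lpe = (rctl & E1000_RCTL_LPE) != 0;
    bool sbp = (rctl & E1000_RCTL_SBP) != 0;

    switch (stage) {
    case GATE_UNPATCHED:
        return false;
    case GATE_PATCH1:
        return size > MAXIMUM_ETHERNET_VLAN_SIZE && !lpe && !sbp;
    case GATE_PATCH2:
        return (size > MAXIMUM_ETHERNET_LPE_SIZE ||
                (size > MAXIMUM_ETHERNET_VLAN_SIZE && !lpe)) && !sbp;
    }
    return false;
}

/* A constructed stream of frame lengths such as a peer on the same bridge
 * might send: legal sizes, the 1522/1523 and 16384/16385 boundaries, a jumbo
 * frame and one far past any hardware limit. Returns how many of the eight
 * the gate lets through to the rest of the receive path. */
static int e1000_count_delivered(enum gate_stage stage, uint32_t rctl)
{
    static const size_t lengths[] = { 60, 1514, 1522, 1523, 9000, 16384, 16385, 65535 };
    int delivered = 0;

    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        if (!e1000_drops_frame(stage, rctl, lengths[i]))
            delivered++;
    return delivered;
}

int main(void)
{
    const uint32_t rctls[] = { 0, E1000_RCTL_LPE, E1000_RCTL_SBP };
    const char *names[] = { "LPE=0 SBP=0", "LPE=1 SBP=0", "LPE=0 SBP=1" };

    for (int r = 0; r < 3; r++)
        printf("%-12s unpatched=%d patch1=%d patch2=%d (of 8 frames delivered)\n",
               names[r],
               e1000_count_delivered(GATE_UNPATCHED, rctls[r]),
               e1000_count_delivered(GATE_PATCH1, rctls[r]),
               e1000_count_delivered(GATE_PATCH2, rctls[r]));
    return 0;
}
```

The row for LPE=1 is the one that motivated the second patch: after the first patch alone every length in the list is still delivered with LPE set, while after the second only the two frames above 16384 are dropped. The SBP row is unchanged by both patches, which is the documented hardware behaviour but also means that path never benefits from either bound.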
diff --git a/qemu.spec b/qemu.spec
index d4de9de..43f7c9f 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,7 +1,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 0.15.1
-Release: 8%{?dist}
+Release: 9%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
@@ -135,6 +135,8 @@ Patch242: %{name}-spice-server-threading.patch
Patch243: %{name}-fix-text-mode-screendumps.patch
# CVE-2012-3515 VT100 emulation vulnerability (bz 854600, bz 851252)
Patch244: 0244-console-bounds-check-whenever-changing-the-cursor-du.patch
+# CVE-2012-6075: Buffer overflow in e1000 nic (bz 889301, bz 889304)
+Patch245: 0001-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
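Review bot: the single file registered as Patch245 carries two upstream commits back to back (55c6a56 and 2c0331f), so one `%patch245 -p1` applies both; patch(1) copes with that, but it hides the second fix from anyone auditing the spec and the `0001-` prefix does not follow the `0244-` numbering of the neighbouring entry. Suggest splitting the file into two patches, e.g. `Patch245: 0245-e1000-Discard-packets-that-are-too-long-if-SBP-and-LPE.patch` and `Patch246: 0246-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch`, each applied on its own line, so the CVE comment can point at both upstream commits.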
@@ -438,6 +440,7 @@ such as kvm_stat.
%patch242 -p1
%patch243 -p1
%patch244 -p1
+%patch245 -p1
%build
# By default we build everything, but allow x86 to build a minimal version
@@ -826,6 +829,9 @@ fi
%{_mandir}/man1/qemu-img.1*
%changelog
+* Wed Jan 16 2013 Cole Robinson <crobinso at redhat.com> - 2:0.15.1-9
+- CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)
+
* Sun Oct 07 2012 Cole Robinson <crobinso at redhat.com> - 0.15.1-8
- CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252)
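Review bot: the new changelog entry writes the version with the epoch (`2:0.15.1-9`) while the entry immediately below it omits it (`0.15.1-8`); since the spec declares `Epoch: 2`, the epoch-qualified form is the correct one, but the two adjacent entries should at least agree.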