[alpine-devel] [PATCH 2/2] main/xen: security fix CVE-2012-0029

From: Roger Pau Monne <roger.pau@entel.upc.edu>
Message ID: <1329840330-13461-1-git-send-email-roger.pau@entel.upc.edu>
Sender timestamp: 1329840330
DKIM signature: missing
Patch: +45 -1
---
 main/xen/APKBUILD    |    4 +++-
 main/xen/e1000.patch |   42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletions(-)
 create mode 100644 main/xen/e1000.patch

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 0ec727e..d2ee0b6 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.1.2
pkgrel=4
pkgrel=5
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86 x86_64"
@@ -24,6 +24,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
	pygrub_alpine.patch
	librt.patch
	busybox-sed.patch
	e1000.patch
	xencommons.initd
	xend.initd
	xendomains.initd"
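Review bot: listing e1000.patch in source= only stages the file; this hunk does not show the prepare/build loop that applies the patches, so confirm it applies e1000.patch at -p1 from the top of the unpacked xen tree. The new file's diff headers are rooted at tools/ioemu-qemu-xen/hw/e1000.c (the path inside the xen-4.1.2 tarball), not at the hw/e1000.c of the upstream qemu commit, so the patch will not apply from inside the ioemu subdirectory.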
@@ -91,6 +92,7 @@ b973dc1ffcc6872e222b36f3b7b4836b  fix_bswap_blktap2.patch
a7500c42804abdf68e051dc667e65f93  pygrub_alpine.patch
fa06495a175571f4aa3b6cb88937953e  librt.patch
1bea3543ddc712330527b62fd9ff6520  busybox-sed.patch
c31163a3cd6cf58b4e9cac0e96812d65  e1000.patch
62b3c5a7cff38c12df2de89af5d83fa1  xencommons.initd
b5bfc08b82bc0d21193714719a719798  xend.initd
86e7923383a906404da321d1814657e9  xendomains.initd"
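Review bot: the md5sum added for e1000.patch has to match the file exactly as committed (including the "-- " / "1.7.2.5" trailer at the end of the new file), so regenerate it with `abuild checksum` after any last-minute edit to the patch header. Since the checksum covers a file that ships in the same tree, it only catches accidental corruption; the upstream commit ids in the patch header (65f82df0d7a71ce1b10cd4c5ab08888d176ac840 and the xen cherry-pick ebe37b2a3f844bad02dcc30d081f39eda06118f8) are what a reviewer should diff against to confirm the backport is faithful.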
diff --git a/main/xen/e1000.patch b/main/xen/e1000.patch
new file mode 100644
index 0000000..0be6376
--- /dev/null
+++ b/main/xen/e1000.patch
@@ -0,0 +1,42 @@
From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001
From: Ian Campbell <Ian.Campbell@citrix.com>
Date: Thu, 2 Feb 2012 13:47:06 +0000
Subject: [PATCH] e1000: bounds packet size against buffer size

Otherwise we can write beyond the buffer and corrupt memory.  This is tracked
as CVE-2012-0029.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840
 by Ian Campbell.)

Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8)
---
 hw/e1000.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/tools/ioemu-qemu-xen/hw/e1000.c b/tools/ioemu-qemu-xen/hw/e1000.c
index bb3689e..97104ed 100644
--- a/tools/ioemu-qemu-xen/hw/e1000.c
+++ b/tools/ioemu-qemu-xen/hw/e1000.c
@@ -444,6 +444,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
             bytes = split_size;
             if (tp->size + bytes > msh)
                 bytes = msh - tp->size;
+
+            bytes = MIN(sizeof(tp->data) - tp->size, bytes);
             cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
             if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
                 memmove(tp->header, tp->data, hdr);
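Review bot: the clamp `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` fixes the overflow by silently truncating an oversized descriptor rather than reporting it; the declarations of `bytes` and `split_size` are outside this hunk, so confirm they are unsigned, because `sizeof(tp->data) - tp->size` is a size_t and a negative `bytes` (possible if `msh - tp->size` on the line above can go negative) would be promoted to a huge value inside MIN's comparison. Consider adding a DBGOUT(TXERR, ...) on the truncation path, matching the one in the next hunk, so a guest pushing the emulated NIC past its transmit buffer leaves a trace in the debug log.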
@@ -459,6 +461,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
         // context descriptor TSE is not set, while data descriptor TSE is set
         DBGOUT(TXERR, "TCP segmentaion Error\n");
     } else {
+        split_size = MIN(sizeof(tp->data) - tp->size, split_size);
         cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
         tp->size += split_size;
     }
-- 
1.7.2.5
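Review bot: the second clamp on split_size bounds the only other cpu_physical_memory_read into tp->data, and since tp->size is only ever advanced by the clamped amounts, tp->size can no longer exceed sizeof(tp->data) and the unsigned subtraction in both MIN calls cannot underflow; it would help future readers to state that invariant in a one-line comment above each clamp, as nothing else in the function documents why truncation is safe. One cosmetic nit: the embedded diffstat says hw/e1000.c while the diff itself is rooted at tools/ioemu-qemu-xen/hw/e1000.c, which is harmless (it is inherited from the upstream commit) but worth knowing when the stat does not match what `patch` reports.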
-- 
1.7.9
---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---