
[alpine-devel] [PATCH 2/2] main/xen: security fix CVE-2012-0029

Roger Pau Monne
Message ID
<1329840330-13461-1-git-send-email-roger.pau@entel.upc.edu>
Sender timestamp
1329840330
DKIM signature
missing
Patch: +45 -1
---
 main/xen/APKBUILD    |    4 +++-
 main/xen/e1000.patch |   42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletions(-)
 create mode 100644 main/xen/e1000.patch

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index 0ec727e..d2ee0b6 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.1.2
-pkgrel=4
+pkgrel=5
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86 x86_64"
@@ -24,6 +24,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
 	pygrub_alpine.patch
 	librt.patch
 	busybox-sed.patch
+	e1000.patch
 	xencommons.initd
 	xend.initd
 	xendomains.initd"
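Review bot: Nothing visible in this patch shows e1000.patch actually being applied to the source tree: this hunk only lists it in `source`, and no hunk touches the prepare or build steps, which lie outside the visible lines. If the APKBUILD already applies every `*.patch` entry from a loop this is sufficient, but for a CVE fix it is worth confirming that, and confirming the strip level, since the paths inside the patch begin with `a/tools/ioemu-qemu-xen/`. Checking the built qemu-dm source for the new `MIN(sizeof(tp->data) - tp->size, ...)` lines would verify that the fix shipped.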
@@ -91,6 +92,7 @@ b973dc1ffcc6872e222b36f3b7b4836b  fix_bswap_blktap2.patch
 a7500c42804abdf68e051dc667e65f93  pygrub_alpine.patch
 fa06495a175571f4aa3b6cb88937953e  librt.patch
 1bea3543ddc712330527b62fd9ff6520  busybox-sed.patch
+c31163a3cd6cf58b4e9cac0e96812d65  e1000.patch
 62b3c5a7cff38c12df2de89af5d83fa1  xencommons.initd
 b5bfc08b82bc0d21193714719a719798  xend.initd
 86e7923383a906404da321d1814657e9  xendomains.initd"
diff --git a/main/xen/e1000.patch b/main/xen/e1000.patch
new file mode 100644
index 0000000..0be6376
--- /dev/null
+++ b/main/xen/e1000.patch
@@ -0,0 +1,42 @@
+From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <Ian.Campbell@citrix.com>
+Date: Thu, 2 Feb 2012 13:47:06 +0000
+Subject: [PATCH] e1000: bounds packet size against buffer size
+
+Otherwise we can write beyond the buffer and corrupt memory.  This is tracked
+as CVE-2012-0029.
+
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+
+(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840
+ by Ian Campbell.)
+
+Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
+(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8)
+---
+ hw/e1000.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/tools/ioemu-qemu-xen/hw/e1000.c b/tools/ioemu-qemu-xen/hw/e1000.c
+index bb3689e..97104ed 100644
+--- a/tools/ioemu-qemu-xen/hw/e1000.c
+@@ -444,6 +444,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+             bytes = split_size;
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
++
++            bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+             cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+             if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+                 memmove(tp->header, tp->data, hdr);
+@@ -459,6 +461,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         // context descriptor TSE is not set, while data descriptor TSE is set
+         DBGOUT(TXERR, "TCP segmentaion Error\n");
+     } else {
++        split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+         cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+         tp->size += split_size;
+     }
+-- 
+1.7.2.5
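Review bot: Both added clamps compute `sizeof(tp->data) - tp->size` in unsigned arithmetic, so they bound the copy only as long as `tp->size` can never exceed the buffer size; the declarations are outside the hunks, so that invariant should be confirmed, or asserted where `tp->size` is updated. The clamp also shortens a guest-supplied length silently; emitting something like `DBGOUT(TXERR, "TX data truncated to buffer size\n");` when the MIN takes effect would leave a trace of a guest submitting oversized descriptors. In the first hunk `bytes` can now become zero once the buffer is full, and if that statement sits in a loop that advances by `bytes` (the loop header is not visible here), its termination condition should be rechecked. process_tx_desc starts and ends outside both hunks.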
-- 
1.7.9


