From: Roger Pau Monne To: alpine-devel@lists.alpinelinux.org Cc: Roger Pau Monne Subject: [alpine-devel] [PATCH 2/2] main/xen: security fix CVE-2012-0029 Date: Tue, 21 Feb 2012 17:05:30 +0100 Message-Id: <1329840330-13461-1-git-send-email-roger.pau@entel.upc.edu> X-Mailer: git-send-email 1.7.9 X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: --- main/xen/APKBUILD | 4 +++- main/xen/e1000.patch | 42 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletions(-) create mode 100644 main/xen/e1000.patch diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index 0ec727e..d2ee0b6 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: William Pitcock pkgname=xen pkgver=4.1.2 -pkgrel=4 +pkgrel=5 pkgdesc="Xen hypervisor" url="http://www.xen.org/" arch="x86 x86_64" @@ -24,6 +24,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g pygrub_alpine.patch librt.patch busybox-sed.patch + e1000.patch xencommons.initd xend.initd xendomains.initd" @@ -91,6 +92,7 @@ b973dc1ffcc6872e222b36f3b7b4836b fix_bswap_blktap2.patch a7500c42804abdf68e051dc667e65f93 pygrub_alpine.patch fa06495a175571f4aa3b6cb88937953e librt.patch 1bea3543ddc712330527b62fd9ff6520 busybox-sed.patch +c31163a3cd6cf58b4e9cac0e96812d65 e1000.patch 62b3c5a7cff38c12df2de89af5d83fa1 xencommons.initd b5bfc08b82bc0d21193714719a719798 xend.initd 86e7923383a906404da321d1814657e9 xendomains.initd" diff --git a/main/xen/e1000.patch b/main/xen/e1000.patch new file mode 100644 index 0000000..0be6376 --- /dev/null +++ b/main/xen/e1000.patch 
@@ -0,0 +1,42 @@ +From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001 +From: Ian Campbell +Date: Thu, 2 Feb 2012 13:47:06 +0000 +Subject: [PATCH] e1000: bounds packet size against buffer size + +Otherwise we can write beyond the buffer and corrupt memory. This is tracked +as CVE-2012-0029. + +Signed-off-by: Anthony Liguori + +(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840 + by Ian Campbell.) + +Signed-off-by: Ian Campbell +(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8) +--- + hw/e1000.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +diff --git a/tools/ioemu-qemu-xen/hw/e1000.c b/tools/ioemu-qemu-xen/hw/e1000.c +index bb3689e..97104ed 100644 +--- a/tools/ioemu-qemu-xen/hw/e1000.c ++++ b/tools/ioemu-qemu-xen/hw/e1000.c +@@ -444,6 +444,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + bytes = split_size; + if (tp->size + bytes > msh) + bytes = msh - tp->size; ++ ++ bytes = MIN(sizeof(tp->data) - tp->size, bytes); + cpu_physical_memory_read(addr, tp->data + tp->size, bytes); + if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) + memmove(tp->header, tp->data, hdr); +@@ -459,6 +461,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + // context descriptor TSE is not set, while data descriptor TSE is set + DBGOUT(TXERR, "TCP segmentaion Error\n"); + } else { ++ split_size = MIN(sizeof(tp->data) - tp->size, split_size); + cpu_physical_memory_read(addr, tp->data + tp->size, split_size); + tp->size += split_size; + } +-- +1.7.2.5 -- 1.7.9 --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---
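Review bot: In main/xen/APKBUILD, e1000.patch is added to source= and md5sums, but no hunk touches the step that applies patches. Please confirm the existing logic applies every patch listed in source rather than a fixed set of names; otherwise pkgrel=5 would ship without the CVE-2012-0029 fix. The embedded diff uses the path tools/ioemu-qemu-xen/hw/e1000.c (while its own diffstat says hw/e1000.c), so it has to be applied with -p1 from the top of the xen source tree. The file name e1000.patch also gives no hint of why it exists; a name that carries the CVE id would make later audits of the package easier.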
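Review bot: In the first process_tx_desc hunk, the clamp `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` is only safe while tp->size never exceeds sizeof(tp->data). sizeof yields an unsigned size_t, so if tp->size were ever larger, the subtraction would wrap to a very large value and MIN would leave bytes unchanged. A short comment stating that invariant, or an explicit check before the subtraction, would help. The types of bytes and tp->size are not shown in this hunk, so it is also worth confirming that MIN does not end up as a mixed signed/unsigned comparison.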
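Review bot: In the else branch of the second hunk, `split_size = MIN(sizeof(tp->data) - tp->size, split_size);` truncates an oversized guest descriptor silently, while the branch just above it reports its error through DBGOUT(TXERR, ...). Consider emitting a DBGOUT(TXERR, ...) when the clamp actually reduces split_size, so an overlong transmit request is visible when debugging or investigating a guest. The same applies to the bytes clamp in the previous hunk.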