From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:46548)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mjt@tls.msk.ru>) id 1RsyWU-00039w-49
	for qemu-devel@nongnu.org; Thu, 02 Feb 2012 10:24:39 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mjt@tls.msk.ru>) id 1RsyWT-0002rL-4M
	for qemu-devel@nongnu.org; Thu, 02 Feb 2012 10:24:30 -0500
Received: from isrv.corpit.ru ([86.62.121.231]:56362)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mjt@tls.msk.ru>) id 1RsyWS-0002rH-TM
	for qemu-devel@nongnu.org; Thu, 02 Feb 2012 10:24:29 -0500
Message-ID: <4F2AAAA9.1080308@msgid.tls.msk.ru>
Date: Thu, 02 Feb 2012 19:24:25 +0400
From: Michael Tokarev <mjt@tls.msk.ru>
MIME-Version: 1.0
References: <1327325535-3177-1-git-send-email-aliguori@us.ibm.com>
	<alpine.DEB.2.00.1202021113270.3196@kaball-desktop>
In-Reply-To: <alpine.DEB.2.00.1202021113270.3196@kaball-desktop>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] e1000: bounds packet size against buffer
 size
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Anthony Liguori <aliguori@us.ibm.com>, "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>

On 02.02.2012 15:15, Stefano Stabellini wrote:
> On Mon, 23 Jan 2012, Anthony Liguori wrote:
>> Otherwise we can write beyond the buffer and corrupt memory.  This is tracked
>> as CVE-2012-0029.
> 
> The stable-1.0 branch looks vulnerable too, shouldn't this patch be
> backported?

This goes on since forever - for example, this patch applies to 0.12
too (modulo pci_dma_read() changes which makes the context differ).
It applies cleanly to 1.0 stable.

/mjt

>> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
>> ---
>>  hw/e1000.c |    3 +++
>>  1 files changed, 3 insertions(+), 0 deletions(-)
>>
>> diff --git a/hw/e1000.c b/hw/e1000.c
>> index a29c944..86c5416 100644
>> --- a/hw/e1000.c
>> +++ b/hw/e1000.c
>> @@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>>              bytes = split_size;
>>              if (tp->size + bytes > msh)
>>                  bytes = msh - tp->size;
>> +
>> +            bytes = MIN(sizeof(tp->data) - tp->size, bytes);
>>              pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
>>              if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
>>                  memmove(tp->header, tp->data, hdr);
>> @@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>>          // context descriptor TSE is not set, while data descriptor TSE is set
>>          DBGOUT(TXERR, "TCP segmentaion Error\n");
>>      } else {
>> +        split_size = MIN(sizeof(tp->data) - tp->size, split_size);
>>          pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
>>          tp->size += split_size;
>>      }
>> -- 
>> 1.7.4.1
>>
>>
>