From: "Andreas Färber" <afaerber@suse.de>
Cc: Anthony Liguori <aliguori@us.ibm.com>,
qemu-stable@nongnu.org, Michael Tokarev <mjt@tls.msk.ru>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Subject: Re: [Qemu-devel] [PATCH] e1000: bounds packet size against buffer size
Date: Thu, 02 Feb 2012 17:00:05 +0100 [thread overview]
Message-ID: <4F2AB305.7000301@suse.de> (raw)
In-Reply-To: <4F2AAAA9.1080308@msgid.tls.msk.ru>
Am 02.02.2012 16:24, schrieb Michael Tokarev:
> On 02.02.2012 15:15, Stefano Stabellini wrote:
>> On Mon, 23 Jan 2012, Anthony Liguori wrote:
>>> Otherwise we can write beyond the buffer and corrupt memory. This is tracked
>>> as CVE-2012-0029.
>>
>> The stable-1.0 branch looks vulnerable too, shouldn't this patch be
>> backported?
>
> This goes on since forever - for example, this patch applies to 0.12
> too (modulo pci_dma_read() changes which makes the context differ).
> It applies cleanly to 1.0 stable.
Therefore we should cc qemu-stable. :)
Andreas
>>> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
>>> ---
>>> hw/e1000.c | 3 +++
>>> 1 files changed, 3 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/hw/e1000.c b/hw/e1000.c
>>> index a29c944..86c5416 100644
>>> --- a/hw/e1000.c
>>> +++ b/hw/e1000.c
>>> @@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>>> bytes = split_size;
>>> if (tp->size + bytes > msh)
>>> bytes = msh - tp->size;
>>> +
>>> + bytes = MIN(sizeof(tp->data) - tp->size, bytes);
>>> pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
>>> if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
>>> memmove(tp->header, tp->data, hdr);
>>> @@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>>> // context descriptor TSE is not set, while data descriptor TSE is set
>>> DBGOUT(TXERR, "TCP segmentaion Error\n");
>>> } else {
>>> + split_size = MIN(sizeof(tp->data) - tp->size, split_size);
>>> pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
>>> tp->size += split_size;
>>> }
>>> --
>>> 1.7.4.1
--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
prev parent reply other threads:[~2012-02-02 16:02 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-23 13:32 [Qemu-devel] [PATCH] e1000: bounds packet size against buffer size Anthony Liguori
2012-02-02 11:15 ` Stefano Stabellini
2012-02-02 15:24 ` Michael Tokarev
2012-02-02 16:00 ` Andreas Färber [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F2AB305.7000301@suse.de \
--to=afaerber@suse.de \
--cc=aliguori@us.ibm.com \
--cc=mjt@tls.msk.ru \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=stefano.stabellini@eu.citrix.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.