* [Qemu-devel] [PATCH] e1000: bounds packet size against buffer size
@ 2012-01-23 13:32 Anthony Liguori
2012-02-02 11:15 ` Stefano Stabellini
0 siblings, 1 reply; 4+ messages in thread
From: Anthony Liguori @ 2012-01-23 13:32 UTC (permalink / raw)
To: qemu-devel; +Cc: Anthony Liguori
Otherwise we can write beyond the buffer and corrupt memory. This is tracked
as CVE-2012-0029.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---
hw/e1000.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/hw/e1000.c b/hw/e1000.c
index a29c944..86c5416 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
bytes = split_size;
if (tp->size + bytes > msh)
bytes = msh - tp->size;
+
+ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
memmove(tp->header, tp->data, hdr);
@@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentaion Error\n");
} else {
+ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
tp->size += split_size;
}
--
1.7.4.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [PATCH] e1000: bounds packet size against buffer size
2012-01-23 13:32 [Qemu-devel] [PATCH] e1000: bounds packet size against buffer size Anthony Liguori
@ 2012-02-02 11:15 ` Stefano Stabellini
2012-02-02 15:24 ` Michael Tokarev
0 siblings, 1 reply; 4+ messages in thread
From: Stefano Stabellini @ 2012-02-02 11:15 UTC (permalink / raw)
To: Anthony Liguori; +Cc: qemu-devel@nongnu.org
On Mon, 23 Jan 2012, Anthony Liguori wrote:
> Otherwise we can write beyond the buffer and corrupt memory. This is tracked
> as CVE-2012-0029.
The stable-1.0 branch looks vulnerable too, shouldn't this patch be
backported?
> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
> ---
> hw/e1000.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/hw/e1000.c b/hw/e1000.c
> index a29c944..86c5416 100644
> --- a/hw/e1000.c
> +++ b/hw/e1000.c
> @@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
> bytes = split_size;
> if (tp->size + bytes > msh)
> bytes = msh - tp->size;
> +
> + bytes = MIN(sizeof(tp->data) - tp->size, bytes);
> pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
> if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
> memmove(tp->header, tp->data, hdr);
> @@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
> // context descriptor TSE is not set, while data descriptor TSE is set
> DBGOUT(TXERR, "TCP segmentaion Error\n");
> } else {
> + split_size = MIN(sizeof(tp->data) - tp->size, split_size);
> pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
> tp->size += split_size;
> }
> --
> 1.7.4.1
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [PATCH] e1000: bounds packet size against buffer size
2012-02-02 11:15 ` Stefano Stabellini
@ 2012-02-02 15:24 ` Michael Tokarev
2012-02-02 16:00 ` Andreas Färber
0 siblings, 1 reply; 4+ messages in thread
From: Michael Tokarev @ 2012-02-02 15:24 UTC (permalink / raw)
To: Stefano Stabellini; +Cc: Anthony Liguori, qemu-devel@nongnu.org
On 02.02.2012 15:15, Stefano Stabellini wrote:
> On Mon, 23 Jan 2012, Anthony Liguori wrote:
>> Otherwise we can write beyond the buffer and corrupt memory. This is tracked
>> as CVE-2012-0029.
>
> The stable-1.0 branch looks vulnerable too, shouldn't this patch be
> backported?
This goes on since forever - for example, this patch applies to 0.12
too (modulo pci_dma_read() changes which makes the context differ).
It applies cleanly to 1.0 stable.
/mjt
>> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
>> ---
>> hw/e1000.c | 3 +++
>> 1 files changed, 3 insertions(+), 0 deletions(-)
>>
>> diff --git a/hw/e1000.c b/hw/e1000.c
>> index a29c944..86c5416 100644
>> --- a/hw/e1000.c
>> +++ b/hw/e1000.c
>> @@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>> bytes = split_size;
>> if (tp->size + bytes > msh)
>> bytes = msh - tp->size;
>> +
>> + bytes = MIN(sizeof(tp->data) - tp->size, bytes);
>> pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
>> if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
>> memmove(tp->header, tp->data, hdr);
>> @@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>> // context descriptor TSE is not set, while data descriptor TSE is set
>> DBGOUT(TXERR, "TCP segmentaion Error\n");
>> } else {
>> + split_size = MIN(sizeof(tp->data) - tp->size, split_size);
>> pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
>> tp->size += split_size;
>> }
>> --
>> 1.7.4.1
>>
>>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [PATCH] e1000: bounds packet size against buffer size
2012-02-02 15:24 ` Michael Tokarev
@ 2012-02-02 16:00 ` Andreas Färber
0 siblings, 0 replies; 4+ messages in thread
From: Andreas Färber @ 2012-02-02 16:00 UTC (permalink / raw)
Cc: Anthony Liguori, qemu-stable, Michael Tokarev,
qemu-devel@nongnu.org, Stefano Stabellini
Am 02.02.2012 16:24, schrieb Michael Tokarev:
> On 02.02.2012 15:15, Stefano Stabellini wrote:
>> On Mon, 23 Jan 2012, Anthony Liguori wrote:
>>> Otherwise we can write beyond the buffer and corrupt memory. This is tracked
>>> as CVE-2012-0029.
>>
>> The stable-1.0 branch looks vulnerable too, shouldn't this patch be
>> backported?
>
> This goes on since forever - for example, this patch applies to 0.12
> too (modulo pci_dma_read() changes which makes the context differ).
> It applies cleanly to 1.0 stable.
Therefore we should cc qemu-stable. :)
Andreas
>>> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
>>> ---
>>> hw/e1000.c | 3 +++
>>> 1 files changed, 3 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/hw/e1000.c b/hw/e1000.c
>>> index a29c944..86c5416 100644
>>> --- a/hw/e1000.c
>>> +++ b/hw/e1000.c
>>> @@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>>> bytes = split_size;
>>> if (tp->size + bytes > msh)
>>> bytes = msh - tp->size;
>>> +
>>> + bytes = MIN(sizeof(tp->data) - tp->size, bytes);
>>> pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
>>> if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
>>> memmove(tp->header, tp->data, hdr);
>>> @@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
>>> // context descriptor TSE is not set, while data descriptor TSE is set
>>> DBGOUT(TXERR, "TCP segmentaion Error\n");
>>> } else {
>>> + split_size = MIN(sizeof(tp->data) - tp->size, split_size);
>>> pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
>>> tp->size += split_size;
>>> }
>>> --
>>> 1.7.4.1
--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2012-02-02 16:02 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-01-23 13:32 [Qemu-devel] [PATCH] e1000: bounds packet size against buffer size Anthony Liguori
2012-02-02 11:15 ` Stefano Stabellini
2012-02-02 15:24 ` Michael Tokarev
2012-02-02 16:00 ` Andreas Färber
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).