From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:50892)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <afaerber@suse.de>) id 1Rsz7L-0000eC-V2
	for qemu-devel@nongnu.org; Thu, 02 Feb 2012 11:02:40 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <afaerber@suse.de>) id 1Rsz7H-0001ut-H1
	for qemu-devel@nongnu.org; Thu, 02 Feb 2012 11:02:35 -0500
Message-ID: <4F2AB305.7000301@suse.de>
Date: Thu, 02 Feb 2012 17:00:05 +0100
From: =?ISO-8859-1?Q?Andreas_F=E4rber?= <afaerber@suse.de>
MIME-Version: 1.0
References: <1327325535-3177-1-git-send-email-aliguori@us.ibm.com>
	<alpine.DEB.2.00.1202021113270.3196@kaball-desktop>
	<4F2AAAA9.1080308@msgid.tls.msk.ru>
In-Reply-To: <4F2AAAA9.1080308@msgid.tls.msk.ru>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [Qemu-devel] [PATCH] e1000: bounds packet size against buffer
 size
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Anthony Liguori <aliguori@us.ibm.com>, qemu-stable@nongnu.org, Michael Tokarev <mjt@tls.msk.ru>, "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>, Stefano Stabellini <stefano.stabellini@eu.citrix.com>

Am 02.02.2012 16:24, schrieb Michael Tokarev:
> On 02.02.2012 15:15, Stefano Stabellini wrote:
>> On Mon, 23 Jan 2012, Anthony Liguori wrote:
>>> Otherwise we can write beyond the buffer and corrupt memory.  This is=
 tracked
>>> as CVE-2012-0029.
>>
>> The stable-1.0 branch looks vulnerable too, shouldn't this patch be
>> backported?
>=20
> This goes on since forever - for example, this patch applies to 0.12
> too (modulo pci_dma_read() changes which makes the context differ).
> It applies cleanly to 1.0 stable.

Therefore we should cc qemu-stable. :)

Andreas

>>> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
>>> ---
>>>  hw/e1000.c |    3 +++
>>>  1 files changed, 3 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/hw/e1000.c b/hw/e1000.c
>>> index a29c944..86c5416 100644
>>> --- a/hw/e1000.c
>>> +++ b/hw/e1000.c
>>> @@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_de=
sc *dp)
>>>              bytes =3D split_size;
>>>              if (tp->size + bytes > msh)
>>>                  bytes =3D msh - tp->size;
>>> +
>>> +            bytes =3D MIN(sizeof(tp->data) - tp->size, bytes);
>>>              pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
>>>              if ((sz =3D tp->size + bytes) >=3D hdr && tp->size < hdr=
)
>>>                  memmove(tp->header, tp->data, hdr);
>>> @@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_de=
sc *dp)
>>>          // context descriptor TSE is not set, while data descriptor =
TSE is set
>>>          DBGOUT(TXERR, "TCP segmentaion Error\n");
>>>      } else {
>>> +        split_size =3D MIN(sizeof(tp->data) - tp->size, split_size);
>>>          pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size)=
;
>>>          tp->size +=3D split_size;
>>>      }
>>> --=20
>>> 1.7.4.1

--=20
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 N=FCrnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imend=F6rffer; HRB 16746 AG N=FCrnbe=
rg