[Pkg-xen-changes] r1135 - in branches/wheezy/xen/debian: . patches
Bastian Blank
waldi at alioth.debian.org
Sat Jan 19 12:32:10 UTC 2013
Author: waldi
Date: Sat Jan 19 12:32:09 2013
New Revision: 1135
Log:
* debian/changelog: Update.
* debian/patches: Add fix for CVE-2012-6075.
Added:
branches/wheezy/xen/debian/patches/CVE-2012-6075-1
branches/wheezy/xen/debian/patches/CVE-2012-6075-2
Modified:
branches/wheezy/xen/debian/changelog
branches/wheezy/xen/debian/patches/series
Modified: branches/wheezy/xen/debian/changelog
==============================================================================
--- branches/wheezy/xen/debian/changelog Sat Jan 19 12:12:11 2013 (r1134)
+++ branches/wheezy/xen/debian/changelog Sat Jan 19 12:32:09 2013 (r1135)
@@ -2,6 +2,8 @@
* Fix error in VT-d interrupt remapping source validation.
CVE-2012-5634
+ * Fix buffer overflow in qemu e1000 emulation.
+ CVE-2012-6075
-- Bastian Blank <waldi at debian.org> Sat, 19 Jan 2013 13:04:21 +0100
Added: branches/wheezy/xen/debian/patches/CVE-2012-6075-1
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-6075-1 Sat Jan 19 12:32:09 2013 (r1135)
@@ -0,0 +1,35 @@
+Description: e1000: Discard packets that are too long if !SBP and !LPE
+ The e1000_receive function for the e1000 needs to discard packets longer than
+ 1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
+ this behavior and allocates memory based on this assumption.
+ From: Michael Contreras <michael at inetric.com>
+Origin: upstream
+Id: CVE-2012-6075
+---
+--- a/qemu/hw/e1000.c
++++ b/qemu/hw/e1000.c
+@@ -55,6 +55,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+ #define REG_IOADDR 0x0
+ #define REG_IODATA 0x4
+
++/* this is the size past which hardware will drop packets when setting LPE=0 */
++#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++
+ /*
+ * HW models:
+ * E1000_DEV_ID_82540EM works with Windows and Linux
+@@ -628,6 +631,14 @@ e1000_receive(void *opaque, const uint8_t *buf, int size)
+ return;
+ }
+
++ /* Discard oversized packets if !LPE and !SBP. */
++ if (size > MAXIMUM_ETHERNET_VLAN_SIZE
++ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++ && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
++ DBGOUT(RX, "packet too large for applicable LPE/VLAN size\n");
++ return;
++ }
++
+ if (!receive_filter(s, buf, size))
+ return;
+
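Review bot: the new length check in e1000_receive only drops a frame when both E1000_RCTL_LPE and E1000_RCTL_SBP are clear, so with LPE set a frame of any size still reaches receive_filter and this patch on its own leaves that path without an upper bound. If CVE-2012-6075-2 is meant to close that, say in the Description that the two patches have to be applied together. In the patch header, the "From:" line is indented by one space and so reads as a continuation of the Description text rather than as its own field; CVE-2012-6075-2 has it at the start of the line.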
Added: branches/wheezy/xen/debian/patches/CVE-2012-6075-2
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-6075-2 Sat Jan 19 12:32:09 2013 (r1135)
@@ -0,0 +1,28 @@
+Description: e1000: Discard oversized packets based on SBP|LPE
+ Discard packets longer than 16384 when !SBP to match the hardware behavior.
+From: Michael Contreras <michael at inetric.com>
+Id: CVE-2012-6075
+---
+--- a/qemu/hw/e1000.c
++++ b/qemu/hw/e1000.c
+@@ -57,6 +57,8 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+
+ /* this is the size past which hardware will drop packets when setting LPE=0 */
+ #define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++/* this is the size past which hardware will drop packets when setting LPE=1 */
++#define MAXIMUM_ETHERNET_LPE_SIZE 16384
+
+ /*
+ * HW models:
+@@ -632,8 +634,9 @@ e1000_receive(void *opaque, const uint8_t *buf, int size)
+ }
+
+ /* Discard oversized packets if !LPE and !SBP. */
+- if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+- && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++ if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
++ (size > MAXIMUM_ETHERNET_VLAN_SIZE
++ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
+ && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+ DBGOUT(RX, "packet too large for applicable LPE/VLAN size\n");
+ return;
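Review bot: the comment kept as context above the condition in e1000_receive, "Discard oversized packets if !LPE and !SBP.", no longer describes the check, because frames larger than MAXIMUM_ETHERNET_LPE_SIZE are now dropped with LPE set as well; update it to something like "Discard oversized packets if !SBP: above 16384 always, above 1522 if !LPE". Both limits are still gated on E1000_RCTL_SBP being clear, so with SBP set no size limit applies at this point, and it is worth confirming that the receive code after receive_filter (not visible in this hunk) copes with that. The header also lacks the "Origin: upstream" field that CVE-2012-6075-1 carries.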
Modified: branches/wheezy/xen/debian/patches/series
==============================================================================
--- branches/wheezy/xen/debian/patches/series Sat Jan 19 12:12:11 2013 (r1134)
+++ branches/wheezy/xen/debian/patches/series Sat Jan 19 12:32:09 2013 (r1135)
@@ -23,6 +23,8 @@
CVE-2012-5514
CVE-2012-5515
CVE-2012-5634
+CVE-2012-6075-1
+CVE-2012-6075-2
upstream-23001:9eb9948904cd
upstream-23002:eb64b8f8eebb