[Pkg-xen-changes] r1135 - in branches/wheezy/xen/debian: . patches

Bastian Blank waldi at alioth.debian.org
Sat Jan 19 12:32:10 UTC 2013


Author: waldi
Date: Sat Jan 19 12:32:09 2013
New Revision: 1135

Log:
* debian/changelog: Update.
* debian/patches: Add fix for CVE-2012-6075.

Added:
   branches/wheezy/xen/debian/patches/CVE-2012-6075-1
   branches/wheezy/xen/debian/patches/CVE-2012-6075-2
Modified:
   branches/wheezy/xen/debian/changelog
   branches/wheezy/xen/debian/patches/series

Modified: branches/wheezy/xen/debian/changelog
==============================================================================
--- branches/wheezy/xen/debian/changelog	Sat Jan 19 12:12:11 2013	(r1134)
+++ branches/wheezy/xen/debian/changelog	Sat Jan 19 12:32:09 2013	(r1135)
@@ -2,6 +2,8 @@
 
   * Fix error in VT-d interrupt remapping source validation.
     CVE-2012-5634
+  * Fix buffer overflow in qemu e1000 emulation.
+    CVE-2012-6075
 
  -- Bastian Blank <waldi at debian.org>  Sat, 19 Jan 2013 13:04:21 +0100
 

Added: branches/wheezy/xen/debian/patches/CVE-2012-6075-1
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-6075-1	Sat Jan 19 12:32:09 2013	(r1135)
@@ -0,0 +1,35 @@
+Description: e1000: Discard packets that are too long if !SBP and !LPE
+ The e1000_receive function for the e1000 needs to discard packets longer than
+ 1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
+ this behavior and allocates memory based on this assumption.
+ From: Michael Contreras <michael at inetric.com>
+Origin: upstream
+Id: CVE-2012-6075
+---
+--- a/qemu/hw/e1000.c
++++ b/qemu/hw/e1000.c
+@@ -55,6 +55,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+ #define REG_IOADDR 0x0
+ #define REG_IODATA 0x4
+ 
++/* this is the size past which hardware will drop packets when setting LPE=0 */
++#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++
+ /*
+  * HW models:
+  *  E1000_DEV_ID_82540EM works with Windows and Linux
+@@ -628,6 +631,14 @@ e1000_receive(void *opaque, const uint8_t *buf, int size)
+         return;
+     }
+ 
++    /* Discard oversized packets if !LPE and !SBP. */
++    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
++        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++        && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
++        DBGOUT(RX, "packet too large for applicable LPE/VLAN size\n");
++        return;
++    }
++
+     if (!receive_filter(s, buf, size))
+         return;
+ 
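Review bot: In the e1000_receive hunk the discard only fires when both LPE and SBP are clear, so once E1000_RCTL_LPE is set this patch on its own applies no upper bound to size. The 16384 cap arrives only with CVE-2012-6075-2, so the two files should always be applied together, or be folded into one. In the header, the " From:" line is indented by one space and therefore reads as a continuation of Description rather than as its own field; drop the leading space so it matches CVE-2012-6075-2.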

Added: branches/wheezy/xen/debian/patches/CVE-2012-6075-2
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-6075-2	Sat Jan 19 12:32:09 2013	(r1135)
@@ -0,0 +1,28 @@
+Description: e1000: Discard oversized packets based on SBP|LPE
+ Discard packets longer than 16384 when !SBP to match the hardware behavior.
+From: Michael Contreras <michael at inetric.com>
+Id: CVE-2012-6075
+---
+--- a/qemu/hw/e1000.c
++++ b/qemu/hw/e1000.c
+@@ -57,6 +57,8 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+ 
+ /* this is the size past which hardware will drop packets when setting LPE=0 */
+ #define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++/* this is the size past which hardware will drop packets when setting LPE=1 */
++#define MAXIMUM_ETHERNET_LPE_SIZE 16384
+ 
+ /*
+  * HW models:
+@@ -632,8 +634,9 @@ e1000_receive(void *opaque, const uint8_t *buf, int size)
+     }
+ 
+     /* Discard oversized packets if !LPE and !SBP. */
+-    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+-        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++    if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
++        (size > MAXIMUM_ETHERNET_VLAN_SIZE
++        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
+         && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+         DBGOUT(RX, "packet too large for applicable LPE/VLAN size\n");
+         return;
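Review bot: The context comment "/* Discard oversized packets if !LPE and !SBP. */" above the changed condition is now stale, since the check also drops anything over MAXIMUM_ETHERNET_LPE_SIZE when LPE is set; update it to describe both limits. The whole test is still gated on "!(s->mac_reg[RCTL] & E1000_RCTL_SBP)", so with SBP set neither cap applies, and it is worth confirming that whatever consumes size later in e1000_receive (not visible in this hunk) is bounded independently. The header also lacks the "Origin: upstream" field that CVE-2012-6075-1 carries.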

Modified: branches/wheezy/xen/debian/patches/series
==============================================================================
--- branches/wheezy/xen/debian/patches/series	Sat Jan 19 12:12:11 2013	(r1134)
+++ branches/wheezy/xen/debian/patches/series	Sat Jan 19 12:32:09 2013	(r1135)
@@ -23,6 +23,8 @@
 CVE-2012-5514
 CVE-2012-5515
 CVE-2012-5634
+CVE-2012-6075-1
+CVE-2012-6075-2
 
 upstream-23001:9eb9948904cd
 upstream-23002:eb64b8f8eebb


