authorbouyer <bouyer>2012-02-03 17:00:24 +0000
committerbouyer <bouyer>2012-02-03 17:00:24 +0000
commit2db3a6b131de52eb002a351846f77195f7cbed87 (patch)
tree602a75a421a50cd10451b2be8b4f81184fb6c6a0 /sysutils
parente47a3037291387238d996097e1411c603d0f1e67 (diff)
downloadpkgsrc-2db3a6b131de52eb002a351846f77195f7cbed87.tar.gz
Pull up fix from Xen repository, fixing CVE-2012-0029:
Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation allows the guest to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets. Bump PKGREVISION
Diffstat (limited to 'sysutils')
-rw-r--r--sysutils/xentools33/Makefile4
-rw-r--r--sysutils/xentools33/distinfo3
-rw-r--r--sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-002939
-rw-r--r--sysutils/xentools41/Makefile4
-rw-r--r--sysutils/xentools41/distinfo3
-rw-r--r--sysutils/xentools41/patches/patch-qemu-e1000-CVSE-2012-002945
6 files changed, 92 insertions, 6 deletions
diff --git a/sysutils/xentools33/Makefile b/sysutils/xentools33/Makefile
index 2134295d6f2..024b27aebb3 100644
--- a/sysutils/xentools33/Makefile
+++ b/sysutils/xentools33/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.28 2012/01/09 14:06:34 cegger Exp $
+# $NetBSD: Makefile,v 1.29 2012/02/03 17:00:24 bouyer Exp $
#
VERSION= 3.3.2
DISTNAME= xen-${VERSION}
PKGNAME= xentools33-${VERSION}
-PKGREVISION= 9
+PKGREVISION= 10
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
EXTRACT_SUFX= .tar.gz
diff --git a/sysutils/xentools33/distinfo b/sysutils/xentools33/distinfo
index f708617548d..94606839205 100644
--- a/sysutils/xentools33/distinfo
+++ b/sysutils/xentools33/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.26 2012/01/09 14:06:34 cegger Exp $
+$NetBSD: distinfo,v 1.27 2012/02/03 17:00:24 bouyer Exp $
SHA1 (xen-3.3.2.tar.gz) = 7f438e73ac81b25cf5e1570709e87001066bafe4
RMD160 (xen-3.3.2.tar.gz) = 28faa56286f2a418e35dcba6079570ea871d6c7b
@@ -56,4 +56,5 @@ SHA1 (patch-fe) = 85d42672766fe8ce2dc7f745938722710c6ee5a3
SHA1 (patch-ff) = 6ff97fa4f34f29c276e4aaab4b4db9ccf7b09957
SHA1 (patch-fg) = 913295d341c1dd5bf4d1ef78f27520920f138d4c
SHA1 (patch-io_ring_h) = 83b01462d5d2b48b4f97b3d9a7980aa3300ad0b3
+SHA1 (patch-qemu-e1000-CVSE-2012-0029) = 8628504e1dfd013254f816cb4feeb7548b9ad2ec
SHA1 (patch-qemu-phy-devices) = 29790e45372ae16157e906dc39a667229e8a0ba5
diff --git a/sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029 b/sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029
new file mode 100644
index 00000000000..533f1503ceb
--- /dev/null
+++ b/sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029
@@ -0,0 +1,39 @@
+$NetBSD: patch-qemu-e1000-CVSE-2012-0029,v 1.1 2012/02/03 17:00:25 bouyer Exp $
+
+Backported from:
+From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <Ian.Campbell@citrix.com>
+Date: Thu, 2 Feb 2012 13:47:06 +0000
+Subject: [PATCH] e1000: bounds packet size against buffer size
+
+Otherwise we can write beyond the buffer and corrupt memory. This is tracked
+as CVE-2012-0029.
+
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+
+(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840
+ by Ian Campbell.)
+
+Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
+(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8)
+
+
+--- ioemu/hw/e1000.c.orig 2009-08-06 14:56:34.000000000 +0200
++++ ioemu/hw/e1000.c 2012-02-03 14:51:56.000000000 +0100
+@@ -397,6 +401,8 @@
+ bytes = split_size;
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+ cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+ if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+ memmove(tp->header, tp->data, hdr);
+@@ -412,6 +418,7 @@
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
+ } else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+ cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+ tp->size += split_size;
+ }
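Review bot: The clamp added in the first e1000.c hunk, `bytes = MIN(sizeof(tp->data) - tp->size, bytes);`, yields `bytes == 0` once `tp->size` has reached `sizeof(tp->data)`, and nothing visible in the hunk handles a zero-length step. The enclosing loop starts and ends outside the hunk, so this is inferred: if it runs until `split_size` has been consumed in steps of `bytes`, a zero step makes no progress whenever `msh` is larger than the buffer, and the overflow would be traded for a device-model hang. An explicit exit right after the clamp, such as `if (bytes == 0) break;`, or rejecting an `msh` greater than `sizeof(tp->data)` where it is computed, would close that case. The same lines appear in the xentools41 copy of this patch.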
diff --git a/sysutils/xentools41/Makefile b/sysutils/xentools41/Makefile
index cb6b1868ad2..09c4e3651d1 100644
--- a/sysutils/xentools41/Makefile
+++ b/sysutils/xentools41/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.14 2012/01/26 11:19:23 cegger Exp $
+# $NetBSD: Makefile,v 1.15 2012/02/03 17:00:25 bouyer Exp $
#
# VERSION is set in version.mk as it is shared with other packages
.include "version.mk"
DISTNAME= xen-${VERSION}
PKGNAME= xentools41-${VERSION}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xentools41/distinfo b/sysutils/xentools41/distinfo
index ad0e97ee9c6..83162ae9fcd 100644
--- a/sysutils/xentools41/distinfo
+++ b/sysutils/xentools41/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2012/01/26 11:19:23 cegger Exp $
+$NetBSD: distinfo,v 1.17 2012/02/03 17:00:25 bouyer Exp $
SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
@@ -37,5 +37,6 @@ SHA1 (patch-de) = fae94b61a430a1a7dd98c9a6a04e4513824c6d8d
SHA1 (patch-df) = d20bf9d3fd05f5334f77c9154bf0fb9944c1292c
SHA1 (patch-libxl_libxl_create.c) = 02b661ca684609939c6ef762c0ddd1c5e62ad4d0
SHA1 (patch-ocaml-include-path) = 959df25b0aae78d525b25f223190203d3c1185a6
+SHA1 (patch-qemu-e1000-CVSE-2012-0029) = 064ba74795e7a1ceb863d1f7bc171f3841c81b8a
SHA1 (patch-qemu-phy-devices) = fef90e50ef0a58db2f2b49b6c23218f371791de5
SHA1 (patch-xenstore_Makefile) = 4fa0ed7b76a96011c3cca9c5017be4b5151489f7
diff --git a/sysutils/xentools41/patches/patch-qemu-e1000-CVSE-2012-0029 b/sysutils/xentools41/patches/patch-qemu-e1000-CVSE-2012-0029
new file mode 100644
index 00000000000..6bd160103c8
--- /dev/null
+++ b/sysutils/xentools41/patches/patch-qemu-e1000-CVSE-2012-0029
@@ -0,0 +1,45 @@
+$NetBSD: patch-qemu-e1000-CVSE-2012-0029,v 1.1 2012/02/03 17:00:25 bouyer Exp $
+
+From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <Ian.Campbell@citrix.com>
+Date: Thu, 2 Feb 2012 13:47:06 +0000
+Subject: [PATCH] e1000: bounds packet size against buffer size
+
+Otherwise we can write beyond the buffer and corrupt memory. This is tracked
+as CVE-2012-0029.
+
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+
+(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840
+ by Ian Campbell.)
+
+Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
+(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8)
+---
+ hw/e1000.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index bb3689e..97104ed 100644
+--- ioemu-qemu-xen/hw/e1000.c.orig
++++ ioemu-qemu-xen/hw/e1000.c
+@@ -444,6 +444,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ bytes = split_size;
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+ cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+ if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+ memmove(tp->header, tp->data, hdr);
+@@ -459,6 +461,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
+ } else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+ cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+ tp->size += split_size;
+ }
+--
+1.7.2.5
+
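Review bot: The clamp in the non-TSE branch, `split_size = MIN(sizeof(tp->data) - tp->size, split_size);`, discards the excess bytes silently, so an oversized descriptor leaves no trace for whoever later investigates a misbehaving guest. A `DBGOUT(TXERR, ...)` line when the requested length exceeds the remaining space would report the truncation the same way the branch just above reports the TSE mismatch. The expression `sizeof(tp->data) - tp->size` is unsigned arithmetic and is only safe while `tp->size` never exceeds the buffer, which deserves a comment such as `/* invariant: tp->size <= sizeof(tp->data); both reads are clamped to keep it */`. process_tx_desc begins and ends outside both inner hunks, so other writers of `tp->size` could not be checked from here.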