From 208d730cf2de37efd42f1e7d64a43a6b10b261a5 Mon Sep 17 00:00:00 2001 From: bouyer Date: Fri, 3 Feb 2012 17:00:24 +0000 Subject: Pull up fix from Xen repository, fixing CVE-2012-0029: Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation allows the guest to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets. Bump PKGREVISION --- sysutils/xentools33/Makefile | 4 +-- sysutils/xentools33/distinfo | 3 +- .../patches/patch-qemu-e1000-CVSE-2012-0029 | 39 ++++++++++++++++++++++ 3 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029 (limited to 'sysutils/xentools33') diff --git a/sysutils/xentools33/Makefile b/sysutils/xentools33/Makefile index 2134295d6f2..024b27aebb3 100644 --- a/sysutils/xentools33/Makefile +++ b/sysutils/xentools33/Makefile @@ -1,10 +1,10 @@ -# $NetBSD: Makefile,v 1.28 2012/01/09 14:06:34 cegger Exp $ +# $NetBSD: Makefile,v 1.29 2012/02/03 17:00:24 bouyer Exp $ # VERSION= 3.3.2 DISTNAME= xen-${VERSION} PKGNAME= xentools33-${VERSION} -PKGREVISION= 9 +PKGREVISION= 10 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ EXTRACT_SUFX= .tar.gz diff --git a/sysutils/xentools33/distinfo b/sysutils/xentools33/distinfo index f708617548d..94606839205 100644 --- a/sysutils/xentools33/distinfo +++ b/sysutils/xentools33/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.26 2012/01/09 14:06:34 cegger Exp $ +$NetBSD: distinfo,v 1.27 2012/02/03 17:00:24 bouyer Exp $ SHA1 (xen-3.3.2.tar.gz) = 7f438e73ac81b25cf5e1570709e87001066bafe4 RMD160 (xen-3.3.2.tar.gz) = 28faa56286f2a418e35dcba6079570ea871d6c7b @@ -56,4 +56,5 @@ SHA1 (patch-fe) = 85d42672766fe8ce2dc7f745938722710c6ee5a3 SHA1 (patch-ff) = 6ff97fa4f34f29c276e4aaab4b4db9ccf7b09957 SHA1 (patch-fg) = 913295d341c1dd5bf4d1ef78f27520920f138d4c SHA1 (patch-io_ring_h) = 83b01462d5d2b48b4f97b3d9a7980aa3300ad0b3 +SHA1 (patch-qemu-e1000-CVSE-2012-0029) = 8628504e1dfd013254f816cb4feeb7548b9ad2ec SHA1 (patch-qemu-phy-devices) = 29790e45372ae16157e906dc39a667229e8a0ba5 diff --git a/sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029 b/sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029 new file mode 100644 index 00000000000..533f1503ceb --- /dev/null +++ b/sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029 @@ -0,0 +1,39 @@ +$NetBSD: patch-qemu-e1000-CVSE-2012-0029,v 1.1 2012/02/03 17:00:25 bouyer Exp $ + +Backported from: +From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001 +From: Ian Campbell +Date: Thu, 2 Feb 2012 13:47:06 +0000 +Subject: [PATCH] e1000: bounds packet size against buffer size + +Otherwise we can write beyond the buffer and corrupt memory. This is tracked +as CVE-2012-0029. + +Signed-off-by: Anthony Liguori + +(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840 + by Ian Campbell.) + +Signed-off-by: Ian Campbell +(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8) + + +--- ioemu/hw/e1000.c.orig 2009-08-06 14:56:34.000000000 +0200 ++++ ioemu/hw/e1000.c 2012-02-03 14:51:56.000000000 +0100 +@@ -397,6 +401,8 @@ + bytes = split_size; + if (tp->size + bytes > msh) + bytes = msh - tp->size; ++ ++ bytes = MIN(sizeof(tp->data) - tp->size, bytes); + cpu_physical_memory_read(addr, tp->data + tp->size, bytes); + if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) + memmove(tp->header, tp->data, hdr); +@@ -412,6 +418,7 @@ + // context descriptor TSE is not set, while data descriptor TSE is set + DBGOUT(TXERR, "TCP segmentaion Error\n"); + } else { ++ split_size = MIN(sizeof(tp->data) - tp->size, split_size); + cpu_physical_memory_read(addr, tp->data + tp->size, split_size); + tp->size += split_size; + } -- cgit v1.2.3