parent
495677c360
commit
259bd79528
|
@ -0,0 +1,89 @@
|
|||
From 55c6a5611acc88b9c97fff3324fc743fafc6d0c7 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Contreras <michael@inetric.com>
|
||||
Date: Sun, 2 Dec 2012 20:11:22 -0800
|
||||
Subject: [PATCH] e1000: Discard packets that are too long if !SBP and !LPE
|
||||
|
||||
The e1000_receive function for the e1000 needs to discard packets longer than
|
||||
1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
|
||||
this behavior and allocates memory based on this assumption.
|
||||
|
||||
Signed-off-by: Michael Contreras <michael@inetric.com>
|
||||
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
|
||||
(cherry picked from commit b0d9ffcd0251161c7c92f94804dcf599dfa3edeb)
|
||||
|
||||
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
|
||||
---
|
||||
hw/e1000.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/hw/e1000.c b/hw/e1000.c
|
||||
index 4d4ac32..b1d8508 100644
|
||||
--- a/hw/e1000.c
|
||||
+++ b/hw/e1000.c
|
||||
@@ -59,6 +59,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
|
||||
#define PNPMMIO_SIZE 0x20000
|
||||
#define MIN_BUF_SIZE 60 /* Min. octets in an ethernet frame sans FCS */
|
||||
|
||||
+/* this is the size past which hardware will drop packets when setting LPE=0 */
|
||||
+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
|
||||
+
|
||||
/*
|
||||
* HW models:
|
||||
* E1000_DEV_ID_82540EM works with Windows and Linux
|
||||
@@ -795,6 +798,13 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
|
||||
size = sizeof(min_buf);
|
||||
}
|
||||
|
||||
+ /* Discard oversized packets if !LPE and !SBP. */
|
||||
+ if (size > MAXIMUM_ETHERNET_VLAN_SIZE
|
||||
+ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
|
||||
+ && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
|
||||
+ return size;
|
||||
+ }
|
||||
+
|
||||
if (!receive_filter(s, buf, size))
|
||||
return size;
|
||||
|
||||
--
|
||||
1.8.1
|
||||
From 2c0331f4f7d241995452b99afaf0aab00493334a Mon Sep 17 00:00:00 2001
|
||||
From: Michael Contreras <michael@inetric.com>
|
||||
Date: Wed, 5 Dec 2012 13:31:30 -0500
|
||||
Subject: [PATCH] e1000: Discard oversized packets based on SBP|LPE
|
||||
|
||||
Discard packets longer than 16384 when !SBP to match the hardware behavior.
|
||||
|
||||
Signed-off-by: Michael Contreras <michael@inetric.com>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
---
|
||||
hw/e1000.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/e1000.c b/hw/e1000.c
|
||||
index 92fb00a..8fd1654 100644
|
||||
--- a/hw/e1000.c
|
||||
+++ b/hw/e1000.c
|
||||
@@ -61,6 +61,8 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
|
||||
|
||||
/* this is the size past which hardware will drop packets when setting LPE=0 */
|
||||
#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
|
||||
+/* this is the size past which hardware will drop packets when setting LPE=1 */
|
||||
+#define MAXIMUM_ETHERNET_LPE_SIZE 16384
|
||||
|
||||
/*
|
||||
* HW models:
|
||||
@@ -809,8 +811,9 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
|
||||
}
|
||||
|
||||
/* Discard oversized packets if !LPE and !SBP. */
|
||||
- if (size > MAXIMUM_ETHERNET_VLAN_SIZE
|
||||
- && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
|
||||
+ if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
|
||||
+ (size > MAXIMUM_ETHERNET_VLAN_SIZE
|
||||
+ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
|
||||
&& !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
|
||||
return size;
|
||||
}
|
||||
--
|
||||
1.8.1
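Review bot: The final length check in `e1000_receive` compares `size` against limits that appear to include the FCS (1522 is the largest VLAN-tagged frame counted with its 4-byte FCS), while the neighbouring `MIN_BUF_SIZE` comment says this path counts octets "sans FCS". If `size` really excludes the FCS here (the rest of the function lies outside the hunk, so this needs confirming), a frame up to 4 bytes longer than the guest driver sized its buffers for is still delivered when LPE and SBP are clear. The limits should then account for the FCS, for example `#define MAXIMUM_ETHERNET_VLAN_SIZE 1518` and `#define MAXIMUM_ETHERNET_LPE_SIZE (16384 - 4)`, or the comparison should use `size + 4`. Separately, RCTL is written by the guest and the whole condition is gated on `!SBP`, so no length cap applies once SBP is set; a comment above the check such as `/* SBP is guest-controlled: no length cap applies when it is set, so the descriptor copy path must bound writes itself */` would record that assumption.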
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 0.15.1
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
|
@ -135,6 +135,8 @@ Patch242: %{name}-spice-server-threading.patch
|
|||
Patch243: %{name}-fix-text-mode-screendumps.patch
|
||||
# CVE-2012-3515 VT100 emulation vulnerability (bz 854600, bz 851252)
|
||||
Patch244: 0244-console-bounds-check-whenever-changing-the-cursor-du.patch
|
||||
# CVE-2012-6075: Buffer overflow in e1000 nic (bz 889301, bz 889304)
|
||||
Patch245: 0001-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
|
||||
|
@ -438,6 +440,7 @@ such as kvm_stat.
|
|||
%patch242 -p1
|
||||
%patch243 -p1
|
||||
%patch244 -p1
|
||||
%patch245 -p1
|
||||
|
||||
%build
|
||||
# By default we build everything, but allow x86 to build a minimal version
|
||||
|
@ -826,6 +829,9 @@ fi
|
|||
%{_mandir}/man1/qemu-img.1*
|
||||
|
||||
%changelog
|
||||
* Wed Jan 16 2013 Cole Robinson <crobinso@redhat.com> - 2:0.15.1-9
|
||||
- CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)
|
||||
|
||||
* Sun Oct 07 2012 Cole Robinson <crobinso@redhat.com> - 0.15.1-8
|
||||
- CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252)
|
||||
|
||||
|
|