Add vPMU support and fix for CVE-2012-0029.
This commit is contained in:
Justin M. Forbes
parent
ff620283c7
commit
4d9bbd115e
37
0026-e1000-bounds-packet-size-against-buffer-size.patch
Normal file
37
0026-e1000-bounds-packet-size-against-buffer-size.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From d0ed2d2e8e863a9a64c9fc9c08fa68bee546ad00 Mon Sep 17 00:00:00 2001
|
||||
From: Anthony Liguori <aliguori@us.ibm.com>
|
||||
Date: Mon, 23 Jan 2012 07:30:43 -0600
|
||||
Subject: [PATCH 26/26] e1000: bounds packet size against buffer size
|
||||
|
||||
Otherwise we can write beyond the buffer and corrupt memory. This is tracked
|
||||
as CVE-2012-0029.
|
||||
|
||||
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
|
||||
---
|
||||
hw/e1000.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/hw/e1000.c b/hw/e1000.c
|
||||
index 986ed9c..e164d79 100644
|
||||
--- a/hw/e1000.c
|
||||
+++ b/hw/e1000.c
|
||||
@@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
|
||||
bytes = split_size;
|
||||
if (tp->size + bytes > msh)
|
||||
bytes = msh - tp->size;
|
||||
+
|
||||
+ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
|
||||
pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
|
||||
if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
|
||||
memmove(tp->header, tp->data, hdr);
|
||||
@@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
|
||||
// context descriptor TSE is not set, while data descriptor TSE is set
|
||||
DBGOUT(TXERR, "TCP segmentaion Error\n");
|
||||
} else {
|
||||
+ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
|
||||
pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
|
||||
tp->size += split_size;
|
||||
}
|
||||
--
|
||||
1.7.7.6
|
||||
|
||||
37
enable_architectural_PMU_cpuid_leaf.patch
Normal file
37
enable_architectural_PMU_cpuid_leaf.patch
Normal file
@ -0,0 +1,37 @@
|
||||
commit a0fa82085e175bf8ce6d69a3f83695f81af2a649
|
||||
Author: Gleb Natapov <gleb@redhat.com>
|
||||
Date: Thu Dec 15 12:44:05 2011 +0200
|
||||
|
||||
enable architectural PMU cpuid leaf for kvm
|
||||
|
||||
Signed-off-by: Gleb Natapov <gleb@redhat.com>
|
||||
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
||||
|
||||
diff --git a/target-i386/cpuid.c b/target-i386/cpuid.c
|
||||
index 0b3af90..91a104b 100644
|
||||
--- a/target-i386/cpuid.c
|
||||
+++ b/target-i386/cpuid.c
|
||||
@@ -1180,10 +1180,19 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
|
||||
break;
|
||||
case 0xA:
|
||||
/* Architectural Performance Monitoring Leaf */
|
||||
- *eax = 0;
|
||||
- *ebx = 0;
|
||||
- *ecx = 0;
|
||||
- *edx = 0;
|
||||
+ if (kvm_enabled()) {
|
||||
+ KVMState *s = env->kvm_state;
|
||||
+
|
||||
+ *eax = kvm_arch_get_supported_cpuid(s, 0xA, count, R_EAX);
|
||||
+ *ebx = kvm_arch_get_supported_cpuid(s, 0xA, count, R_EBX);
|
||||
+ *ecx = kvm_arch_get_supported_cpuid(s, 0xA, count, R_ECX);
|
||||
+ *edx = kvm_arch_get_supported_cpuid(s, 0xA, count, R_EDX);
|
||||
+ } else {
|
||||
+ *eax = 0;
|
||||
+ *ebx = 0;
|
||||
+ *ecx = 0;
|
||||
+ *edx = 0;
|
||||
+ }
|
||||
break;
|
||||
case 0xD:
|
||||
/* Processor Extended State */
|
||||
15
qemu.spec
15
qemu.spec
@ -1,7 +1,7 @@
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 1.0
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
# Epoch because we pushed a qemu-1.0 package
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
@ -64,7 +64,8 @@ Patch22: 0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch
|
||||
Patch23: 0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch
|
||||
Patch24: 0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch
|
||||
Patch25: 0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch
|
||||
Patch26: virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
|
||||
Patch26: 0026-e1000-bounds-packet-size-against-buffer-size.patch
|
||||
Patch27: virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
|
||||
|
||||
# USB Redirect patches should go upstream soon!
|
||||
Patch101: 0101-usb-redir-Clear-iso-irq-error-when-stopping-the-stre.patch
|
||||
@ -89,6 +90,9 @@ Patch118: 0118-char-Disable-write-callback-if-throttled-chardev-is-.patch
|
||||
# General bug fixes
|
||||
Patch201: Fix_save-restore_of_in-kernel_i8259.patch
|
||||
|
||||
# Feature patches, should be in 1.1 before release
|
||||
Patch301: enable_architectural_PMU_cpuid_leaf.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
|
||||
BuildRequires: libaio-devel
|
||||
@ -333,6 +337,7 @@ such as kvm_stat.
|
||||
%patch24 -p1
|
||||
%patch25 -p1
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
|
||||
%patch101 -p1
|
||||
%patch102 -p1
|
||||
@ -355,6 +360,8 @@ such as kvm_stat.
|
||||
|
||||
%patch201 -p1
|
||||
|
||||
%patch301 -p1
|
||||
|
||||
%build
|
||||
# By default we build everything, but allow x86 to build a minimal version
|
||||
# with only similar arch target support
|
||||
@ -733,6 +740,10 @@ fi
|
||||
%{_mandir}/man1/qemu-img.1*
|
||||
|
||||
%changelog
|
||||
* Tue Jan 24 2012 Justin M. Forbes <jforbes@redhat.com> - 2:1.0-3
|
||||
- Add support for vPMU
|
||||
- e1000: bounds packet size against buffer size CVE-2012-0029
|
||||
|
||||
* Fri Jan 13 2012 Justin M. Forbes <jforbes@redhat.com> - 2:1.0-2
|
||||
- Add patches for USB redirect bits
|
||||
- Remove palcode-clipper, we don't build it
|
||||
|
||||
Loading…
Reference in New Issue
Block a user