Add vPMU support and fix for CVE-2012-0029.

This commit is contained in:
Justin M. Forbes 2012-01-24 16:25:49 -06:00
parent ff620283c7
commit 4d9bbd115e
3 changed files with 87 additions and 2 deletions

View File

@ -0,0 +1,37 @@
From d0ed2d2e8e863a9a64c9fc9c08fa68bee546ad00 Mon Sep 17 00:00:00 2001
From: Anthony Liguori <aliguori@us.ibm.com>
Date: Mon, 23 Jan 2012 07:30:43 -0600
Subject: [PATCH 26/26] e1000: bounds packet size against buffer size
Otherwise we can write beyond the buffer and corrupt memory. This is tracked
as CVE-2012-0029.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
---
hw/e1000.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/hw/e1000.c b/hw/e1000.c
index 986ed9c..e164d79 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
bytes = split_size;
if (tp->size + bytes > msh)
bytes = msh - tp->size;
+
+ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
memmove(tp->header, tp->data, hdr);
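Review bot: the new clamp `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` is the only guard keeping `tp->data + tp->size` plus `bytes` inside `tp->data`, and it relies on `tp->size` never exceeding `sizeof(tp->data)` (the subtraction is unsigned, so an oversized `tp->size` would wrap rather than clamp). Since this hunk is what establishes that invariant, a one-line comment stating it would help the next reader; note also that the following `memmove(tp->header, tp->data, hdr)` copies `hdr` bytes, which this patch does not bound, so the header-side limit is still whatever validated `hdr` earlier.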
@@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentaion Error\n");
} else {
+ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
tp->size += split_size;
}
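Review bot: this branch has no preceding `msh` check, so `split_size = MIN(sizeof(tp->data) - tp->size, split_size);` is the sole bound before `pci_dma_read` and `tp->size += split_size;`, which is correct and keeps `tp->size` at most `sizeof(tp->data)`. The same `MIN(sizeof(tp->data) - tp->size, ...)` expression now appears twice in `process_tx_desc`; a small helper or named macro would keep the two clamps from drifting apart in later edits.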
--
1.7.7.6

View File

@ -0,0 +1,37 @@
commit a0fa82085e175bf8ce6d69a3f83695f81af2a649
Author: Gleb Natapov <gleb@redhat.com>
Date: Thu Dec 15 12:44:05 2011 +0200
enable architectural PMU cpuid leaf for kvm
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
diff --git a/target-i386/cpuid.c b/target-i386/cpuid.c
index 0b3af90..91a104b 100644
--- a/target-i386/cpuid.c
+++ b/target-i386/cpuid.c
@@ -1180,10 +1180,19 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
break;
case 0xA:
/* Architectural Performance Monitoring Leaf */
- *eax = 0;
- *ebx = 0;
- *ecx = 0;
- *edx = 0;
+ if (kvm_enabled()) {
+ KVMState *s = env->kvm_state;
+
+ *eax = kvm_arch_get_supported_cpuid(s, 0xA, count, R_EAX);
+ *ebx = kvm_arch_get_supported_cpuid(s, 0xA, count, R_EBX);
+ *ecx = kvm_arch_get_supported_cpuid(s, 0xA, count, R_ECX);
+ *edx = kvm_arch_get_supported_cpuid(s, 0xA, count, R_EDX);
+ } else {
+ *eax = 0;
+ *ebx = 0;
+ *ecx = 0;
+ *edx = 0;
+ }
break;
case 0xD:
/* Processor Extended State */
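Review bot: when `kvm_enabled()` is true, leaf 0xA is filled unconditionally from `kvm_arch_get_supported_cpuid`, so every KVM guest sees the host's architectural PMU version and counter layout regardless of the selected CPU model, and a guest migrated between hosts with different PMUs would see leaf 0xA change underneath it. Consider gating this on a CPU-model feature flag, or at least documenting that the leaf tracks the host; the `count` argument is passed through as the subleaf, which is harmless for leaf 0xA but worth a comment so it is not mistaken for a subleaf-aware leaf.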

View File

@ -1,7 +1,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 1.0
Release: 2%{?dist}
Release: 3%{?dist}
# Epoch because we pushed a qemu-1.0 package
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
@ -64,7 +64,8 @@ Patch22: 0022-coroutine-switch-per-thread-free-pool-to-a-global-po.patch
Patch23: 0023-qemu-img-rebase-Fix-for-undersized-backing-files.patch
Patch24: 0024-Documentation-Add-qemu-img-t-parameter-in-man-page.patch
Patch25: 0025-rbd-always-set-out-parameter-in-qemu_rbd_snap_list.patch
Patch26: virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
Patch26: 0026-e1000-bounds-packet-size-against-buffer-size.patch
Patch27: virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch
# USB Redirect patches should go upstream soon!
Patch101: 0101-usb-redir-Clear-iso-irq-error-when-stopping-the-stre.patch
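Review bot: the existing virtio-blk patch is renumbered from `Patch26` to `Patch27` so that the new e1000 fix can take the `0026-` slot; that renumbering must be mirrored in the `%prep` section (the `%patch27 -p1` line added in the later hunk does this), otherwise the virtio-blk change would silently stop being applied. A brief comment marking `Patch26` as the CVE-2012-0029 fix would make the security-relevant patch easier to find in the list.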
@ -89,6 +90,9 @@ Patch118: 0118-char-Disable-write-callback-if-throttled-chardev-is-.patch
# General bug fixes
Patch201: Fix_save-restore_of_in-kernel_i8259.patch
# Feature patches, should be in 1.1 before release
Patch301: enable_architectural_PMU_cpuid_leaf.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
BuildRequires: libaio-devel
@ -333,6 +337,7 @@ such as kvm_stat.
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch101 -p1
%patch102 -p1
@ -355,6 +360,8 @@ such as kvm_stat.
%patch201 -p1
%patch301 -p1
%build
# By default we build everything, but allow x86 to build a minimal version
# with only similar arch target support
@ -733,6 +740,10 @@ fi
%{_mandir}/man1/qemu-img.1*
%changelog
* Tue Jan 24 2012 Justin M. Forbes <jforbes@redhat.com> - 2:1.0-3
- Add support for vPMU
- e1000: bounds packet size against buffer size CVE-2012-0029
* Fri Jan 13 2012 Justin M. Forbes <jforbes@redhat.com> - 2:1.0-2
- Add patches for USB redirect bits
- Remove palcode-clipper, we don't build it
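Review bot: the changelog entry names CVE-2012-0029 but not the upstream commit (d0ed2d2e8e86, from the patch header) or a Bugzilla reference; adding one of those to the `- e1000: bounds packet size against buffer size CVE-2012-0029` line makes the security update traceable from the package history alone.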