CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)

0001-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch

@@ -0,0 +1,89 @@
+From 55c6a5611acc88b9c97fff3324fc743fafc6d0c7 Mon Sep 17 00:00:00 2001
+From: Michael Contreras <michael@inetric.com>
+Date: Sun, 2 Dec 2012 20:11:22 -0800
+Subject: [PATCH] e1000: Discard packets that are too long if !SBP and !LPE
+
+The e1000_receive function for the e1000 needs to discard packets longer than
+1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
+this behavior and allocates memory based on this assumption.
+
+Signed-off-by: Michael Contreras <michael@inetric.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit b0d9ffcd0251161c7c92f94804dcf599dfa3edeb)
+
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+---
+ hw/e1000.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 4d4ac32..b1d8508 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -59,6 +59,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+ #define PNPMMIO_SIZE      0x20000
+ #define MIN_BUF_SIZE      60 /* Min. octets in an ethernet frame sans FCS */
+ 
++/* this is the size past which hardware will drop packets when setting LPE=0 */
++#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++
+ /*
+  * HW models:
+  *  E1000_DEV_ID_82540EM works with Windows and Linux
+@@ -795,6 +798,13 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+         size = sizeof(min_buf);
+     }
+ 
++    /* Discard oversized packets if !LPE and !SBP. */
++    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
++        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++        && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
++        return size;
++    }
++
+     if (!receive_filter(s, buf, size))
+         return size;
+ 
+-- 
+1.8.1
+From 2c0331f4f7d241995452b99afaf0aab00493334a Mon Sep 17 00:00:00 2001
+From: Michael Contreras <michael@inetric.com>
+Date: Wed, 5 Dec 2012 13:31:30 -0500
+Subject: [PATCH] e1000: Discard oversized packets based on SBP|LPE
+
+Discard packets longer than 16384 when !SBP to match the hardware behavior.
+
+Signed-off-by: Michael Contreras <michael@inetric.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/e1000.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 92fb00a..8fd1654 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -61,6 +61,8 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+ 
+ /* this is the size past which hardware will drop packets when setting LPE=0 */
+ #define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++/* this is the size past which hardware will drop packets when setting LPE=1 */
++#define MAXIMUM_ETHERNET_LPE_SIZE 16384
+ 
+ /*
+  * HW models:
+@@ -809,8 +811,9 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+     }
+ 
+     /* Discard oversized packets if !LPE and !SBP. */
+-    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+-        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++    if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
++        (size > MAXIMUM_ETHERNET_VLAN_SIZE
++        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
+         && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+         return size;
+     }
+-- 
+1.8.1
+

0244-console-bounds-check-whenever-changing-the-cursor-du.patch

@@ -0,0 +1,133 @@
+From 840031ac0f74c51622490bb72e6671f7e35b95ff Mon Sep 17 00:00:00 2001
+Message-Id: <840031ac0f74c51622490bb72e6671f7e35b95ff.1349642201.git.crobinso@redhat.com>
+From: Ian Campbell <ian.campbell@citrix.com>
+Date: Tue, 4 Sep 2012 10:26:09 -0500
+Subject: [PATCH] console: bounds check whenever changing the cursor due to an
+ escape code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is XSA-17 / CVE-2012-3515
+
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+(cherry picked from commit 3eea5498ca501922520b3447ba94815bfc109743)
+
+[AF: Resolves BNC#777084]
+Signed-off-by: Andreas Färber <afaerber@suse.de>
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ console.c | 57 ++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 28 insertions(+), 29 deletions(-)
+
+diff --git a/console.c b/console.c
+index 07c82b8..f9eb5a1 100644
+--- a/console.c
++++ b/console.c
+@@ -833,6 +833,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
+     update_xy(s, x, y);
+ }
+ 
++/* set cursor, checking bounds */
++static void set_cursor(TextConsole *s, int x, int y)
++{
++    if (x < 0) {
++        x = 0;
++    }
++    if (y < 0) {
++        y = 0;
++    }
++    if (y >= s->height) {
++        y = s->height - 1;
++    }
++    if (x >= s->width) {
++        x = s->width - 1;
++    }
++
++    s->x = x;
++    s->y = y;
++}
++
+ static void console_putchar(TextConsole *s, int ch)
+ {
+     TextCell *c;
+@@ -904,7 +924,8 @@ static void console_putchar(TextConsole *s, int ch)
+                     s->esc_params[s->nb_esc_params] * 10 + ch - '0';
+             }
+         } else {
+-            s->nb_esc_params++;
++            if (s->nb_esc_params < MAX_ESC_PARAMS)
++                s->nb_esc_params++;
+             if (ch == ';')
+                 break;
+ #ifdef DEBUG_CONSOLE
+@@ -918,59 +939,37 @@ static void console_putchar(TextConsole *s, int ch)
+                 if (s->esc_params[0] == 0) {
+                     s->esc_params[0] = 1;
+                 }
+-                s->y -= s->esc_params[0];
+-                if (s->y < 0) {
+-                    s->y = 0;
+-                }
++                set_cursor(s, s->x, s->y - s->esc_params[0]);
+                 break;
+             case 'B':
+                 /* move cursor down */
+                 if (s->esc_params[0] == 0) {
+                     s->esc_params[0] = 1;
+                 }
+-                s->y += s->esc_params[0];
+-                if (s->y >= s->height) {
+-                    s->y = s->height - 1;
+-                }
++                set_cursor(s, s->x, s->y + s->esc_params[0]);
+                 break;
+             case 'C':
+                 /* move cursor right */
+                 if (s->esc_params[0] == 0) {
+                     s->esc_params[0] = 1;
+                 }
+-                s->x += s->esc_params[0];
+-                if (s->x >= s->width) {
+-                    s->x = s->width - 1;
+-                }
++                set_cursor(s, s->x + s->esc_params[0], s->y);
+                 break;
+             case 'D':
+                 /* move cursor left */
+                 if (s->esc_params[0] == 0) {
+                     s->esc_params[0] = 1;
+                 }
+-                s->x -= s->esc_params[0];
+-                if (s->x < 0) {
+-                    s->x = 0;
+-                }
++                set_cursor(s, s->x - s->esc_params[0], s->y);
+                 break;
+             case 'G':
+                 /* move cursor to column */
+-                s->x = s->esc_params[0] - 1;
+-                if (s->x < 0) {
+-                    s->x = 0;
+-                }
++                set_cursor(s, s->esc_params[0] - 1, s->y);
+                 break;
+             case 'f':
+             case 'H':
+                 /* move cursor to row, column */
+-                s->x = s->esc_params[1] - 1;
+-                if (s->x < 0) {
+-                    s->x = 0;
+-                }
+-                s->y = s->esc_params[0] - 1;
+-                if (s->y < 0) {
+-                    s->y = 0;
+-                }
++                set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
+                 break;
+             case 'J':
+                 switch (s->esc_params[0]) {
+-- 
+1.7.11.4
+

qemu.spec

@@ -1,7 +1,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 0.15.1
-Release: 7%{?dist}
+Release: 9%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -133,6 +133,10 @@ Patch241: %{name}-fix-systemtap.patch
 Patch242: %{name}-spice-server-threading.patch
 # Fix text mode screendumps (bz 819155)
 Patch243: %{name}-fix-text-mode-screendumps.patch
+# CVE-2012-3515 VT100 emulation vulnerability (bz 854600, bz 851252)
+Patch244: 0244-console-bounds-check-whenever-changing-the-cursor-du.patch
+# CVE-2012-6075: Buffer overflow in e1000 nic (bz 889301, bz 889304)
+Patch245: 0001-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
@@ -435,6 +439,8 @@ such as kvm_stat.
 %patch241 -p1
 %patch242 -p1
 %patch243 -p1
+%patch244 -p1
+%patch245 -p1
 
 %build
 # By default we build everything, but allow x86 to build a minimal version
@@ -823,6 +829,12 @@ fi
 %{_mandir}/man1/qemu-img.1*
 
 %changelog
+* Wed Jan 16 2013 Cole Robinson <crobinso@redhat.com> - 2:0.15.1-9
+- CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)
+
+* Sun Oct 07 2012 Cole Robinson <crobinso@redhat.com> - 0.15.1-8
+- CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252)
+
 * Sun Jul 29 2012 Cole Robinson <crobinso@redhat.com> - 0.15.1-7
 - Pull patches from 0.15 stable
 - CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz