[Xen-devel] Xen Security Advisory 6 (CVE-2012-0029) - HVM e1000, buffer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-0029 / XSA-6

        qemu-dm Local Privilege Escalation Vulnerability

ISSUE DESCRIPTION
=================

A heap-based buffer overflow in the process_tx_desc function of the e1000 emulation allows the guest to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets.

Upstream qemu has already released an advisory, hence there is no embargo.

VULNERABLE SYSTEMS
==================

The vulnerability impacts any host running HVM (Fully-Emulated) guests which are configured with an e1000 NIC (using "model=e1000") in their VIF configuration.

Note that the default emulated NIC is "rtl8139", which is not vulnerable. Hosts which run only PV guests, or which use the default rtl8139 NIC, are not affected.

MITIGATION
==========

Switching all HVM guests to a different emulated NIC (e.g. rtl8139, which is the default) or to PV network drivers will remove this vulnerability.

Enabling device model stub domains for such guests will also mitigate any arbitrary code execution exploit by restricting it to the stub domain only.

RESOLUTION
==========

This issue is resolved in the following changesets:

qemu-xen-unstable.git    ebe37b2a3f844bad02dcc30d081f39eda06118f8
qemu-xen-4.1-testing.git 3cf61880403b4e484539596a95937cc066243388
qemu-xen-4.0-testing.git 36984c285a765541b04f378bfa84d2c850c167d3

In each case the QEMU_TAG in the corresponding xen.hg repository has been updated so that a completely fresh build will pick up the fix:

xen-unstable.hg    24673:fcc071c31e3a3ccc5dfaefd091eedbb608604928
xen-4.1-testing.hg 23224:cccd6c68e1b9527f556deef760713380801db9b5
xen-4.0-testing.hg 21563:3feb83eed6bdd515b90aca528c1ebd83dfb7a378

(Currently in http://xenbits.xen.org/staging/xen-*.hg; will be in http://xenbits.xen.org/staging/xen*.hg after automated tests.)

PATCH INFORMATION
=================

The patch is 65f82df0d7a71ce1b10cd4c5ab08888d176ac840 in the upstream qemu.git tree.
A backported version, as has been applied to qemu-xen-*.git, is attached as cve-2012-0029-qemu-xen-unstable.patch.

$ sha256sum cve-2012-0029-qemu-xen-unstable.patch
dae528d93e44494ad0d682dc40b19ff8232cff5807ff331bef3d91ca169de9af  cve-2012-0029-qemu-xen-unstable.patch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJPKqLEAAoJEIP+FMlX6CvZoNIIAJIFsDhYfTBS9+06lMm6hX9u
lPJG/Or2d5KhfaQZlBfLG0SRG8wtALsmXY5z6anxFG+NG7uBDb3oOj+gd+7d/gIk
8NXQPgs4/MpoaeSjdxm/+XkBfNSladUy8S47BLvpExtW68WLQ5EEw12jU0hGgZEJ
/pI7in1Ypw3PBAFQM7hHraqV4u0akOes+do/TXHA98P/xE4UG3dsEz+YSWjnxw3C
wd7xibqYNU7/OQmWbnc6CSGo6pEgrg7UsYe+KIs7H83oHrZgQpnDpqzGyAldBFqW
hheFNzCKe7armeMDqxhm3D3ksMjck2yhENb7D9ebJNl/SXle/dLoyOfAOCWEZ1A=
=sC0B
-----END PGP SIGNATURE-----

diff --git a/hw/e1000.c b/hw/e1000.c index bb3689e..97104ed 100644 --- a/hw/e1000.c +++ b/hw/e1000.c @@ -444,6 +444,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) bytes = split_size; if (tp->size + bytes > msh) bytes = msh - tp->size; + + bytes = MIN(sizeof(tp->data) - tp->size, bytes); cpu_physical_memory_read(addr, tp->data + tp->size, bytes); if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) memmove(tp->header, tp->data, hdr); @@ -459,6 +461,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) // context descriptor TSE is not set, while data descriptor TSE is set DBGOUT(TXERR, "TCP segmentaion Error\n"); } else { + split_size = MIN(sizeof(tp->data) - tp->size, split_size); cpu_physical_memory_read(addr, tp->data + tp->size, split_size); tp->size += split_size; }
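Review bot: in the first hunk (@@ -444), the new clamp `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` silently truncates a descriptor whose payload would overrun tp->data, so a malformed legacy-mode descriptor now yields a short or corrupted frame with no trace in the device model log; a DBGOUT(TXERR, ...) next to the clamp, as the TSE-mismatch branch in the following hunk already has, would make such guests visible. The subtraction is also performed in size_t, so it depends on tp->size never exceeding sizeof(tp->data); an explicit assert of that invariant would document why the MIN cannot wrap.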
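Review bot: in the second hunk (@@ -459), `split_size = MIN(sizeof(tp->data) - tp->size, split_size);` repeats the clamp from the previous hunk verbatim in front of the same cpu_physical_memory_read call; a small helper that bounds a length by the space remaining in tp->data, called from both sites, would keep the two checks from drifting apart on the next change to this function. The unchanged context line still carries the "segmentaion" typo in the DBGOUT string, which could be corrected while this area is being touched.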
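The VULNERABLE SYSTEMS and MITIGATION sections above identify the affected configuration as an HVM guest whose VIF specifies "model=e1000", with stub domains as a mitigation. The following scanner is an added example and is not part of the advisory or of the Xen project's own tooling: it parses xl/xm guest configuration files, flags HVM guests with an e1000 vif, and reports whether a stub domain is configured. It assumes the xm/xl config syntax (`vif = [ "key=value,...", ... ]`, with HVM declared as `builder = "hvm"` or `type = "hvm"`), that an unspecified model means the default rtl8139, and that stub domains are requested with the xl key `device_model_stubdomain_override = 1`; the sample configs embedded at the bottom are constructed for the demonstration.

```python
"""Scan xl/xm guest configuration text for HVM guests that use the emulated
e1000 NIC (vif "model=e1000"), the combination XSA-6 describes as vulnerable.
Constructed example; not part of the advisory or the Xen project's own tools."""
import glob
import os
import re

# vif = [ "model=e1000,bridge=xenbr0", 'type=ioemu' ]   (the list may span lines)
VIF_LIST_RE = re.compile(r'^\s*vif\s*=\s*\[(.*?)\]', re.MULTILINE | re.DOTALL)
QUOTED_RE = re.compile(r'["\']([^"\']*)["\']')
# builder = "hvm" (xm and early xl) or type = "hvm" (later xl); no such line means PV
HVM_RE = re.compile(r'^\s*(?:builder|type)\s*=\s*["\']hvm["\']', re.MULTILINE | re.IGNORECASE)
# Assumption: stub domains are requested with the xl key device_model_stubdomain_override
STUBDOM_RE = re.compile(r'^\s*device_model_stubdomain_override\s*=\s*1\b', re.MULTILINE)


def parse_vifs(config_text):
    """Return each vif entry as a dict, e.g. {"model": "e1000", "bridge": "xenbr0"}."""
    match = VIF_LIST_RE.search(config_text)
    if not match:
        return []
    vifs = []
    for spec in QUOTED_RE.findall(match.group(1)):
        entry = {}
        for item in spec.split(","):
            item = item.strip()
            if not item:
                continue
            key, _, value = item.partition("=")
            entry[key.strip()] = value.strip()
        vifs.append(entry)
    return vifs


def assess(config_text):
    """Classify one guest config as 'vulnerable', 'mitigated-stubdom' or 'not-affected'."""
    if not HVM_RE.search(config_text):
        return "not-affected"          # PV guest: qemu-dm does not emulate its NIC
    e1000 = [v for v in parse_vifs(config_text) if v.get("model", "").lower() == "e1000"]
    if not e1000:
        return "not-affected"          # model unspecified (default rtl8139) or another model
    if STUBDOM_RE.search(config_text):
        return "mitigated-stubdom"     # code execution would be confined to the stub domain
    return "vulnerable"


def scan_directory(directory):
    """Assess every *.cfg file in directory; returns {filename: verdict}."""
    results = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.cfg"))):
        with open(path) as fh:
            results[os.path.basename(path)] = assess(fh.read())
    return results


# Constructed sample configs standing in for /etc/xen/*.cfg on a host
SAMPLE_CONFIGS = {
    "hvm-e1000.cfg": 'builder = "hvm"\nvif = [ "model=e1000,bridge=xenbr0",\n'
                     '        "type=ioemu,model=rtl8139" ]\n',
    "hvm-default.cfg": 'builder = "hvm"\nvif = [ "bridge=xenbr0" ]\n',
    "pv-guest.cfg": 'kernel = "/boot/vmlinuz"\nvif = [ "model=e1000" ]\n',
    "hvm-stubdom.cfg": 'type = "hvm"\ndevice_model_stubdomain_override = 1\n'
                       'vif = [ "model=e1000" ]\n',
}

if __name__ == "__main__":
    for name, text in SAMPLE_CONFIGS.items():
        print(f"{name}: {assess(text)}")
```

Point `scan_directory` at the host's guest configuration directory (typically /etc/xen) to get a verdict per config file; guests with a "vulnerable" verdict are the ones to switch to rtl8139 or PV drivers, or to rebuild on a patched qemu-dm, per the advisory. The scanner only reads configuration files, so it does not see guests whose NIC model was chosen on the command line or by a toolstack that does not write *.cfg files.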