head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2 pkgsrc-2012Q2:1.1.0.6 pkgsrc-2012Q2-base:1.1 pkgsrc-2012Q1:1.1.0.4 pkgsrc-2012Q1-base:1.1 pkgsrc-2011Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2012.09.12.11.09.33; author drochner; state dead; branches; next 1.1; 1.1 date 2012.02.03.17.00.25; author bouyer; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2012.02.03.17.00.25; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2012.02.04.12.42.21; author tron; state Exp; branches; next ; desc @@ 1.2 log @update to 4.1.3 also add security patches from upstream changes: -fixes for vulnerabilities were integrated -many bug fixes and improvements, Highlights are: -Bug fixes and improvements to the libxl tool stack approved by maintainer @ text @$NetBSD: patch-qemu-e1000-CVSE-2012-0029,v 1.1 2012/02/03 17:00:25 bouyer Exp $ From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Thu, 2 Feb 2012 13:47:06 +0000 Subject: [PATCH] e1000: bounds packet size against buffer size Otherwise we can write beyond the buffer and corrupt memory. This is tracked as CVE-2012-0029. Signed-off-by: Anthony Liguori (Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840 by Ian Campbell.) Signed-off-by: Ian Campbell (cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8) --- hw/e1000.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) 
diff --git a/hw/e1000.c b/hw/e1000.c index bb3689e..97104ed 100644 --- ioemu-qemu-xen/hw/e1000.c.orig +++ ioemu-qemu-xen/hw/e1000.c @@@@ -444,6 +444,8 @@@@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) bytes = split_size; if (tp->size + bytes > msh) bytes = msh - tp->size; + + bytes = MIN(sizeof(tp->data) - tp->size, bytes); cpu_physical_memory_read(addr, tp->data + tp->size, bytes); if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) memmove(tp->header, tp->data, hdr); @@@@ -459,6 +461,7 @@@@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) // context descriptor TSE is not set, while data descriptor TSE is set DBGOUT(TXERR, "TCP segmentaion Error\n"); } else { + split_size = MIN(sizeof(tp->data) - tp->size, split_size); cpu_physical_memory_read(addr, tp->data + tp->size, split_size); tp->size += split_size; } -- 1.7.2.5 @ 1.1 log @Pull up fix from Xen repository, fixing CVE-2012-0029: Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation allows the guest to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets. 
Bump PKGREVISION @ text @d1 1 a1 1 $NetBSD: patch-qemu-phy-devices,v 1.1 2011/05/20 17:09:21 bouyer Exp $ @ 1.1.2.1 log @file patch-qemu-e1000-CVSE-2012-0029 was added on branch pkgsrc-2011Q4 on 2012-02-04 12:42:21 +0000 @ text @d1 45 @ 1.1.2.2 log @Pullup ticket #3672 - requested by bouyer sysutils/xentools33: security patch sysutils/xentools41: security patch Revisions pulled up: - sysutils/xentools33/Makefile 1.29 via patch - sysutils/xentools33/distinfo 1.27 via patch - sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029 1.1 - sysutils/xentools41/Makefile 1.15 via patch - sysutils/xentools41/distinfo 1.17 - sysutils/xentools41/patches/patch-qemu-e1000-CVSE-2012-0029 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Fri Feb 3 17:00:25 UTC 2012 Modified Files: pkgsrc/sysutils/xentools33: Makefile distinfo pkgsrc/sysutils/xentools41: Makefile distinfo Added Files: pkgsrc/sysutils/xentools33/patches: patch-qemu-e1000-CVSE-2012-0029 pkgsrc/sysutils/xentools41/patches: patch-qemu-e1000-CVSE-2012-0029 Log Message: Pull up fix from Xen repository, fixing CVE-2012-0029: Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation allows the guest to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets. Bump PKGREVISION @ text @a0 45 $NetBSD$ From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Thu, 2 Feb 2012 13:47:06 +0000 Subject: [PATCH] e1000: bounds packet size against buffer size Otherwise we can write beyond the buffer and corrupt memory. This is tracked as CVE-2012-0029. Signed-off-by: Anthony Liguori (Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840 by Ian Campbell.) Signed-off-by: Ian Campbell (cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8) --- hw/e1000.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) 
diff --git a/hw/e1000.c b/hw/e1000.c index bb3689e..97104ed 100644 --- ioemu-qemu-xen/hw/e1000.c.orig +++ ioemu-qemu-xen/hw/e1000.c @@@@ -444,6 +444,8 @@@@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) bytes = split_size; if (tp->size + bytes > msh) bytes = msh - tp->size; + + bytes = MIN(sizeof(tp->data) - tp->size, bytes); cpu_physical_memory_read(addr, tp->data + tp->size, bytes); if ((sz = tp->size + bytes) >= hdr && tp->size < hdr) memmove(tp->header, tp->data, hdr); @@@@ -459,6 +461,7 @@@@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) // context descriptor TSE is not set, while data descriptor TSE is set DBGOUT(TXERR, "TCP segmentaion Error\n"); } else { + split_size = MIN(sizeof(tp->data) - tp->size, split_size); cpu_physical_memory_read(addr, tp->data + tp->size, split_size); tp->size += split_size; } -- 1.7.2.5 @
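Review bot: in the first hunk (process_tx_desc, around line 444) the clamp `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` is only safe while tp->size <= sizeof(tp->data) already holds; sizeof yields a size_t, so if tp->size ever exceeds the buffer the subtraction wraps to a huge unsigned value, MIN leaves bytes unchanged, and the cpu_physical_memory_read on the next line would still overrun. Make that invariant explicit here (assert(tp->size <= sizeof(tp->data)) or bail out when tp->size >= sizeof(tp->data)) instead of relying on every other path to maintain it. The clamp is also silent: a guest whose descriptor chain exceeds the buffer now gets a shortened frame with no DBGOUT(TXERR), which hides exactly the misbehaving-guest case this fix is for. Finally, the `memmove(tp->header, tp->data, hdr);` two context lines below still copies hdr bytes with no bound visible in this hunk; please confirm hdr is checked against sizeof(tp->header) where the context descriptor is parsed.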
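Review bot: the second hunk (around line 459) has the same shape: `split_size = MIN(sizeof(tp->data) - tp->size, split_size);` depends on tp->size <= sizeof(tp->data) to avoid unsigned wrap, and it truncates silently before `tp->size += split_size;` proceeds as if the whole descriptor had been consumed. Add the same explicit bound check here, and emit a DBGOUT(TXERR, ...) when split_size is reduced so a truncated transmit shows up in the trace alongside the existing "TSE is not set" error path. The "TCP segmentaion Error" typo in the untouched context line is out of scope for a security backport but worth a separate follow-up.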