Mailinglist Archive: opensuse-commit (1737 mails)

commit qemu for openSUSE:11.4

Hello community,

here is the log from the commit of package qemu for openSUSE:11.4
checked in at Tue Feb 7 17:24:27 CET 2012.



--------
--- old-versions/11.4/all/qemu/qemu.changes 2011-02-21 11:48:22.000000000
+0100
+++ 11.4/qemu/qemu.changes 2012-02-06 20:54:17.000000000 +0100
@@ -1,0 +2,5 @@
+Mon Feb 6 19:31:20 UTC 2012 - brogers@xxxxxxxx
+
+- avoid buffer overflow in e1000 device emulation (bnc#740165)
+
+-------------------------------------------------------------------
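Review bot: The new changelog entry cites bnc#740165 but does not name the patch it adds. Mentioning 0018-e1000-check-for-overflow-whenever-issuing-PCI-dma-reads.patch in the entry would let a reader of qemu.changes trace the fix to the file without opening the spec.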

Package does not exist at destination yet. Using Fallback
old-versions/11.4/all/qemu
Destination is old-versions/11.4/UPDATES/all/qemu
calling whatdependson for 11.4-i586


New:
----
0018-e1000-check-for-overflow-whenever-issuing-PCI-dma-reads.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ qemu.spec ++++++
--- /var/tmp/diff_new_pack.S4uBhx/_old 2012-02-07 17:23:59.000000000 +0100
+++ /var/tmp/diff_new_pack.S4uBhx/_new 2012-02-07 17:23:59.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package qemu
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -15,17 +15,27 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

-# norootforbuild


Name: qemu
-BuildRequires: SDL-devel bison bluez-devel curl-devel cyrus-sasl-devel
e2fsprogs-devel libaio libaio-devel libgnutls-devel libpcap-devel ncurses-devel
zlib-devel-static
+BuildRequires: SDL-devel
+BuildRequires: bison
+BuildRequires: bluez-devel
+BuildRequires: curl-devel
+BuildRequires: cyrus-sasl-devel
+BuildRequires: e2fsprogs-devel
+BuildRequires: libaio
+BuildRequires: libaio-devel
+BuildRequires: libgnutls-devel
+BuildRequires: libpcap-devel
+BuildRequires: ncurses-devel
+BuildRequires: zlib-devel-static
Url: http://fabrice.bellard.free.fr/qemu/
-License: BSD3c(or similar) ; GPLv2+ ; LGPLv2.1+ ; MIT License (or
similar)
-Group: System/Emulators/PC
Summary: Universal CPU emulator
+License: BSD-3-Clause ; GPL-2.0+ ; LGPL-2.1+ ; MIT
+Group: System/Emulators/PC
Version: 0.14.0_rc1
-Release: 1.<RELEASE3>
+Release: 1.<RELEASE6>
Source: %name-0.14.0-rc1.tar.bz2
Patch1: 0001-qemu-0.7.0-amd64.patch
Patch2: 0002-qemu-0.9.0.cvs-binfmt.patch
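Review bot: The BuildRequires split into one line per package, the License rewrite to "BSD-3-Clause ; GPL-2.0+ ; LGPL-2.1+ ; MIT", the reordering of Summary/License/Group and the removal of "# norootforbuild" are unrelated to the e1000 fix, and none of them is mentioned in the qemu.changes entry. For a maintenance update that carries a buffer overflow fix, consider submitting this cleanup separately so that the security-relevant delta in the spec is limited to the Patch18 declaration and its %patch18 line.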
@@ -44,6 +54,7 @@
Patch15: 0015-S-390-support.patch
Patch16: 0016-fix-mipsn32-linux-user-builds.patch
Patch17: 0017-S-390-build-fix.patch
+Patch18:
0018-e1000-check-for-overflow-whenever-issuing-PCI-dma-reads.patch
# this is to make lint happy
Source300: rpmlintrc
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -85,6 +96,7 @@
%patch17 -p1
%endif
%patch16 -p1
+%patch18 -p1

%build
# build QEMU
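Review bot: %patch18 -p1 is applied to a tree unpacked from %name-0.14.0-rc1.tar.bz2, but the patch file is indexed against qemu-kvm-0.12.5/hw/e1000.c and its hunk offsets (456 and 471) come from that tree. The -p1 strip makes the path resolve, but please confirm that both hunks apply without fuzz and that each MIN() line lands immediately before its cpu_physical_memory_read call in process_tx_desc, then refresh the patch against the packaged source so the Index line matches. Placing it after the %endif, so that it is applied unconditionally, looks right.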

++++++ 0018-e1000-check-for-overflow-whenever-issuing-PCI-dma-reads.patch ++++++
From 7fff7710abc9893d8dce5dbad1e7093caf521132 Mon Sep 17 00:00:00 2001
From: Anthony Liguori <aliguori@xxxxxxxxxx>
Date: Wed, 4 Jan 2012 14:50:45 -0600
Subject: e1000: check for overflow whenever issuing PCI dma reads

Reported-by: Nicolae Mogoreanu <mogo@xxxxxxxxxx>
Signed-off-by: Anthony Liguori <aliguori@xxxxxxxxxx>
---
hw/e1000.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

Index: qemu-kvm-0.12.5/hw/e1000.c
===================================================================
--- qemu-kvm-0.12.5.orig/hw/e1000.c
+++ qemu-kvm-0.12.5/hw/e1000.c
@@ -456,6 +456,7 @@ process_tx_desc(E1000State *s, struct e1
bytes = split_size;
if (tp->size + bytes > msh)
bytes = msh - tp->size;
+ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
memmove(tp->header, tp->data, hdr);
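Review bot: In the added line "bytes = MIN(sizeof(tp->data) - tp->size, bytes);" the subtraction is evaluated as size_t because of the sizeof operand, so if tp->size can ever be larger than sizeof(tp->data) the result wraps to a very large value and MIN() leaves bytes unclamped. Nothing in the visible context establishes that tp->size stays within the buffer, so consider an explicit check before the cpu_physical_memory_read, for example leaving the loop when tp->size >= sizeof(tp->data). The commit message also has no body. One sentence on which values let the copy run past tp->data would help anyone reviewing the backport.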
@@ -471,6 +472,7 @@ process_tx_desc(E1000State *s, struct e1
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentaion Error\n");
} else {
+ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
tp->size += split_size;
}
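Review bot: Clamping split_size in this else branch silently drops the remainder of the descriptor's data: cpu_physical_memory_read copies fewer bytes and "tp->size += split_size;" advances by the reduced amount, with no indication that the packet was truncated. The neighbouring branch reports its condition through DBGOUT(TXERR, ...), so consider doing the same when the clamp actually reduces split_size. Because the clamp overwrites split_size itself, also check that no code after this block depends on the original value.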



Remember to have fun...
