oss-sec mailing list archives

Xen Security Advisory 6 (CVE-2012-0029) - HVM e1000, buffer overflow
From: Ian Jackson <Ian.Jackson () eu citrix com>
Date: Thu, 2 Feb 2012 14:57:38 +0000

              Xen Security Advisory CVE-2012-0029 / XSA-6

            qemu-dm Local Privilege Escalation Vulnerability

ISSUE DESCRIPTION
=================

Heap-based buffer overflow in the process_tx_desc function in the
e1000 emulation allows the guest to cause a denial of service (QEMU
crash) and possibly execute arbitrary code via crafted legacy mode
packets.

Upstream qemu has already released an advisory, hence there is no
embargo.

VULNERABLE SYSTEMS
==================

The vulnerability impacts any host running HVM (Fully-Emulated) guests
which are configured with an e1000 NIC (using "model=e1000") in their
VIF configuration. Note that the default emulated NIC is "rtl8139"
which is not vulnerable.

Hosts which run only PV guests or which use the default rtl8139 NIC
are not affected.

MITIGATION
==========

Switching all HVM guests to a different emulated NIC (e.g. rtl8139,
which is the default) or PV network drivers will remove this
vulnerability.

Enabling device model stub domains for such guests will also mitigate
any arbitrary code execution exploit by restricting it to the stub
domain only.
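As an added example (not part of this advisory or of Xen's own tooling), the following Python audit reads an xl/xm guest config and reports whether it matches the exposed configuration described above: an HVM guest with a vif that explicitly sets model=e1000, while the rtl8139 default and PV guests are reported as not exposed. The device_model_stubdomain_override key used to detect the stub-domain mitigation is an assumption about the xl config format, and the sample config is constructed.

```python
# Added audit helper for XSA-6 (constructed example, not Xen tooling): flag HVM
# guests whose vif configuration explicitly selects the emulated e1000 NIC.
import re

_KV_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
# Constructed sample xl/xm guest config: HVM, one e1000 vif, one default vif.
SAMPLE_CONFIG = """builder = 'hvm'
vif = [ 'model=e1000,bridge=xenbr0',   # exposed: explicit e1000
        'bridge=xenbr0' ]              # default rtl8139, not exposed
"""

def parse_guest_config(text):
    """Parse the subset of xl/xm config syntax needed here: scalar values and
    the list-of-quoted-strings form used by 'vif' (may span several lines)."""
    cfg, i = {}, 0
    lines = [ln.split("#", 1)[0] for ln in text.splitlines()]  # drop comments
    while i < len(lines):
        m = _KV_RE.match(lines[i])
        i += 1
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw.startswith("["):
            while "]" not in raw and i < len(lines):  # join a multi-line list
                raw += " " + lines[i].strip()
                i += 1
            cfg[key] = re.findall(r"""['"]([^'"]*)['"]""", raw)
        else:
            cfg[key] = raw.strip("'\"")
    return cfg

def nic_model(vif_spec):
    """Emulated NIC named by one vif spec; rtl8139 is the default model."""
    for field in vif_spec.split(","):
        key, _, value = field.strip().partition("=")
        if key == "model" and value.strip():
            return value.strip()
    return "rtl8139"

def xsa6_exposure(config_text):
    """Only HVM guests (builder/type 'hvm') with an explicit model=e1000 vif are
    exposed; 'stubdom' reports device_model_stubdomain_override (assumed xl key)."""
    cfg = parse_guest_config(config_text)
    hvm = str(cfg.get("builder", cfg.get("type", ""))).lower() == "hvm"
    vifs = cfg.get("vif", [])
    e1000 = [v for v in (vifs if isinstance(vifs, list) else [vifs]) if nic_model(v) == "e1000"]
    stub = str(cfg.get("device_model_stubdomain_override", 0)).lower() in ("1", "true")
    return {"hvm": hvm, "e1000_vifs": e1000, "stubdom": stub, "vulnerable": hvm and bool(e1000)}
```

Run it over each guest config on the host (typically under /etc/xen) to list which domains need switching to rtl8139 or PV drivers before the fixed qemu-dm is deployed.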

RESOLUTION
==========

This issue is resolved in the following changesets:
  qemu-xen-unstable.git      ebe37b2a3f844bad02dcc30d081f39eda06118f8
  qemu-xen-4.1-testing.git   3cf61880403b4e484539596a95937cc066243388
  qemu-xen-4.0-testing.git   36984c285a765541b04f378bfa84d2c850c167d3

In each case the QEMU_TAG in the corresponding xen.hg repository has
been updated so that a completely fresh build will pick up the fix:
  xen-unstable.hg      24673:fcc071c31e3a3ccc5dfaefd091eedbb608604928
  xen-4.1-testing.hg   23224:cccd6c68e1b9527f556deef760713380801db9b5
  xen-4.0-testing.hg   21563:3feb83eed6bdd515b90aca528c1ebd83dfb7a378
(Currently in http://xenbits.xen.org/staging/xen-*.hg; will be
 in http://xenbits.xen.org/staging/xen*.hg after automated tests.)


PATCH INFORMATION
=================

The patch is 65f82df0d7a71ce1b10cd4c5ab08888d176ac840 in the upstream
qemu.git tree.  A backported version, as has been applied to
qemu-xen-*.git, is attached as cve-2012-0029-qemu-xen-unstable.patch.

$ sha256sum cve-2012-0029-qemu-xen-unstable.patch 
dae528d93e44494ad0d682dc40b19ff8232cff5807ff331bef3d91ca169de9af  cve-2012-0029-qemu-xen-unstable.patch

diff --git a/hw/e1000.c b/hw/e1000.c
index bb3689e..97104ed 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -444,6 +444,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
             bytes = split_size;
             if (tp->size + bytes > msh)
                 bytes = msh - tp->size;
+
+            bytes = MIN(sizeof(tp->data) - tp->size, bytes);
             cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
             if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
                 memmove(tp->header, tp->data, hdr);
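Review bot: the new clamp `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` only bounds the copy if `tp->size` is no larger than `sizeof(tp->data)` on entry; `sizeof` yields an unsigned `size_t`, so if `tp->size` ever exceeded the buffer the subtraction would wrap to a very large value and `MIN` would leave `bytes` unchanged. That invariant holds only if every path that advances `tp->size` applies the same clamp, so a one-line comment stating it at the clamp would help future readers. Separately, the `memmove(tp->header, tp->data, hdr);` two lines below is not bounded by this change; it is worth confirming that `hdr` is validated against `sizeof(tp->header)` elsewhere, since that check is not visible in this hunk.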
@@ -459,6 +461,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
         // context descriptor TSE is not set, while data descriptor TSE is set
         DBGOUT(TXERR, "TCP segmentaion Error\n");
     } else {
+        split_size = MIN(sizeof(tp->data) - tp->size, split_size);
         cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
         tp->size += split_size;
     }
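Review bot: `split_size = MIN(sizeof(tp->data) - tp->size, split_size);` silently truncates an oversized copy, so a guest that hands over a descriptor which would have overrun `tp->data` is now accepted without leaving any trace; consider adding a `DBGOUT(TXERR, ...)` when `split_size` is reduced, in the same style as the TSE mismatch message a few lines above, so that an overflow attempt is observable in the device-model log. This is also the same clamp expression as in the previous hunk; a small helper or macro taking `tp` and the length would keep the two sites in sync.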
