From: Michael Contreras <michael@inetric.com>
Date: Mon, 3 Dec 2012 04:11:22 +0000 (-0800)
Subject: e1000: Discard packets that are too long if !SBP and !LPE
X-Git-Tag: xen-4.3.0-rc1~7
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=4c2cae2a882db4d2a231b27b3b31a5bbec6dacbf;p=qemu-xen-4.6-testing.git

e1000: Discard packets that are too long if !SBP and !LPE

The e1000_receive function for the e1000 needs to discard packets longer than
1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
this behavior and allocates memory based on this assumption.

Signed-off-by: Michael Contreras <michael@inetric.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

[ This is a security vulnerability, CVE-2012-6075 / XSA-41. ]
---

diff --git a/hw/e1000.c b/hw/e1000.c
index 97104edaf..f0673f004 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -55,6 +55,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
 #define REG_IOADDR 0x0
 #define REG_IODATA 0x4
 
+/* this is the size past which hardware will drop packets when setting LPE=0 */
+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
+
 /*
  * HW models:
  *  E1000_DEV_ID_82540EM works with Windows and Linux
@@ -628,6 +631,13 @@ e1000_receive(void *opaque, const uint8_t *buf, int size)
         return;
     }
 
+    /* Discard oversized packets if !LPE and !SBP. */
+    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
+        && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+        return size;
+    }
+
     if (!receive_filter(s, buf, size))
         return;