File qemu-security-etch1.diff of Package xen

Index: xen-3.3.1-testing/tools/ioemu-remote/block.c
===================================================================
--- xen-3.3.1-testing.orig/tools/ioemu-remote/block.c
+++ xen-3.3.1-testing/tools/ioemu-remote/block.c
@@ -630,6 +630,9 @@ int bdrv_write(BlockDriverState *bs, int
             return 0;
 	}
     } else {
+        unsigned int ns = sector_num * 512;
+        if (ns < 0)
+            return -1;
         return drv->bdrv_write(bs, sector_num, buf, nb_sectors);
     }
 }
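Review bot: The added guard in the `else` branch can never fire, because `ns` is declared `unsigned int`, so `ns < 0` is always false, and the product `sector_num * 512` is truncated to the width of `unsigned int` before it is tested. If the intent is to reject negative or wrapped sector numbers before they reach the driver, test the signed inputs directly, for example `if (sector_num < 0 || nb_sectors < 0) return -1;`, and compare against the device size if the driver state exposes it. The signature is cut off in the hunk header, so the signedness of `sector_num` is assumed here. bdrv_write starts outside the hunk, and no matching check on the read path is visible in this patch.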
Index: xen-3.3.1-testing/tools/ioemu-remote/hw/ne2000.c
===================================================================
--- xen-3.3.1-testing.orig/tools/ioemu-remote/hw/ne2000.c
+++ xen-3.3.1-testing/tools/ioemu-remote/hw/ne2000.c
@@ -218,7 +218,7 @@ static int ne2000_can_receive(void *opaq
     NE2000State *s = opaque;
 
     if (s->cmd & E8390_STOP)
-        return 1;
+        return 0;
     return !ne2000_buffer_full(s);
 }
 
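Review bot: Returning 0 while `E8390_STOP` is set only helps if every caller consults `ne2000_can_receive` before delivering a frame; the receive handler itself is not part of this hunk. If it does not already do so, it should repeat the condition at its top, e.g. `if ((s->cmd & E8390_STOP) || ne2000_buffer_full(s)) return;`, so a stopped or full card never writes into its ring buffer. A short comment such as `/* stopped: do not accept frames */` above the changed `return 0;` would record why the value was inverted.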
Index: xen-3.3.1-testing/tools/ioemu-remote/hw/pc.c
===================================================================
--- xen-3.3.1-testing.orig/tools/ioemu-remote/hw/pc.c
+++ xen-3.3.1-testing/tools/ioemu-remote/hw/pc.c
@@ -387,7 +387,8 @@ static void bochs_bios_write(void *opaqu
     case 0x400:
     case 0x401:
         fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val);
-        exit(1);
+        /* according to documentation, these can be safely ignored */
+        break;
     case 0x402:
     case 0x403:
 #ifdef DEBUG_BIOS
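Review bot: The `fprintf(stderr, "BIOS panic ...")` in cases 0x400/0x401 now runs on every such write without ending the process, so whoever drives these writes (presumably guest code) can produce unbounded log output; the same applies to the 0x501/0x502 case in the next hunk. Consider printing each message once, or moving both under the `#ifdef DEBUG_BIOS` that the neighbouring cases already use. The comment `according to documentation, these can be safely ignored` should name the document it relies on. It sits before `break` here but before `fprintf` in the VGA case, so place it consistently. bochs_bios_write starts and ends outside both hunks.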
@@ -410,8 +411,9 @@ static void bochs_bios_write(void *opaqu
         /* LGPL'ed VGA BIOS messages */
     case 0x501:
     case 0x502:
+        /* according to documentation, these can be safely ignored */
         fprintf(stderr, "VGA BIOS panic, line %d\n", val);
-        exit(1);
+        break;
     case 0x500:
     case 0x503:
 #ifdef DEBUG_BIOS
Index: xen-3.3.1-testing/tools/ioemu-remote/target-i386/translate.c
===================================================================
--- xen-3.3.1-testing.orig/tools/ioemu-remote/target-i386/translate.c
+++ xen-3.3.1-testing/tools/ioemu-remote/target-i386/translate.c
@@ -5661,6 +5661,7 @@ static target_ulong disas_insn(DisasCont
         gen_jmp_im(pc_start - s->cs_base);
         gen_op_into(s->pc - pc_start);
         break;
+#ifdef WANT_ICEBP
     case 0xf1: /* icebp (undocumented, exits to external debugger) */
         if (gen_svm_check_intercept(s, pc_start, SVM_EXIT_ICEBP))
             break;
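Review bot: `WANT_ICEBP` is introduced with no comment explaining why the 0xf1 case is compiled out or what handles that opcode afterwards. The matching `#endif` is in the next hunk and the lines between the two are not visible. Add a line above the `#ifdef`, e.g. `/* icebp is compiled out unless WANT_ICEBP is defined; 0xf1 then takes the default path */`, once the default path has been confirmed. Label the terminator `#endif /* WANT_ICEBP */` rather than `#endif /* icebp */` so it matches the macro. The `SVM_EXIT_ICEBP` intercept check is compiled out together with the case, which is worth confirming as intended.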
@@ -5672,6 +5673,7 @@ static target_ulong disas_insn(DisasCont
         cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM);
 #endif
         break;
+#endif /* icebp */
     case 0xfa: /* cli */
         if (!s->vm86) {
             if (s->cpl <= s->iopl) {
Index: xen-3.3.1-testing/tools/ioemu-remote/vl.c
===================================================================
--- xen-3.3.1-testing.orig/tools/ioemu-remote/vl.c
+++ xen-3.3.1-testing/tools/ioemu-remote/vl.c
@@ -4380,8 +4380,8 @@ typedef struct NetSocketState {
     VLANClientState *vc;
     int fd;
     int state; /* 0 = getting length, 1 = getting data */
-    int index;
-    int packet_len;
+    unsigned int index;
+    unsigned int packet_len;
     uint8_t buf[4096];
     struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
 } NetSocketState;
@@ -4412,7 +4412,8 @@ static void net_socket_receive_dgram(voi
 static void net_socket_send(void *opaque)
 {
     NetSocketState *s = opaque;
-    int l, size, err;
+    int size, err;
+    unsigned l;
     uint8_t buf1[4096];
     const uint8_t *buf;
 
@@ -4451,7 +4452,15 @@ static void net_socket_send(void *opaque
             l = s->packet_len - s->index;
             if (l > size)
                 l = size;
-            memcpy(s->buf + s->index, buf, l);
+            if (s->index + l <= sizeof(s->buf)) {
+                memcpy(s->buf + s->index, buf, l);
+            } else {
+                fprintf(stderr, "serious error: oversized packet received,"
+                    "connection terminated.\n");
+                s->state = 0;
+                goto eoc;
+            }
+
             s->index += l;
             buf += l;
             size -= l;
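Review bot: The bound is enforced only at copy time, so a peer-declared `packet_len` larger than `sizeof(s->buf)` is still accepted and partly buffered before the connection is dropped. Rejecting it where the length field is decoded (outside this hunk) would stop the oversized frame earlier and keep this copy loop simple. The two adjacent string literals join without a space and print "received,connection terminated."; the first should end `"... oversized packet received, "`. `l` is now `unsigned` while `size` stays `int` (earlier hunk), so `if (l > size)` compares mixed signs and relies on `size` being positive at that point, which is not visible here. The error branch sets `s->state = 0` but leaves `s->index` unchanged, so check that the `eoc` path resets or discards it.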