-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1 iQIcBAABAgAGBQJVth2GAAoJEH3vgQaq/DkOr7wP/2+c1/DiaQYAn5jx6xICJALq NlgrcWN6xTM76OXFy+hQKpScy0DfEePpMf8YBXvO9swoCz3X8TkJ0Y1Ct6JjX1s4 dRgAD/ExvCxywjNPyvffAKA0t09D3rO1M6az7/xgdtUriiaxXGqBcpdeCbUQ0zKy znQLSatxcY2MOa2BOmlSKnHZdi/LoEeUfQerwcgugw0BFGFxmbWpLDu76Pbgglyx 3Rru30tjihwPhIjVlrNmik27FWl1clkzJ41nafVdqdcrVIeEjaGYFhFxCYuvU6KX QMNO6ngA5ih/OWFSrPoDmruAgoMqGAyfrrZAZbO/HRG8fuA10q7dMAR3ljBgwwBq Urts3pB/auP6X2Uyy9gfWxwzyfzsQLnspB2rY/cPeCuNCWmhZSDpBr5BZ6L9HJzW deXKRA/jzARNjpmeF5N4TG7d5/2gwhPoAdGqm0vOJYVeji/WjkoP1wm2tv7PaVP5 jjcYMBJo5p/yj+pDMtG/mUzHI7YD+bDx1NKvLACKtJqKYYVE16FyZdlh1qGfk34a ewpxjoumkNN1bQuvLdo7uJfmAsYWqKoJevYtuzNHKMWLGIsYTLlpXRlQw0gmlT0M LnlsEw31ipvDdraODn2PHhcA1XbEjUhpFRSpGP8F1uCKa+hF0NNZEOmDsZXo11/4 2kiNpfykt45EPlqlnIXQ =LpBp -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/jnsnow/tags/cve-2015-5154-pull-request' into staging # gpg: Signature made Mon Jul 27 13:01:10 2015 BST using RSA key ID AAFC390E # gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB # Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E * remotes/jnsnow/tags/cve-2015-5154-pull-request: ide: Clear DRQ after handling all expected accesses ide/atapi: Fix START STOP UNIT command completion ide: Check array bounds before writing to io_buffer (CVE-2015-5154) Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-07-27 13:10:00 +01:00 · 2015-07-27 13:10:00 +01:00 · e40db4c6d3
parent f793d97e45 cb72cba830
commit e40db4c6d3
2 changed files with 29 additions and 4 deletions
--- a/hw/ide/atapi.c
+++ b/hw/ide/atapi.c
@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)

    if (pwrcnd) {
        /* eject/load only happens for power condition == 0 */
+        ide_atapi_cmd_ok(s);
        return;
    }

--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@ -2021,11 +2021,17 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
    }

    p = s->data_ptr;
+    if (p + 2 > s->data_end) {
+        return;
+    }
+
    *(uint16_t *)p = le16_to_cpu(val);
    p += 2;
    s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
        s->end_transfer_func(s);
+    }
 }

 uint32_t ide_data_readw(void *opaque, uint32_t addr)
@ -2042,11 +2048,17 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
    }

    p = s->data_ptr;
+    if (p + 2 > s->data_end) {
+        return 0;
+    }
+
    ret = cpu_to_le16(*(uint16_t *)p);
    p += 2;
    s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
        s->end_transfer_func(s);
+    }
    return ret;
 }

@ -2063,11 +2075,17 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
    }

    p = s->data_ptr;
+    if (p + 4 > s->data_end) {
+        return;
+    }
+
    *(uint32_t *)p = le32_to_cpu(val);
    p += 4;
    s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
        s->end_transfer_func(s);
+    }
 }

 uint32_t ide_data_readl(void *opaque, uint32_t addr)
@ -2084,11 +2102,17 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
    }

    p = s->data_ptr;
+    if (p + 4 > s->data_end) {
+        return 0;
+    }
+
    ret = cpu_to_le32(*(uint32_t *)p);
    p += 4;
    s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
        s->end_transfer_func(s);
+    }
    return ret;
 }