
[Qemu-commits] [qemu/qemu] e90774: fdc: force the fifo access to be in b


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] e90774: fdc: force the fifo access to be in bounds of the ...
Date: Wed, 13 May 2015 08:30:05 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: e907746266721f305d67bc0718795fedee2e824c
      
https://github.com/qemu/qemu/commit/e907746266721f305d67bc0718795fedee2e824c
  Author: Petr Matousek <address@hidden>
  Date:   2015-05-12 (Tue, 12 May 2015)

  Changed paths:
    M hw/block/fdc.c

  Log Message:
  -----------
  fdc: force the fifo access to be in bounds of the allocated buffer

During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.

Fix this by making sure that the index is always bounded by the
allocated memory.

This is CVE-2015-3456.

Signed-off-by: Petr Matousek <address@hidden>
Reviewed-by: John Snow <address@hidden>
Signed-off-by: John Snow <address@hidden>


  Commit: 4d2d2d8b21779d7becbdffd7cd7983a7ccb55b54
      
https://github.com/qemu/qemu/commit/4d2d2d8b21779d7becbdffd7cd7983a7ccb55b54
  Author: Peter Maydell <address@hidden>
  Date:   2015-05-13 (Wed, 13 May 2015)

  Changed paths:
    M hw/block/fdc.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/jnsnow/tags/ide-cve-pull-request' into staging

# gpg: Signature made Wed May 13 12:52:19 2015 BST using RSA key ID AAFC390E
# gpg: Good signature from "John Snow (John Huston) <address@hidden>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 61EB
#      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 390E

* remotes/jnsnow/tags/ide-cve-pull-request:
  fdc: force the fifo access to be in bounds of the allocated buffer

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/968bb75c348a...4d2d2d8b2177
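
The bounding described in the first commit message, as an added sketch that is not part of the original mail and is not QEMU's fdc.c code. The struct, the function names, the 512-byte buffer size and the choice of a modulo reduction to bound the index are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIFO_LEN 512            /* assumed buffer size for this sketch */

/* Hypothetical device model, not QEMU's controller structure. */
struct toy_fdc {
    uint8_t  fifo[FIFO_LEN];    /* buffer the guest reads and writes */
    uint8_t  canary[16];        /* stands in for adjacent device state */
    uint32_t data_pos;          /* advanced by every guest data write */
};

void toy_fdc_init(struct toy_fdc *s)
{
    memset(s, 0, sizeof(*s));
    memset(s->canary, 0xA5, sizeof(s->canary));
}

/* Returns 1 if using data_pos unmodified would index past fifo[]. */
int toy_fdc_raw_index_oob(const struct toy_fdc *s)
{
    return s->data_pos >= FIFO_LEN;
}

/* Guest data-port write. The index is reduced modulo the buffer size
 * before use, so no sequence of guest writes can reach memory outside
 * fifo[], even if a command handler never resets data_pos. */
size_t toy_fdc_write_data(struct toy_fdc *s, uint8_t value)
{
    size_t pos = s->data_pos++ % FIFO_LEN;   /* the bounding step */
    s->fifo[pos] = value;
    return pos;
}

/* Feed n guest bytes to the port; return 1 if the canary is untouched. */
int toy_fdc_canary_intact_after(struct toy_fdc *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        toy_fdc_write_data(s, (uint8_t)i);
    }
    for (size_t i = 0; i < sizeof(s->canary); i++) {
        if (s->canary[i] != 0xA5) return 0;
    }
    return 1;
}
```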
