[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 51/53] ide: Check array bounds before writing to io
|
From: |
Michael Roth |
|
Subject: |
[Qemu-stable] [PATCH 51/53] ide: Check array bounds before writing to io_buffer (CVE-2015-5154) |
|
Date: |
Thu, 30 Jul 2015 06:33:06 -0500 |
From: Kevin Wolf <address@hidden>
If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.
One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.
This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.
Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
(cherry picked from commit d2ff85854512574e7209f295e87b0835d5b032c6)
Signed-off-by: Michael Roth <address@hidden>
---
hw/ide/core.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/hw/ide/core.c b/hw/ide/core.c
index a895fd8..17153f5 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr,
uint32_t val)
}
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return;
+ }
+
*(uint16_t *)p = le16_to_cpu(val);
p += 2;
s->data_ptr = p;
@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
}
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le16(*(uint16_t *)p);
p += 2;
s->data_ptr = p;
@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr,
uint32_t val)
}
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return;
+ }
+
*(uint32_t *)p = le32_to_cpu(val);
p += 4;
s->data_ptr = p;
@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
}
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le32(*(uint32_t *)p);
p += 4;
s->data_ptr = p;
--
1.9.1
- [Qemu-stable] [PATCH 45/53] vfio/pci: Fix RTL8168 NIC quirks, (continued)
- [Qemu-stable] [PATCH 45/53] vfio/pci: Fix RTL8168 NIC quirks, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 46/53] virtio-net: unbreak any layout, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 40/53] target-ppc: fix hugepage support when using memory-backend-file, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 44/53] mips/kvm: Sign extend registers written to KVM, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 48/53] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158), Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 47/53] vfio/pci: Fix bootindex, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 50/53] block: qemu-iotests - add check for multiplication overflow in vpc, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 49/53] block: vpc - prevent overflow if max_table_entries >= 0x40000000, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 04/53] nbd/trivial: fix type cast for ioctl, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 41/53] Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 51/53] ide: Check array bounds before writing to io_buffer (CVE-2015-5154),
Michael Roth <=
- [Qemu-stable] [PATCH 52/53] ide/atapi: Fix START STOP UNIT command completion, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 53/53] ide: Clear DRQ after handling all expected accesses, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 06/53] vmdk: Fix overflow if l1_size is 0x20000000, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 05/53] vmdk: Fix next_cluster_sector for compressed write, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 07/53] qcow2: Flush pending discards before allocating cluster, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 08/53] usb: fix usb-net segfault, Michael Roth, 2015/07/30