author | Peter Maydell <peter.maydell@linaro.org> | 2015-07-27 13:10:00 +0100 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2015-07-27 13:10:00 +0100 |
commit | e40db4c6d391419c0039fe274c74df32a6ca1a28 (patch) | |
tree | efca83e551a1e5af9b2fa90b87ccfb50e0f85477 | |
parent | f793d97e454a56d17e404004867985622ca1a63b (diff) | |
parent | cb72cba83021fa42719e73a5249c12096a4d1cfc (diff) | |
Merge remote-tracking branch 'remotes/jnsnow/tags/cve-2015-5154-pull-request' into staging
# gpg: Signature made Mon Jul 27 13:01:10 2015 BST using RSA key ID AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB
# Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E
* remotes/jnsnow/tags/cve-2015-5154-pull-request:
ide: Clear DRQ after handling all expected accesses
ide/atapi: Fix START STOP UNIT command completion
ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rw-r--r-- | hw/ide/atapi.c | 1 | ||||
-rw-r--r-- | hw/ide/core.c | 32 |
2 files changed, 29 insertions, 4 deletions
diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
index 950e311..79dd167 100644
--- a/hw/ide/atapi.c
+++ b/hw/ide/atapi.c
@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
 if (pwrcnd) {
 /* eject/load only happens for power condition == 0 */
+ ide_atapi_cmd_ok(s);
 return;
 }
diff --git a/hw/ide/core.c b/hw/ide/core.c
index 122e955..50449ca 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2021,11 +2021,17 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
 }
 p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return;
+ }
+
 *(uint16_t *)p = le16_to_cpu(val);
 p += 2;
 s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
 s->end_transfer_func(s);
+ }
 }
 uint32_t ide_data_readw(void *opaque, uint32_t addr)
@@ -2042,11 +2048,17 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
 }
 p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return 0;
+ }
+
 ret = cpu_to_le16(*(uint16_t *)p);
 p += 2;
 s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
 s->end_transfer_func(s);
+ }
 return ret;
 }
@@ -2063,11 +2075,17 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
 }
 p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return;
+ }
+
 *(uint32_t *)p = le32_to_cpu(val);
 p += 4;
 s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
 s->end_transfer_func(s);
+ }
 }
 uint32_t ide_data_readl(void *opaque, uint32_t addr)
@@ -2084,11 +2102,17 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
 }
 p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return 0;
+ }
+
 ret = cpu_to_le32(*(uint32_t *)p);
 p += 4;
 s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
 s->end_transfer_func(s);
+ }
 return ret;
 } |
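Review bot: The new guard in ide_data_writew, `if (p + 2 > s->data_end)`, forms a pointer two bytes beyond `p` before comparing it, and if `s->data_end` marks the end of the io_buffer allocation that pointer lies past the object whenever `p` is within one byte of the end, which is technically undefined even though the comparison is what is intended; the length form `if (s->data_end - p < 2) { return; }` keeps every pointer inside the buffer, and the same rewrite applies to the 4-byte checks in the ide_data_readw, ide_data_writel and ide_data_readl hunks. The guard also discards the out-of-range access with no comment on why a guest could reach it, so a line such as `/* guest issued more PIO accesses than the transfer announced; drop the access (CVE-2015-5154) */` above each check would tell a later reader why the access is ignored instead of completing the transfer. Note that the early-return path leaves the status register untouched, so a device that somehow reaches it keeps advertising DRQ; presumably this is acceptable because the `s->status &= ~DRQ_STAT` added on the completion path makes the check defense-in-depth, but that reasoning is worth stating in the same comment. The beginning of each of these four functions, including whatever check the leading `}` of each hunk closes, lies outside the hunk.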