| field | value |
|---|---|
| author | Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>, 2021-04-07 20:57:57 +0100 |
| committer | Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>, 2021-04-12 22:35:53 +0100 |
| commit | fbc6510e3379fa8f8370bf71198f0ce733bf07f9 (patch) |
| tree | 86357c0774a6b922422d4bb91e13d701e75f9d66 /hw/remote |
| parent | fa7505c154d4d00ad89a747be2eda556643ce00e (diff) |
esp: don't overflow cmdfifo in get_cmd()

If the guest tries to read a CDB using DMA and cmdfifo is not empty then it is possible to overflow cmdfifo.

Since this can only occur by issuing deliberately incorrect instruction sequences, ensure that the maximum length of the CDB transferred to cmdfifo is limited to the available free space within cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-9-mark.cave-ayland@ilande.co.uk>
Diffstat (limited to 'hw/remote')
0 files changed, 0 insertions, 0 deletions
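The commit message describes the fix as clamping the CDB length copied into cmdfifo to the space still free in it. The block below is an added illustration of that pattern and is not QEMU's esp code: `cmdfifo_t`, `CMDFIFO_SIZE`, `cmdfifo_push_bounded()` and `simulate_dma_cdb_read()` are hypothetical names, and the FIFO capacity is a constructed value chosen to keep the example small.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical FIFO capacity for the example; not the real device's size. */
#define CMDFIFO_SIZE 16

/* Minimal linear command FIFO (hypothetical type, not QEMU's Fifo8). */
typedef struct {
    uint8_t buf[CMDFIFO_SIZE];
    size_t len; /* number of bytes currently queued */
} cmdfifo_t;

static size_t cmdfifo_free(const cmdfifo_t *f)
{
    return CMDFIFO_SIZE - f->len;
}

/*
 * Push up to `len` bytes of a CDB into the FIFO, but never more than the
 * free space that remains. Returns the number of bytes actually accepted,
 * so a caller can detect that the transfer was truncated.
 */
static size_t cmdfifo_push_bounded(cmdfifo_t *f, const uint8_t *cdb, size_t len)
{
    size_t room = cmdfifo_free(f);
    size_t n = len < room ? len : room;

    if (n > 0) {
        memcpy(f->buf + f->len, cdb, n);
        f->len += n;
    }
    return n;
}

/*
 * Model the scenario from the commit message: the FIFO already holds
 * `already_queued` bytes (from an earlier command) when a DMA CDB read of
 * `cdb_len` bytes arrives. Returns how many CDB bytes were queued; the
 * FIFO length can never exceed CMDFIFO_SIZE because of the clamp above.
 */
size_t simulate_dma_cdb_read(size_t already_queued, size_t cdb_len)
{
    cmdfifo_t f;
    uint8_t filler[CMDFIFO_SIZE];
    uint8_t cdb[64]; /* constructed CDB buffer, larger than the FIFO on purpose */
    size_t queued;

    memset(&f, 0, sizeof f);
    memset(filler, 0xAA, sizeof filler);
    memset(cdb, 0x12, sizeof cdb);

    if (already_queued > CMDFIFO_SIZE) {
        already_queued = CMDFIFO_SIZE;
    }
    if (cdb_len > sizeof cdb) {
        cdb_len = sizeof cdb;
    }

    /* Pre-load leftover bytes, then attempt the CDB transfer. */
    cmdfifo_push_bounded(&f, filler, already_queued);
    queued = cmdfifo_push_bounded(&f, cdb, cdb_len);

    if (queued < cdb_len) {
        fprintf(stderr, "cmdfifo: CDB truncated, %zu of %zu bytes queued\n",
                queued, cdb_len);
    }
    return queued;
}

int main(void)
{
    printf("empty FIFO, 12-byte CDB  -> %zu bytes queued\n", simulate_dma_cdb_read(0, 12));
    printf("10 queued, 12-byte CDB   -> %zu bytes queued\n", simulate_dma_cdb_read(10, 12));
    printf("full FIFO, 4-byte CDB    -> %zu bytes queued\n", simulate_dma_cdb_read(CMDFIFO_SIZE, 4));
    return 0;
}
```

The return value is the point of the design: a bounded copy that silently drops bytes still leaves the device in a consistent state, but reporting the accepted count lets the emulator log or reject the malformed sequence rather than proceed with a partial CDB.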