diff options
author | Petr Matousek <pmatouse@redhat.com> | 2015-06-17 12:46:11 +0200 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2015-06-17 16:03:47 +0200 |
commit | d4862a87e31a51de9eb260f25c9e99a75efe3235 (patch) | |
tree | 94c601e5faf63509c6d9f43f98db955566d9033b /ioport.c | |
parent | 9dacf32d2cbd66cbcce7944ebdfd6b2df20e33b8 (diff) | |
download | qemu-d4862a87e31a51de9eb260f25c9e99a75efe3235.zip qemu-d4862a87e31a51de9eb260f25c9e99a75efe3235.tar.gz qemu-d4862a87e31a51de9eb260f25c9e99a75efe3235.tar.bz2 |
i8254: fix out-of-bounds memory access in pit_ioport_read()
Due converting PIO to the new memory read/write api we no longer provide
separate I/O region lenghts for read and write operations. As a result,
reading from PIT Mode/Command register will end with accessing
pit->channels with invalid index.
Fix this by ignoring read from the Mode/Command register.
This is CVE-2015-3214.
Reported-by: Matt Tait <matttait@google.com>
Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052
Cc: qemu-stable@nongnu.org
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'ioport.c')
0 files changed, 0 insertions, 0 deletions