From d4862a87e31a51de9eb260f25c9e99a75efe3235 Mon Sep 17 00:00:00 2001 From: Petr Matousek Date: Wed, 17 Jun 2015 12:46:11 +0200 Subject: i8254: fix out-of-bounds memory access in pit_ioport_read() Due to converting PIO to the new memory read/write api we no longer provide separate I/O region lengths for read and write operations. As a result, reading from PIT Mode/Command register will end with accessing pit->channels with an invalid index. Fix this by ignoring reads from the Mode/Command register. This is CVE-2015-3214. Reported-by: Matt Tait Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052 Cc: qemu-stable@nongnu.org Signed-off-by: Petr Matousek Signed-off-by: Paolo Bonzini --- hw/timer/i8254.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'hw') diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c index 3450c98..9b65a33 100644 --- a/hw/timer/i8254.c +++ b/hw/timer/i8254.c @@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr, PITChannelState *s; addr &= 3; + + if (addr == 3) { + /* Mode/Command register is write only, read is ignored */ + return 0; + } + s = &pit->channels[addr]; if (s->status_latched) { s->status_latched = 0; -- cgit v1.1 From ae46e23964ad45d5bc72374040e87d8f52ac2178 Mon Sep 17 00:00:00 2001
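Review bot: the comment on the new `if (addr == 3)` block in the pit_ioport_read() hunk explains only the register semantics, not the bounds problem the commit fixes; since `addr &= 3` leaves values 0..3 and the very next statement is `s = &pit->channels[addr];`, the comment should also say that there is no channel 3, so a reader sees the early return as a required bounds check rather than a cosmetic one (e.g. `/* addr 3 is the write-only Mode/Command register; there is no channel 3 */`). The check is correctly placed after the mask and before the index, so the out-of-bounds access is closed. Two smaller points: the bare `+` blank lines both above and below the block are more whitespace than the surrounding code uses, one is enough; and the commit message could say why 0 was chosen as the value for a read the comment describes as ignored, since that is what a guest will observe.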
From: Paul Donohue Date: Fri, 12 Jun 2015 10:10:14 -0400 Subject: mc146818rtc: Reset the periodic timer on load When loading a VM from a snapshot or migration, clock changes can cause the periodic timer to stall or loop rapidly. qemu-timer has a reset notifier mechanism that is used to avoid timer stalls or loops if the host clock changes while the VM is running when using QEMU_CLOCK_HOST. However, when loading a snapshot or migration, qemu-timer is initialized and fires the reset notifier before mc146818rtc is initialized and has registered its reset handler. In addition, this mechanism isn't used when using QEMU_CLOCK_REALTIME, which might also change when loading a snapshot or migration. To correct that problem, this commit resets the periodic timer after loading from a snapshot or migration if the clock has either jumped backward or has jumped forward by more than the clock jump limit that is used by the reset notifier code in qemu-timer. Signed-off-by: Paul Donohue Message-Id: <20150612141013.GE2749@TopQuark.net> Signed-off-by: Paolo Bonzini --- hw/timer/mc146818rtc.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'hw') diff --git a/hw/timer/mc146818rtc.c b/hw/timer/mc146818rtc.c index 3204825..2e3ffc8 100644 --- a/hw/timer/mc146818rtc.c +++ b/hw/timer/mc146818rtc.c @@ -723,6 +723,12 @@ static int rtc_post_load(void *opaque, int version_id) check_update_timer(s); } + uint64_t now = qemu_clock_get_ns(rtc_clock); + if (now < s->next_periodic_time || + now > (s->next_periodic_time + get_max_clock_jump())) { + periodic_timer_update(s, qemu_clock_get_ns(rtc_clock)); + } + #ifdef TARGET_I386 if (version_id >= 2) { if (s->lost_tick_policy == LOST_TICK_POLICY_SLEW) { -- cgit v1.1
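Review bot: inside the new `if` in the rtc_post_load() hunk, `periodic_timer_update(s, qemu_clock_get_ns(rtc_clock))` re-reads the clock instead of passing the `now` computed two lines earlier, so the timestamp that was checked against `s->next_periodic_time` and the timestamp used to re-arm the timer can differ; pass `now`. On the condition itself, the first operand `now < s->next_periodic_time` is true for any saved deadline that is still in the future, which need not mean the clock jumped backward as the commit message describes, so the timer is also re-armed in that case; if that is an intended conservative choice (re-arming being harmless), a comment saying so, and naming that `get_max_clock_jump()` supplies the forward limit the reset notifier uses, would save the next reader from re-deriving it. Finally, the `uint64_t now` declaration follows statements in the function body, which QEMU's CODING_STYLE discourages as a mixed declaration; move it to the top of rtc_post_load().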