[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PULL 1/3] ide: Check array bounds before writing to io_bu
From: |
John Snow |
Subject: |
[Qemu-stable] [PULL 1/3] ide: Check array bounds before writing to io_buffer (CVE-2015-5154) |
Date: |
Mon, 27 Jul 2015 08:01:41 -0400 |
From: Kevin Wolf <address@hidden>
If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.
One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.
This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.
Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
---
hw/ide/core.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/hw/ide/core.c b/hw/ide/core.c
index 122e955..44fcc23 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr,
uint32_t val)
}
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return;
+ }
+
*(uint16_t *)p = le16_to_cpu(val);
p += 2;
s->data_ptr = p;
@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
}
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le16(*(uint16_t *)p);
p += 2;
s->data_ptr = p;
@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr,
uint32_t val)
}
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return;
+ }
+
*(uint32_t *)p = le32_to_cpu(val);
p += 4;
s->data_ptr = p;
@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
}
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le32(*(uint32_t *)p);
p += 4;
s->data_ptr = p;
--
2.1.0
- [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches, John Snow, 2015/07/27
- [Qemu-stable] [PULL 3/3] ide: Clear DRQ after handling all expected accesses, John Snow, 2015/07/27
- [Qemu-stable] [PULL 2/3] ide/atapi: Fix START STOP UNIT command completion, John Snow, 2015/07/27
- [Qemu-stable] [PULL 1/3] ide: Check array bounds before writing to io_buffer (CVE-2015-5154),
John Snow <=
- Re: [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches, Stefan Priebe - Profihost AG, 2015/07/27
- Re: [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches, John Snow, 2015/07/27
- Re: [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches, John Snow, 2015/07/27
- Re: [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches, Stefan Priebe - Profihost AG, 2015/07/27
- Re: [Qemu-stable] [Qemu-devel] [PULL 0/3] Cve 2015 5154 patches, Kevin Wolf, 2015/07/27
- Re: [Qemu-stable] [Qemu-devel] [PULL 0/3] Cve 2015 5154 patches, Peter Lieven, 2015/07/27
- Re: [Qemu-stable] [Qemu-devel] [PULL 0/3] Cve 2015 5154 patches, Kevin Wolf, 2015/07/27
- Re: [Qemu-stable] [Qemu-devel] [PULL 0/3] Cve 2015 5154 patches, Peter Lieven, 2015/07/27
Re: [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches, Peter Maydell, 2015/07/27