From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>, qemu-stable@nongnu.org
Subject: [Qemu-devel] [PATCH 51/53] ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
Date: Thu, 30 Jul 2015 06:33:06 -0500 [thread overview]
Message-ID: <1438255988-10418-52-git-send-email-mdroth@linux.vnet.ibm.com> (raw)
In-Reply-To: <1438255988-10418-1-git-send-email-mdroth@linux.vnet.ibm.com>
From: Kevin Wolf <kwolf@redhat.com>
If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.
One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.
This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
(cherry picked from commit d2ff85854512574e7209f295e87b0835d5b032c6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
hw/ide/core.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/hw/ide/core.c b/hw/ide/core.c
index a895fd8..17153f5 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
}
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return;
+ }
+
*(uint16_t *)p = le16_to_cpu(val);
p += 2;
s->data_ptr = p;
@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
}
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le16(*(uint16_t *)p);
p += 2;
s->data_ptr = p;
@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
}
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return;
+ }
+
*(uint32_t *)p = le32_to_cpu(val);
p += 4;
s->data_ptr = p;
@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
}
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le32(*(uint32_t *)p);
p += 4;
s->data_ptr = p;
--
1.9.1
next prev parent reply other threads:[~2015-07-30 11:36 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-30 11:32 [Qemu-devel] Patch Round-up for stable 2.3.1, freeze on 2015-08-06 Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 01/53] bt-sdp: fix broken uuids power-of-2 calculation Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 02/53] block/iscsi: do not forget to logout from target Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 03/53] Strip brackets from vnc host Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 04/53] nbd/trivial: fix type cast for ioctl Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 05/53] vmdk: Fix next_cluster_sector for compressed write Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 06/53] vmdk: Fix overflow if l1_size is 0x20000000 Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 07/53] qcow2: Flush pending discards before allocating cluster Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 08/53] usb: fix usb-net segfault Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 09/53] virtio-net: fix the upper bound when trying to delete queues Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 10/53] target-arm: Avoid buffer overrun on UNPREDICTABLE ldrd/strd Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 11/53] fdc: force the fifo access to be in bounds of the allocated buffer Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 12/53] Revert "block: Fix unaligned zero write" Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 13/53] block: Fix NULL deference for unaligned write if qiov is NULL Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 14/53] qemu-iotests: Test unaligned sub-block zero write Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 15/53] hw/acpi/aml-build: Fix memory leak Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 16/53] qga/commands-posix: Fix bug in guest-fstrim Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 17/53] kbd: add brazil kbd keys to qemu Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 18/53] kbd: add brazil kbd keys to x11 evdev map Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 19/53] qcow2: Set MIN_L2_CACHE_SIZE to 2 Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 20/53] iotests: qcow2 COW with minimal L2 cache size Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 21/53] vmdk: Fix index_in_cluster calculation in vmdk_co_get_block_status Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 22/53] vmdk: Use vmdk_find_index_in_cluster everywhere Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 23/53] sdl2: fix crash in handle_windowevent() when restoring the screen size Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 24/53] spice-display: fix segfault in qemu_spice_create_update Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 25/53] i8254: fix out-of-bounds memory access in pit_ioport_read() Michael Roth
2015-08-03 8:40 ` [Qemu-devel] 答复: " lidonglin
2015-08-03 11:46 ` Paolo Bonzini
2015-07-30 11:32 ` [Qemu-devel] [PATCH 26/53] hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf() Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 27/53] vhost: correctly pass error to caller in vhost_dev_enable_notifiers() Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 28/53] virtio-ccw: complete handling of guest-initiated resets Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 29/53] block: Add bdrv_get_block_status_above Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 30/53] qmp: Add optional bool "unmap" to drive-mirror Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 31/53] mirror: Do zero write on target if sectors not allocated Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 32/53] block: Fix dirty bitmap in bdrv_co_discard Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 33/53] qemu-iotests: Make block job methods common Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 34/53] qemu-iotests: Add test case for mirror with unmap Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 35/53] iotests: Use event_wait in wait_ready Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 36/53] iotests: add QMP event waiting queue Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 37/53] block/nfs: limit maximum readahead size to 1MB Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 38/53] s390x/ipl: Fix boot if no bootindex was specified Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 39/53] spapr_vty: lookup should only return valid VTY objects Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 40/53] target-ppc: fix hugepage support when using memory-backend-file Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 41/53] Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 42/53] block: Initialize local_err in bdrv_append_temp_snapshot Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 43/53] mips/kvm: Fix Big endian 32-bit register access Michael Roth
2015-07-30 11:32 ` [Qemu-devel] [PATCH 44/53] mips/kvm: Sign extend registers written to KVM Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 45/53] vfio/pci: Fix RTL8168 NIC quirks Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 46/53] virtio-net: unbreak any layout Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 47/53] vfio/pci: Fix bootindex Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 48/53] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 49/53] block: vpc - prevent overflow if max_table_entries >= 0x40000000 Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 50/53] block: qemu-iotests - add check for multiplication overflow in vpc Michael Roth
2015-07-30 11:33 ` Michael Roth [this message]
2015-07-30 11:33 ` [Qemu-devel] [PATCH 52/53] ide/atapi: Fix START STOP UNIT command completion Michael Roth
2015-07-30 11:33 ` [Qemu-devel] [PATCH 53/53] ide: Clear DRQ after handling all expected accesses Michael Roth
2015-08-04 17:41 ` [Qemu-devel] Patch Round-up for stable 2.3.1, freeze on 2015-08-06 Michael Roth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1438255988-10418-52-git-send-email-mdroth@linux.vnet.ibm.com \
--to=mdroth@linux.vnet.ibm.com \
--cc=kwolf@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).