From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53751) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YsXl5-0006yR-6J for qemu-devel@nongnu.org; Wed, 13 May 2015 10:35:44 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YsXkz-0006gd-DV for qemu-devel@nongnu.org; Wed, 13 May 2015 10:35:39 -0400
Message-ID: <5553612D.1080506@redhat.com>
Date: Wed, 13 May 2015 10:35:25 -0400
From: John Snow
MIME-Version: 1.0
References: <1431527602-29889-1-git-send-email-jsnow@redhat.com> <1431527602-29889-2-git-send-email-jsnow@redhat.com>
In-Reply-To: <1431527602-29889-2-git-send-email-jsnow@redhat.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
To: qemu-stable@nongnu.org
Cc: peter.maydell@linaro.org, Petr Matousek, qemu-devel@nongnu.org, mdroth@linux.vnet.ibm.com

On 05/13/2015 10:33 AM, John Snow wrote:
> From: Petr Matousek
>
> During processing of certain commands such as FD_CMD_READ_ID and
> FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get
> out of bounds leading to memory corruption with values coming from
> the guest.
>
> Fix this by making sure that the index is always bounded by the
> allocated memory.
>
> This is CVE-2015-3456.
>
> Signed-off-by: Petr Matousek
> Reviewed-by: John Snow
> Signed-off-by: John Snow
> ---

[snip]

Already sent the pull request (at 08:00 EDT this morning) for inclusion in the master branch, but this will serve as the formal patch discussion / and request for inclusion into any stable branches still being maintained.

Thanks.
--John Snow
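
The bug class named in the quoted commit message, a guest-advanced FIFO index that is never forced back into the allocated buffer, shown as an added example. This is a constructed model, not QEMU's fdc code and not part of the original mail; `toy_fdc`, `FIFO_LEN`, `GUARD_LEN` and the function names are hypothetical.

```c
/* Added illustration: constructed model of a device FIFO whose index is
 * advanced by guest writes. Not QEMU code; all names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define FIFO_LEN  16   /* size of the allocated FIFO (constructed value) */
#define GUARD_LEN 8    /* stands in for state located after the FIFO */

struct toy_fdc {
    uint8_t  mem[FIFO_LEN + GUARD_LEN]; /* FIFO is mem[0..FIFO_LEN-1] */
    uint32_t data_pos;                  /* advanced by every guest write */
};

/* Before: the index is trusted. If a command path never resets data_pos,
 * it walks past the FIFO. (Capped at mem[] so the demo stays defined.) */
static void fifo_write_unchecked(struct toy_fdc *d, uint8_t v)
{
    uint32_t pos = d->data_pos++;
    if (pos < sizeof(d->mem))
        d->mem[pos] = v;
}

/* After: the index is forced into the allocated buffer on every access. */
static void fifo_write_bounded(struct toy_fdc *d, uint8_t v)
{
    d->mem[d->data_pos++ % FIFO_LEN] = v;
}

/* Issue n guest-controlled writes and count overwritten guard bytes. */
static int guard_bytes_touched(void (*wr)(struct toy_fdc *, uint8_t), unsigned n)
{
    struct toy_fdc d = {0};
    int touched = 0;
    for (unsigned i = 0; i < n; i++)
        wr(&d, 0x41);
    for (unsigned i = FIFO_LEN; i < FIFO_LEN + GUARD_LEN; i++)
        touched += d.mem[i] != 0;
    return touched;
}

int main(void)
{
    printf("unchecked: %d guard bytes overwritten\n", guard_bytes_touched(fifo_write_unchecked, 20));
    printf("bounded:   %d guard bytes overwritten\n", guard_bytes_touched(fifo_write_bounded, 20));
    return 0;
}
```

The guard region makes the effect observable without real undefined behaviour: only the bounded accessor leaves it untouched once the write count exceeds `FIFO_LEN`.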