Skip to content

Commit

Permalink
Merge remote-tracking branch 'remotes/jnsnow/tags/cve-2015-5154-pull-…
Browse files Browse the repository at this point in the history
…request' into staging

# gpg: Signature made Mon Jul 27 13:01:10 2015 BST using RSA key ID AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 61EB
#      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 390E

* remotes/jnsnow/tags/cve-2015-5154-pull-request:
  ide: Clear DRQ after handling all expected accesses
  ide/atapi: Fix START STOP UNIT command completion
  ide: Check array bounds before writing to io_buffer (CVE-2015-5154)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
  • Loading branch information
pm215 committed Jul 27, 2015
2 parents f793d97 + cb72cba commit e40db4c
Show file tree
Hide file tree
Showing 2 changed files with 29 additions and 4 deletions.
1 change: 1 addition & 0 deletions hw/ide/atapi.c
Original file line number Diff line number Diff line change
Expand Up @@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)

if (pwrcnd) {
/* eject/load only happens for power condition == 0 */
ide_atapi_cmd_ok(s);
return;
}

Expand Down
32 changes: 28 additions & 4 deletions hw/ide/core.c
Original file line number Diff line number Diff line change
Expand Up @@ -2021,11 +2021,17 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
}

p = s->data_ptr;
if (p + 2 > s->data_end) {
return;
}

*(uint16_t *)p = le16_to_cpu(val);
p += 2;
s->data_ptr = p;
if (p >= s->data_end)
if (p >= s->data_end) {
s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
}
}

uint32_t ide_data_readw(void *opaque, uint32_t addr)
Expand All @@ -2042,11 +2048,17 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
}

p = s->data_ptr;
if (p + 2 > s->data_end) {
return 0;
}

ret = cpu_to_le16(*(uint16_t *)p);
p += 2;
s->data_ptr = p;
if (p >= s->data_end)
if (p >= s->data_end) {
s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
}
return ret;
}

Expand All @@ -2063,11 +2075,17 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
}

p = s->data_ptr;
if (p + 4 > s->data_end) {
return;
}

*(uint32_t *)p = le32_to_cpu(val);
p += 4;
s->data_ptr = p;
if (p >= s->data_end)
if (p >= s->data_end) {
s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
}
}

uint32_t ide_data_readl(void *opaque, uint32_t addr)
Expand All @@ -2084,11 +2102,17 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
}

p = s->data_ptr;
if (p + 4 > s->data_end) {
return 0;
}

ret = cpu_to_le32(*(uint32_t *)p);
p += 4;
s->data_ptr = p;
if (p >= s->data_end)
if (p >= s->data_end) {
s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
}
return ret;
}

Expand Down

0 comments on commit e40db4c

Please sign in to comment.