xemu-project/xemu
1
0
Fork 0
mirror of https://github.com/xemu-project/xemu.git synced 2024-11-24 03:59:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d2ff858545
xemu/hw
History
Kevin Wolf d2ff858545 ide: Check array bounds before writing to io_buffer (CVE-2015-5154) 
If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.

One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.

This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
2015-07-26 23:42:53 -04:00
..
9pfs qerror: Move #include out of qerror.h 2015-06-22 18:20:40 +02:00
acpi ich9: fix skipped vmstate_memhp_state subsection 2015-07-20 14:19:40 +03:00
alpha hw/alpha/typhoon.c: Fix misusing qemu_allocate_irqs for single irq 2015-06-03 14:21:24 +03:00
arm musicpal: Drop eth_can_receive 2015-07-20 17:47:24 +01:00
audio gus: clean up MemoryRegionPortio 2015-04-27 18:24:18 +02:00
block nvme: properly report volatile write caches 2015-07-14 15:55:19 +02:00
bt bt-sdp: fix broken uuids power-of-2 calculation 2015-04-28 15:36:08 +02:00
char spapr-vty: Use TYPE_ definition instead of hardcoding 2015-07-07 17:44:53 +02:00
core pc,virtio: fixes for 2.4 2015-07-13 13:35:51 +01:00
cpu icc_bus: fix typo ICC_BRIGDE -> ICC_BRIDGE 2014-11-03 19:51:56 +03:00
cris cris: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-04-11 20:03:57 +10:00
display * qemu-char fixes 2015-07-24 13:07:10 +01:00
dma Include qapi/qmp/qerror.h exactly where needed 2015-06-22 18:20:41 +02:00
gpio pl061: fix wrong calculation of GPIOMIS register 2015-06-02 14:56:25 +01:00
i2c ACPI: split CONFIG_ACPI into 4 pieces 2015-05-29 11:28:59 +01:00
i386 pc,virtio: fixes for 2.4 2015-07-13 13:35:51 +01:00
ide ide: Check array bounds before writing to io_buffer (CVE-2015-5154) 2015-07-26 23:42:53 -04:00
input hid: clarify hid_keyboard_process_keycode 2015-07-17 08:44:41 +02:00
intc xics_kvm: Don't enable KVM_CAP_IRQ_XICS if already enabled 2015-07-07 17:44:52 +02:00
ipack pci: Trivial device model conversions to realize 2015-02-26 12:42:16 +01:00
isa ich9: implement strap SPKR pin logic 2015-07-08 10:09:55 +03:00
lm32 hw/lm32/milkymist.c: Fix misusing qemu_allocate_irqs for single irq 2015-06-03 14:21:24 +03:00
m68k m68k: implement more ColdFire 5208 interrupt controller functionality 2015-06-22 14:43:25 +01:00
mem numa,pc-dimm: Store pc-dimm memory information in numa_info 2015-07-03 17:47:58 -03:00
microblaze microblaze: boot: Use cpu_set_pc() 2015-07-09 15:20:40 +02:00
mips target-mips: add Unified Hosting Interface (UHI) support 2015-06-26 09:08:50 +01:00
misc macio: remove nonexistent interrupt on pin 1 2015-07-07 17:44:49 +02:00
moxie memory: add parameter errp to memory_region_init_ram 2014-09-09 13:41:43 +02:00
net lan9118: Drop lan9118_can_receive 2015-07-20 17:47:24 +01:00
nvram spapr: Merge sPAPREnvironment into sPAPRMachineState 2015-07-07 17:44:50 +02:00
openrisc hw/core/loader: implement address translation in uimage loader 2014-11-03 00:59:10 +03:00
pci pci_add_capability: remove duplicate comments 2015-07-20 14:19:41 +03:00
pci-bridge hw/pci-bridge: format special OFW unit address for PXB host 2015-06-23 22:58:36 +02:00
pci-host piix: piix3 QOMify 2015-06-23 19:57:28 +03:00
pcmcia hmp: Remove "info pcmcia" 2014-10-24 12:19:11 +01:00
ppc timer: rename NSEC_PER_SEC due to Mac OS X header clash 2015-07-20 17:01:00 +01:00
s390x s390/virtio-ccw: Fix migration 2015-07-14 19:10:03 +02:00
scsi scsi: Handle no media case for scsi_get_configuration 2015-07-24 13:57:45 +02:00
sd hw/sd/pxa2xx_mmci: Stop using old_mmio in MemoryRegionOps 2015-06-15 18:06:09 +01:00
sh4 sh4/r2d: convert to new MMIO accessor style 2015-06-12 12:02:48 +02:00
sparc fw_cfg: fix FW_CFG_BOOT_DEVICE update on ppc and sparc 2015-06-10 08:00:37 +02:00
sparc64 fw_cfg: fix FW_CFG_BOOT_DEVICE update on ppc and sparc 2015-06-10 08:00:37 +02:00
ssi omap: Fix warnings from Sparse 2015-03-19 11:11:55 +03:00
timer timer: rename NSEC_PER_SEC due to Mac OS X header clash 2015-07-20 17:01:00 +01:00
tpm qerror: Move #include out of qerror.h 2015-06-22 18:20:40 +02:00
tricore target-tricore: check return value before using it 2014-11-02 10:04:34 +03:00
unicore32 hw/unicore32/puv3.c: Fix misusing qemu_allocate_irqs for single irq 2015-06-03 14:21:24 +03:00
usb timer: rename NSEC_PER_SEC due to Mac OS X header clash 2015-07-20 17:01:00 +01:00
vfio vfio/pci: Fix bootindex 2015-07-22 14:56:01 -06:00
virtio virtio, vhost, pc fixes for 2.4 2015-07-20 13:25:28 +01:00
watchdog watchdog/diag288: correctly register for system reset requests 2015-07-14 19:10:03 +02:00
xen trivial patches for 2015-06-23 2015-06-23 18:25:55 +01:00
xenpv hw: Convert from BlockDriverState to BlockBackend, mostly 2014-10-20 14:02:25 +02:00
xtensa xtensa: Remove superfluous '\n' around error_report() 2015-03-10 08:15:33 +03:00
Makefile.objs vfio: move hw/misc/vfio.c to hw/vfio/pci.c Move vfio.h into include/hw/vfio 2014-12-19 15:24:06 -07:00