xemu/hw
Petr Matousek d4862a87e3 i8254: fix out-of-bounds memory access in pit_ioport_read()
Due to converting PIO to the new memory read/write api we no longer provide
separate I/O region lengths for read and write operations. As a result,
reading from PIT Mode/Command register will end with accessing
pit->channels with invalid index.

Fix this by ignoring read from the Mode/Command register.

This is CVE-2015-3214.

Reported-by: Matt Tait <matttait@google.com>
Fixes: 0505bcdec8
Cc: qemu-stable@nongnu.org
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-06-17 16:03:47 +02:00
..
9pfs virtio-9p-device: move qdev properties into virtio-9p-device.c 2015-06-10 18:15:34 +02:00
acpi migration: Use normal VMStateDescriptions for Subsections 2015-06-12 06:53:57 +02:00
alpha hw/alpha/typhoon.c: Fix misusing qemu_allocate_irqs for single irq 2015-06-03 14:21:24 +03:00
arm hw/arm/virt-acpi-build: Add SPCR table 2015-06-15 18:06:11 +01:00
audio gus: clean up MemoryRegionPortio 2015-04-27 18:24:18 +02:00
block migration: Use normal VMStateDescriptions for Subsections 2015-06-12 06:53:57 +02:00
bt bt-sdp: fix broken uuids power-of-2 calculation 2015-04-28 15:36:08 +02:00
char migration: Use normal VMStateDescriptions for Subsections 2015-06-12 06:53:57 +02:00
core nmi: Implement inject_nmi() for non-monitor context use 2015-06-11 17:45:50 +02:00
cpu icc_bus: fix typo ICC_BRIGDE -> ICC_BRIDGE 2014-11-03 19:51:56 +03:00
cris cris: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-04-11 20:03:57 +10:00
display virtio-gpu: pci support bits and virtio-vga. 2015-06-16 10:35:43 +01:00
dma dma/rc4030: convert to QOM 2015-06-11 10:13:29 +01:00
gpio pl061: fix wrong calculation of GPIOMIS register 2015-06-02 14:56:25 +01:00
i2c ACPI: split CONFIG_ACPI into 4 pieces 2015-05-29 11:28:59 +01:00
i386 Disable section footers on older machine types 2015-06-12 06:54:01 +02:00
ide migration: Use normal VMStateDescriptions for Subsections 2015-06-12 06:53:57 +02:00
input migration: Use normal VMStateDescriptions for Subsections 2015-06-12 06:53:57 +02:00
intc arm_gic: gic_update should always update all cores 2015-06-15 18:06:07 +01:00
ipack pci: Trivial device model conversions to realize 2015-02-26 12:42:16 +01:00
isa virtio-gpu: pci support bits and virtio-vga. 2015-06-16 10:35:43 +01:00
lm32 hw/lm32/milkymist.c: Fix misusing qemu_allocate_irqs for single irq 2015-06-03 14:21:24 +03:00
m68k m68k: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-03-25 14:35:24 +01:00
mem pc-dimm: don't assert if pc-dimm alignment != hotpluggable mem range size 2015-06-04 11:20:34 +02:00
microblaze microblaze: fix memory leak 2015-04-30 16:06:18 +03:00
mips net/dp8393x: add PROM to store MAC address 2015-06-11 10:13:30 +01:00
misc macio: Convert to realize() 2015-06-03 23:56:49 +02:00
moxie memory: add parameter errp to memory_region_init_ram 2014-09-09 13:41:43 +02:00
net -----BEGIN PGP SIGNATURE----- 2015-06-12 15:39:05 +01:00
nvram fw_cfg: prohibit insertion of duplicate fw_cfg file names 2015-06-10 08:00:37 +02:00
openrisc hw/core/loader: implement address translation in uimage loader 2014-11-03 00:59:10 +03:00
pci virtio-vga: add '-vga virtio' support 2015-06-12 10:13:23 +02:00
pci-bridge hw/pxb: add numa_node parameter 2015-06-03 18:19:18 +02:00
pci-host migration: Use normal VMStateDescriptions for Subsections 2015-06-12 06:53:57 +02:00
pcmcia hmp: Remove "info pcmcia" 2014-10-24 12:19:11 +01:00
ppc fw_cfg: fix FW_CFG_BOOT_DEVICE update on ppc and sparc 2015-06-10 08:00:37 +02:00
s390x pc, acpi, virtio 2015-06-11 15:33:38 +01:00
scsi migration: Use normal VMStateDescriptions for Subsections 2015-06-12 06:53:57 +02:00
sd hw/sd/pxa2xx_mmci: Stop using old_mmio in MemoryRegionOps 2015-06-15 18:06:09 +01:00
sh4 sh4/r2d: convert to new MMIO accessor style 2015-06-12 12:02:48 +02:00
sparc fw_cfg: fix FW_CFG_BOOT_DEVICE update on ppc and sparc 2015-06-10 08:00:37 +02:00
sparc64 fw_cfg: fix FW_CFG_BOOT_DEVICE update on ppc and sparc 2015-06-10 08:00:37 +02:00
ssi omap: Fix warnings from Sparse 2015-03-19 11:11:55 +03:00
timer i8254: fix out-of-bounds memory access in pit_ioport_read() 2015-06-17 16:03:47 +02:00
tpm TPM2 ACPI table support 2015-06-01 14:18:54 +02:00
tricore target-tricore: check return value before using it 2014-11-02 10:04:34 +03:00
unicore32 hw/unicore32/puv3.c: Fix misusing qemu_allocate_irqs for single irq 2015-06-03 14:21:24 +03:00
usb migration: Use normal VMStateDescriptions for Subsections 2015-06-12 06:53:57 +02:00
vfio hw/vfio/platform: replace g_malloc0_n by g_new0 2015-06-11 14:22:57 +01:00
virtio virtio-gpu: pci support bits and virtio-vga. 2015-06-16 10:35:43 +01:00
watchdog watchdog: Add new Virtual Watchdog action INJECT-NMI 2015-06-11 17:45:50 +02:00
xen xen_backend: Remove unused error handling of qemu_set_fd_handler 2015-06-12 13:26:21 +01:00
xenpv hw: Convert from BlockDriverState to BlockBackend, mostly 2014-10-20 14:02:25 +02:00
xtensa xtensa: Remove superfluous '\n' around error_report() 2015-03-10 08:15:33 +03:00
Makefile.objs vfio: move hw/misc/vfio.c to hw/vfio/pci.c Move vfio.h into include/hw/vfio 2014-12-19 15:24:06 -07:00