[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [qemu-xen-4.3-testing] ide: Check array bounds before writing to io_buffer (CVE-2015-5154)



commit 70add61d0c6f7c79b74ed016a0531e40f0cc00b3
Author:     Kevin Wolf <kwolf@xxxxxxxxxx>
AuthorDate: Wed Jun 3 14:13:31 2015 +0200
Commit:     Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Wed Jul 29 16:34:34 2015 +0100

    ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
    
    If the end_transfer_func of a command is called because enough data has
    been read or written for the current PIO transfer, and it fails to
    correctly call the command completion functions, the DRQ bit in the
    status register and s->end_transfer_func may remain set. This allows the
    guest to access further bytes in s->io_buffer beyond s->data_end, and
    eventually overflowing the io_buffer.
    
    One case where this currently happens is emulation of the ATAPI command
    START STOP UNIT.
    
    This patch fixes the problem by adding explicit array bounds checks
    before accessing the buffer instead of relying on end_transfer_func to
    function correctly.
    
    [ This is XSA-138 / CVE-2015-5154. ]
    
    Cc: qemu-stable@xxxxxxxxxx
    Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
    (cherry picked from commit d18ac5938d38ed9a9d51e380a2baf8343468f65d)
    (cherry picked from commit eb745741f519e6cf60a455bfba62a1acc0b5cfe2)
---
 hw/ide.c |   16 ++++++++++++++++
 1 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/hw/ide.c b/hw/ide.c
index 791666b..211ec88 100644
--- a/hw/ide.c
+++ b/hw/ide.c
@@ -3002,6 +3002,10 @@ static void ide_data_writew(void *opaque, uint32_t addr, 
uint32_t val)
     buffered_pio_write(s, addr, 2);
 
     p = s->data_ptr;
+    if (p + 2 > s->data_end) {
+        return;
+    }
+
     *(uint16_t *)p = le16_to_cpu(val);
     p += 2;
     s->data_ptr = p;
@@ -3021,6 +3025,10 @@ static uint32_t ide_data_readw(void *opaque, uint32_t 
addr)
     buffered_pio_read(s, addr, 2);
 
     p = s->data_ptr;
+    if (p + 2 > s->data_end) {
+        return 0;
+    }
+
     ret = cpu_to_le16(*(uint16_t *)p);
     p += 2;
     s->data_ptr = p;
@@ -3040,6 +3048,10 @@ static void ide_data_writel(void *opaque, uint32_t addr, 
uint32_t val)
     buffered_pio_write(s, addr, 4);
 
     p = s->data_ptr;
+    if (p + 4 > s->data_end) {
+        return;
+    }
+
     *(uint32_t *)p = le32_to_cpu(val);
     p += 4;
     s->data_ptr = p;
@@ -3059,6 +3071,10 @@ static uint32_t ide_data_readl(void *opaque, uint32_t 
addr)
     buffered_pio_read(s, addr, 4);
 
     p = s->data_ptr;
+    if (p + 4 > s->data_end) {
+        return 0;
+    }
+
     ret = cpu_to_le32(*(uint32_t *)p);
     p += 4;
     s->data_ptr = p;
--
generated by git-patchbot for /home/xen/git/qemu-xen-4.3-testing.git

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.