[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [qemu-xen-4.4-testing] ide: Clear DRQ after handling all expected accesses



commit 30c002bffcd6287a7d5bb4e2c691b101c0937013
Author:     Kevin Wolf <kwolf@xxxxxxxxxx>
AuthorDate: Wed Jun 3 14:41:27 2015 +0200
Commit:     Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Wed Jul 29 16:33:53 2015 +0100

    ide: Clear DRQ after handling all expected accesses
    
    This is additional hardening against an end_transfer_func that fails to
    clear the DRQ status bit. The bit must be unset as soon as the PIO
    transfer has completed, so it's better to do this in a central place
    instead of duplicating the code in all commands (and forgetting it in
    some).
    
    [ This is XSA-138 / CVE-2015-5154. ]
    
    Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
    (cherry picked from commit 7f057440b31da38196e3398fd1b618fc36ad97d6)
---
 hw/ide.c |   16 ++++++++++++----
 1 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/hw/ide.c b/hw/ide.c
index 211ec88..7b84d1b 100644
--- a/hw/ide.c
+++ b/hw/ide.c
@@ -3009,8 +3009,10 @@ static void ide_data_writew(void *opaque, uint32_t addr, 
uint32_t val)
     *(uint16_t *)p = le16_to_cpu(val);
     p += 2;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
 }
 
 static uint32_t ide_data_readw(void *opaque, uint32_t addr)
@@ -3032,8 +3034,10 @@ static uint32_t ide_data_readw(void *opaque, uint32_t 
addr)
     ret = cpu_to_le16(*(uint16_t *)p);
     p += 2;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
     return ret;
 }
 
@@ -3055,8 +3059,10 @@ static void ide_data_writel(void *opaque, uint32_t addr, 
uint32_t val)
     *(uint32_t *)p = le32_to_cpu(val);
     p += 4;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
 }
 
 static uint32_t ide_data_readl(void *opaque, uint32_t addr)
@@ -3078,8 +3084,10 @@ static uint32_t ide_data_readl(void *opaque, uint32_t 
addr)
     ret = cpu_to_le32(*(uint32_t *)p);
     p += 4;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
     return ret;
 }
 
--
generated by git-patchbot for /home/xen/git/qemu-xen-4.4-testing.git

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.