git.ipfire.org Git - thirdparty/qemu.git/commit

author	Kevin Wolf <kwolf@redhat.com>
	Mon, 27 Jul 2015 03:42:53 +0000 (23:42 -0400)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 30 Jul 2015 03:19:29 +0000 (22:19 -0500)
commit	9634e45e0b2bd4906778efdfb4b38b6fa042ebec
tree	67c2c512144b2933b600d8cbc321584b18d0f837	tree \| snapshot
parent	0dc545e97799d07267854e60ab57b48939edf0e8	commit \| diff

ide: Check array bounds before writing to io_buffer (CVE-2015-5154)

If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.

One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.

This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
(cherry picked from commit d2ff85854512574e7209f295e87b0835d5b032c6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>