* [Qemu-devel] [PULL 0/1] Ide cve patches
@ 2015-05-13 12:00 John Snow
2015-05-13 12:00 ` [Qemu-devel] [PULL 1/1] fdc: force the fifo access to be in bounds of the allocated buffer John Snow
2015-05-13 15:05 ` [Qemu-devel] [PULL 0/1] Ide cve patches Peter Maydell
0 siblings, 2 replies; 3+ messages in thread
From: John Snow @ 2015-05-13 12:00 UTC (permalink / raw)
To: qemu-devel; +Cc: peter.maydell, jsnow
The following changes since commit 968bb75c348a401b85e08d5eb1887a3e6c3185f5:
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20150512' into staging (2015-05-12 12:11:32 +0100)
are available in the git repository at:
https://github.com/jnsnow/qemu.git tags/ide-cve-pull-request
for you to fetch changes up to e907746266721f305d67bc0718795fedee2e824c:
fdc: force the fifo access to be in bounds of the allocated buffer (2015-05-12 18:52:57 -0400)
----------------------------------------------------------------
----------------------------------------------------------------
Petr Matousek (1):
fdc: force the fifo access to be in bounds of the allocated buffer
hw/block/fdc.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
--
2.1.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Qemu-devel] [PULL 1/1] fdc: force the fifo access to be in bounds of the allocated buffer
2015-05-13 12:00 [Qemu-devel] [PULL 0/1] Ide cve patches John Snow
@ 2015-05-13 12:00 ` John Snow
2015-05-13 15:05 ` [Qemu-devel] [PULL 0/1] Ide cve patches Peter Maydell
1 sibling, 0 replies; 3+ messages in thread
From: John Snow @ 2015-05-13 12:00 UTC (permalink / raw)
To: qemu-devel; +Cc: Petr Matousek, peter.maydell, jsnow
From: Petr Matousek <pmatouse@redhat.com>
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.
Fix this by making sure that the index is always bounded by the
allocated memory.
This is CVE-2015-3456.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
---
hw/block/fdc.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index f72a392..d8a8edd 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
{
FDrive *cur_drv;
uint32_t retval = 0;
- int pos;
+ uint32_t pos;
cur_drv = get_cur_drv(fdctrl);
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
return 0;
}
pos = fdctrl->data_pos;
+ pos %= FD_SECTOR_LEN;
if (fdctrl->msr & FD_MSR_NONDMA) {
- pos %= FD_SECTOR_LEN;
if (pos == 0) {
if (fdctrl->data_pos != 0)
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
{
FDrive *cur_drv = get_cur_drv(fdctrl);
+ uint32_t pos;
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
+ pos = fdctrl->data_pos - 1;
+ pos %= FD_SECTOR_LEN;
+ if (fdctrl->fifo[pos] & 0x80) {
/* Command parameters done */
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+ if (fdctrl->fifo[pos] & 0x40) {
fdctrl->fifo[0] = fdctrl->fifo[1];
fdctrl->fifo[2] = 0;
fdctrl->fifo[3] = 0;
@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
{
FDrive *cur_drv;
- int pos;
+ uint32_t pos;
/* Reset mode */
if (!(fdctrl->dor & FD_DOR_nRESET)) {
@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
}
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
- fdctrl->fifo[fdctrl->data_pos++] = value;
+ pos = fdctrl->data_pos++;
+ pos %= FD_SECTOR_LEN;
+ fdctrl->fifo[pos] = value;
if (fdctrl->data_pos == fdctrl->data_len) {
/* We now have all parameters
* and will be able to treat the command
--
2.1.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Qemu-devel] [PULL 0/1] Ide cve patches
2015-05-13 12:00 [Qemu-devel] [PULL 0/1] Ide cve patches John Snow
2015-05-13 12:00 ` [Qemu-devel] [PULL 1/1] fdc: force the fifo access to be in bounds of the allocated buffer John Snow
@ 2015-05-13 15:05 ` Peter Maydell
1 sibling, 0 replies; 3+ messages in thread
From: Peter Maydell @ 2015-05-13 15:05 UTC (permalink / raw)
To: John Snow; +Cc: QEMU Developers
On 13 May 2015 at 13:00, John Snow <jsnow@redhat.com> wrote:
> The following changes since commit 968bb75c348a401b85e08d5eb1887a3e6c3185f5:
>
> Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20150512' into staging (2015-05-12 12:11:32 +0100)
>
> are available in the git repository at:
>
> https://github.com/jnsnow/qemu.git tags/ide-cve-pull-request
>
> for you to fetch changes up to e907746266721f305d67bc0718795fedee2e824c:
>
> fdc: force the fifo access to be in bounds of the allocated buffer (2015-05-12 18:52:57 -0400)
>
> ----------------------------------------------------------------
>
> ----------------------------------------------------------------
>
> Petr Matousek (1):
> fdc: force the fifo access to be in bounds of the allocated buffer
>
> hw/block/fdc.c | 17 +++++++++++------
> 1 file changed, 11 insertions(+), 6 deletions(-)
Applied, thanks. (Next time round adding the Cc: qemu-stable@nongnu.org
line in the commit message would be good too.)
-- PMM
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-05-13 15:05 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-13 12:00 [Qemu-devel] [PULL 0/1] Ide cve patches John Snow
2015-05-13 12:00 ` [Qemu-devel] [PULL 1/1] fdc: force the fifo access to be in bounds of the allocated buffer John Snow
2015-05-13 15:05 ` [Qemu-devel] [PULL 0/1] Ide cve patches Peter Maydell
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.