From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001 From: Kevin Wolf Date: Wed, 3 Jun 2015 14:13:31 +0200 Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer (CVE-2015-5154) If the end_transfer_func of a command is called because enough data has been read or written for the current PIO transfer, and it fails to correctly call the command completion functions, the DRQ bit in the status register and s->end_transfer_func may remain set. This allows the guest to access further bytes in s->io_buffer beyond s->data_end, and eventually overflowing the io_buffer. One case where this currently happens is emulation of the ATAPI command START STOP UNIT. This patch fixes the problem by adding explicit array bounds checks before accessing the buffer instead of relying on end_transfer_func to function correctly. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf --- hw/ide/core.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/hw/ide/core.c b/hw/ide/core.c index 122e955..44fcc23 100644 --- a/hw/ide/core.c +++ b/hw/ide/core.c @@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) } p = s->data_ptr; + if (p + 2 > s->data_end) { + return; + } + *(uint16_t *)p = le16_to_cpu(val); p += 2; s->data_ptr = p; @@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) } p = s->data_ptr; + if (p + 2 > s->data_end) { + return 0; + } + ret = cpu_to_le16(*(uint16_t *)p); p += 2; s->data_ptr = p; @@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) } p = s->data_ptr; + if (p + 4 > s->data_end) { + return; + } + *(uint32_t *)p = le32_to_cpu(val); p += 4; s->data_ptr = p; @@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) } p = s->data_ptr; + if (p + 4 > s->data_end) { + return 0; + } + ret = cpu_to_le32(*(uint32_t *)p); p += 4; s->data_ptr = p; -- 1.8.3.1