1 From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
2 From: Petr Matousek <pmatouse@redhat.com>
3 Date: Wed, 6 May 2015 09:48:59 +0200
4 Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
6 During processing of certain commands such as FD_CMD_READ_ID and
7 FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
8 get out of bounds leading to memory corruption with values coming
11 Fix this by making sure that the index is always bounded by the
14 This is CVE-2015-3456.
16 Signed-off-by: Petr Matousek <pmatouse@redhat.com>
17 Reviewed-by: John Snow <jsnow@redhat.com>
18 Signed-off-by: John Snow <jsnow@redhat.com>
20 hw/block/fdc.c | 17 +++++++++++------
21 1 files changed, 11 insertions(+), 6 deletions(-)
23 diff --git a/hw/block/fdc.c b/hw/block/fdc.c
24 index f72a392..d8a8edd 100644
27 @@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
34 cur_drv = get_cur_drv(fdctrl);
35 fdctrl->dsr &= ~FD_DSR_PWRDOWN;
36 @@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
39 pos = fdctrl->data_pos;
40 + pos %= FD_SECTOR_LEN;
41 if (fdctrl->msr & FD_MSR_NONDMA) {
42 - pos %= FD_SECTOR_LEN;
44 if (fdctrl->data_pos != 0)
45 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
46 @@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
47 static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
49 FDrive *cur_drv = get_cur_drv(fdctrl);
52 - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
53 + pos = fdctrl->data_pos - 1;
54 + pos %= FD_SECTOR_LEN;
55 + if (fdctrl->fifo[pos] & 0x80) {
56 /* Command parameters done */
57 - if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
58 + if (fdctrl->fifo[pos] & 0x40) {
59 fdctrl->fifo[0] = fdctrl->fifo[1];
62 @@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
63 static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
70 if (!(fdctrl->dor & FD_DOR_nRESET)) {
71 @@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
74 FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
75 - fdctrl->fifo[fdctrl->data_pos++] = value;
76 + pos = fdctrl->data_pos++;
77 + pos %= FD_SECTOR_LEN;
78 + fdctrl->fifo[pos] = value;
79 if (fdctrl->data_pos == fdctrl->data_len) {
80 /* We now have all parameters
81 * and will be able to treat the command