1 | From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001 |
2 | From: Petr Matousek <pmatouse@redhat.com> | |
3 | Date: Wed, 6 May 2015 09:48:59 +0200 | |
4 | Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer | |
5 | ||
6 | During processing of certain commands such as FD_CMD_READ_ID and | |
7 | FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could | |
8 | get out of bounds leading to memory corruption with values coming | |
9 | from the guest. | |
10 | ||
11 | Fix this by making sure that the index is always bounded by the | |
12 | allocated memory. | |
13 | ||
14 | This is CVE-2015-3456. | |
15 | ||
16 | Signed-off-by: Petr Matousek <pmatouse@redhat.com> | |
17 | Reviewed-by: John Snow <jsnow@redhat.com> | |
18 | Signed-off-by: John Snow <jsnow@redhat.com> | |
19 | --- | |
20 | hw/block/fdc.c | 17 +++++++++++------ | |
21 | 1 files changed, 11 insertions(+), 6 deletions(-) | |
22 | ||
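diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index f72a392..d8a8edd 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
 {
     FDrive *cur_drv;
     uint32_t retval = 0;
-    int pos;
+    uint32_t pos;
 
     cur_drv = get_cur_drv(fdctrl);
     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
         return 0;
     }
     pos = fdctrl->data_pos;
+    pos %= FD_SECTOR_LEN;
     if (fdctrl->msr & FD_MSR_NONDMA) {
-        pos %= FD_SECTOR_LEN;
         if (pos == 0) {
             if (fdctrl->data_pos != 0)
                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
 static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
 {
     FDrive *cur_drv = get_cur_drv(fdctrl);
+    uint32_t pos;
 
-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
+    pos = fdctrl->data_pos - 1;
+    pos %= FD_SECTOR_LEN;
+    if (fdctrl->fifo[pos] & 0x80) {
         /* Command parameters done */
-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+        if (fdctrl->fifo[pos] & 0x40) {
             fdctrl->fifo[0] = fdctrl->fifo[1];
             fdctrl->fifo[2] = 0;
             fdctrl->fifo[3] = 0;
@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
 static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
 {
     FDrive *cur_drv;
-    int pos;
+    uint32_t pos;
 
     /* Reset mode */
     if (!(fdctrl->dor & FD_DOR_nRESET)) {
@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
     }
 
     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-    fdctrl->fifo[fdctrl->data_pos++] = value;
+    pos = fdctrl->data_pos++;
+    pos %= FD_SECTOR_LEN;
+    fdctrl->fifo[pos] = value;
     if (fdctrl->data_pos == fdctrl->data_len) {
         /* We now have all parameters
          * and will be able to treat the command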
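Review bot: The `pos %= FD_SECTOR_LEN;` masking added after `pos = fdctrl->data_pos;` in fdctrl_read_data (and repeated in the drive-specification and fdctrl_write_data hunks) only keeps the index inside the fifo if FD_SECTOR_LEN equals the fifo's allocated length, and nothing in the hunks states that relationship; a comment at the first use such as `/* data_pos is guest-controlled: reduce it modulo the fifo length (FD_SECTOR_LEN, assumed to match the fifo allocation) so the access stays in bounds */` would make the invariant reviewable. In fdctrl_handle_drive_specification_command the switch to `uint32_t pos` also matters for `pos = fdctrl->data_pos - 1;` when data_pos is 0: the unsigned wrap followed by the modulo lands on index FD_SECTOR_LEN - 1, which is in bounds but reads a stale byte rather than rejecting the malformed state, and that deserves its own one-line comment. A guest that drives data_pos past the fifo now wraps silently, so if the device model has an existing error or reset path it may be worth signalling there in addition to masking, though that is outside these hunks. All three functions continue outside the hunks shown.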
82 | -- | |
83 | 1.7.0.4 | |
84 |