xenbits.xensource.com Git - qemu-xen-traditional.git/commit

author	Kevin Wolf <kwolf@redhat.com>
	Wed, 3 Jun 2015 12:13:31 +0000 (14:13 +0200)
committer	Ian Jackson <Ian.Jackson@eu.citrix.com>
	Wed, 29 Jul 2015 15:34:34 +0000 (16:34 +0100)
commit	70add61d0c6f7c79b74ed016a0531e40f0cc00b3
tree	063f9701a5702377e63d366c6bb968172c3ce9ed	tree
parent	8d882026216a2b9afe74d4b1ef99433620e0ba0a	commit \| diff

ide: Check array bounds before writing to io_buffer (CVE-2015-5154)

If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.

One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.

This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.

[ This is XSA-138 / CVE-2015-5154. ]

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit d18ac5938d38ed9a9d51e380a2baf8343468f65d)
(cherry picked from commit eb745741f519e6cf60a455bfba62a1acc0b5cfe2)