From: Kevin Wolf Date: Mon, 27 Jul 2015 03:42:53 +0000 (-0400) Subject: ide: Clear DRQ after handling all expected accesses (CVE-2015-5154) X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=25c99f89476080f4e3ba221437916b5a38208e03;p=qemu-xen.git ide: Clear DRQ after handling all expected accesses (CVE-2015-5154) This is additional hardening against an end_transfer_func that fails to clear the DRQ status bit. The bit must be unset as soon as the PIO transfer has completed, so it's better to do this in a central place instead of duplicating the code in all commands (and forgetting it in some). upstream-commit-id: cb72cba83021fa42719e73a5249c12096a4d1cfc Signed-off-by: Kevin Wolf Reviewed-by: John Snow Signed-off-by: Stefano Stabellini --- diff --git a/hw/ide/core.c b/hw/ide/core.c index 44bbef22b4..9ccd50a35a 100644 --- a/hw/ide/core.c +++ b/hw/ide/core.c @@ -1751,8 +1751,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) *(uint16_t *)p = le16_to_cpu(val); p += 2; s->data_ptr = p; - if (p >= s->data_end) + if (p >= s->data_end) { + s->status &= ~DRQ_STAT; s->end_transfer_func(s); + } } uint32_t ide_data_readw(void *opaque, uint32_t addr) @@ -1776,8 +1778,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) ret = cpu_to_le16(*(uint16_t *)p); p += 2; s->data_ptr = p; - if (p >= s->data_end) + if (p >= s->data_end) { + s->status &= ~DRQ_STAT; s->end_transfer_func(s); + } return ret; } @@ -1801,8 +1805,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) *(uint32_t *)p = le32_to_cpu(val); p += 4; s->data_ptr = p; - if (p >= s->data_end) + if (p >= s->data_end) { + s->status &= ~DRQ_STAT; s->end_transfer_func(s); + } } uint32_t ide_data_readl(void *opaque, uint32_t addr) @@ -1826,8 +1832,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) ret = cpu_to_le32(*(uint32_t *)p); p += 4; s->data_ptr = p; - if (p >= s->data_end) + if (p >= s->data_end) { + s->status &= ~DRQ_STAT; s->end_transfer_func(s); + } return ret; }