From: Kevin Wolf
Date: Wed, 3 Jun 2015 12:41:27 +0000 (+0200)
Subject: ide: Clear DRQ after handling all expected accesses
X-Git-Tag: xen-4.5.2~1
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=327319a1e9bb79996e8de4df78ccde25e87692e2;p=qemu-xen-4.5-testing.git

ide: Clear DRQ after handling all expected accesses

This is additional hardening against an end_transfer_func that fails to
clear the DRQ status bit. The bit must be unset as soon as the PIO
transfer has completed, so it's better to do this in a central place
instead of duplicating the code in all commands (and forgetting it in
some).

[ This is XSA-138 / CVE-2015-5154. ]

Signed-off-by: Kevin Wolf
(cherry picked from commit 7f057440b31da38196e3398fd1b618fc36ad97d6)
---

diff --git a/hw/ide.c b/hw/ide.c
index 211ec8858..7b84d1b0e 100644
--- a/hw/ide.c
+++ b/hw/ide.c
@@ -3009,8 +3009,10 @@ static void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
     *(uint16_t *)p = le16_to_cpu(val);
     p += 2;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
 }
 
 static uint32_t ide_data_readw(void *opaque, uint32_t addr)
@@ -3032,8 +3034,10 @@ static uint32_t ide_data_readw(void *opaque, uint32_t addr)
     ret = cpu_to_le16(*(uint16_t *)p);
     p += 2;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
     return ret;
 }
 
@@ -3055,8 +3059,10 @@ static void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
     *(uint32_t *)p = le32_to_cpu(val);
     p += 4;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
 }
 
 static uint32_t ide_data_readl(void *opaque, uint32_t addr)
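Review bot: The new `s->status &= ~DRQ_STAT;` is placed before the `s->end_transfer_func(s)` call in all four PIO accessors (ide_data_writew, ide_data_readw and ide_data_writel in these hunks, ide_data_readl in the following one), and nothing in the hunks records that this order is deliberate; if a callback starts a follow-on transfer that re-asserts DRQ, a later refactor that moves the clear after the call would silently drop the bit again. I would add one comment above the clear in each accessor, `/* clear DRQ before the callback: end_transfer_func may begin a new transfer and set it again */`, phrased as an assumption since the callbacks are outside the hunk. Separately, the context test `if (p >= s->data_end)` runs only after the 2- or 4-byte access through p has already happened, so a data_end that is not a multiple of the access width would let the final access touch bytes past data_end unless a guard earlier in each function rejects such accesses; that guard, if present, is outside the hunk and worth confirming in this tree. The enclosing functions begin outside the hunks.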
@@ -3078,8 +3084,10 @@ static uint32_t ide_data_readl(void *opaque, uint32_t addr)
     ret = cpu_to_le32(*(uint32_t *)p);
     p += 4;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
     return ret;
 }