From: Kevin Wolf Date: Mon, 27 Jul 2015 03:42:53 +0000 (-0400) Subject: ide: Clear DRQ after handling all expected accesses (CVE-2015-5154) X-Git-Tag: qemu-xen-4.6.0-rc1~8 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=f748613efca3cd444db26d5aae9244ffa7d7d313;p=qemu-upstream-4.6-testing.git ide: Clear DRQ after handling all expected accesses (CVE-2015-5154) This is additional hardening against an end_transfer_func that fails to clear the DRQ status bit. The bit must be unset as soon as the PIO transfer has completed, so it's better to do this in a central place instead of duplicating the code in all commands (and forgetting it in some). upstream-commit-id: cb72cba83021fa42719e73a5249c12096a4d1cfc Signed-off-by: Kevin Wolf Reviewed-by: John Snow Signed-off-by: Stefano Stabellini --- diff --git a/hw/ide/core.c b/hw/ide/core.c index a4467e91f..1d64bcac6 100644 --- a/hw/ide/core.c +++ b/hw/ide/core.c @@ -2020,8 +2020,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) *(uint16_t *)p = le16_to_cpu(val); p += 2; s->data_ptr = p; - if (p >= s->data_end) + if (p >= s->data_end) { + s->status &= ~DRQ_STAT; s->end_transfer_func(s); + } } uint32_t ide_data_readw(void *opaque, uint32_t addr) @@ -2045,8 +2047,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) ret = cpu_to_le16(*(uint16_t *)p); p += 2; s->data_ptr = p; - if (p >= s->data_end) + if (p >= s->data_end) { + s->status &= ~DRQ_STAT; s->end_transfer_func(s); + } return ret; } @@ -2070,8 +2074,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) *(uint32_t *)p = le32_to_cpu(val); p += 4; s->data_ptr = p; - if (p >= s->data_end) + if (p >= s->data_end) { + s->status &= ~DRQ_STAT; s->end_transfer_func(s); + } } uint32_t ide_data_readl(void *opaque, uint32_t addr) @@ -2095,8 +2101,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) ret = cpu_to_le32(*(uint32_t *)p); p += 4; s->data_ptr = p; - if (p >= s->data_end) + if (p >= s->data_end) { + s->status &= ~DRQ_STAT; s->end_transfer_func(s); + } return ret; }