From: Kevin Wolf Date: Mon, 27 Jul 2015 03:42:53 +0000 (-0400) Subject: ide: Clear DRQ after handling all expected accesses (CVE-2015-5154) X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=fad385b9831595b4d8d76d9079be72f2e7bddaec;p=qemu-upstream-4.2-testing.git ide: Clear DRQ after handling all expected accesses (CVE-2015-5154) This is additional hardening against an end_transfer_func that fails to clear the DRQ status bit. The bit must be unset as soon as the PIO transfer has completed, so it's better to do this in a central place instead of duplicating the code in all commands (and forgetting it in some). upstream-commit-id: cb72cba83021fa42719e73a5249c12096a4d1cfc Signed-off-by: Kevin Wolf Reviewed-by: John Snow Signed-off-by: Stefano Stabellini --- diff --git a/hw/ide/core.c b/hw/ide/core.c index f0ef026d7..ad8bc23a9 100644 --- a/hw/ide/core.c +++ b/hw/ide/core.c @@ -1666,8 +1666,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) *(uint16_t *)p = le16_to_cpu(val); p += 2; s->data_ptr = p; - if (p >= s->data_end) + if (p >= s->data_end) { + s->status &= ~DRQ_STAT; s->end_transfer_func(s); + } } uint32_t ide_data_readw(void *opaque, uint32_t addr) @@ -1691,8 +1693,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) ret = cpu_to_le16(*(uint16_t *)p); p += 2; s->data_ptr = p; - if (p >= s->data_end) + if (p >= s->data_end) { + s->status &= ~DRQ_STAT; s->end_transfer_func(s); + } return ret; } @@ -1716,8 +1720,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) *(uint32_t *)p = le32_to_cpu(val); p += 4; s->data_ptr = p; - if (p >= s->data_end) + if (p >= s->data_end) { + s->status &= ~DRQ_STAT; s->end_transfer_func(s); + } } uint32_t ide_data_readl(void *opaque, uint32_t addr) @@ -1741,8 +1747,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) ret = cpu_to_le32(*(uint32_t *)p); p += 4; s->data_ptr = p; - if (p >= s->data_end) + if (p >= s->data_end) { + s->status &= ~DRQ_STAT; s->end_transfer_func(s); + } return ret; }