pool/xen
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3e3107a7e2
xen/CVE-2015-5154-qemuu-check-array-bounds-before-writing-to-io_buffer.patch
Charles Arnold b5fb5e90fb - bsc#939712 - VUL-0: XSA-140: QEMU leak of uninitialized heap 
memory in rtl8139 device model
  xsa140-qemuu-1.patch
  xsa140-qemuu-2.patch
  xsa140-qemuu-3.patch
  xsa140-qemuu-4.patch
  xsa140-qemuu-5.patch
  xsa140-qemuu-6.patch
  xsa140-qemuu-7.patch
  xsa140-qemut-1.patch
  xsa140-qemut-2.patch
  xsa140-qemut-3.patch
  xsa140-qemut-4.patch
  xsa140-qemut-5.patch
  xsa140-qemut-6.patch
  xsa140-qemut-7.patch
- bsc#939709 - VUL-0: XSA-139: xen: Use after free in QEMU/Xen
  block unplug protocol
  xsa139-qemuu.patch

- bsc#937371 - xen vm's running after reboot
  xendomains-libvirtd-conflict.patch

- bsc#938344 - VUL-0: CVE-2015-5154: qemu,kvm,xen: host code
  execution via IDE subsystem CD-ROM  
  CVE-2015-5154-qemuu-check-array-bounds-before-writing-to-io_buffer.patch
  CVE-2015-5154-qemut-check-array-bounds-before-writing-to-io_buffer.patch
  CVE-2015-5154-qemuu-fix-START-STOP-UNIT-command-completion.patch
  CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
  CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=371
2015-08-11 22:49:00 +00:00

75 lines
2.1 KiB
Diff
Raw Blame History

From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 3 Jun 2015 14:13:31 +0200
Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
(CVE-2015-5154)
If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.
One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.
This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
hw/ide/core.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
Index: xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
===================================================================
--- xen-4.5.1-testing.orig/tools/qemu-xen-dir-remote/hw/ide/core.c
+++ xen-4.5.1-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
@@ -1901,6 +1901,10 @@ void ide_data_writew(void *opaque, uint3
}
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return;
+ }
+
*(uint16_t *)p = le16_to_cpu(val);
p += 2;
s->data_ptr = p;
@@ -1922,6 +1926,10 @@ uint32_t ide_data_readw(void *opaque, ui
}
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le16(*(uint16_t *)p);
p += 2;
s->data_ptr = p;
@@ -1943,6 +1951,10 @@ void ide_data_writel(void *opaque, uint3
}
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return;
+ }
+
*(uint32_t *)p = le32_to_cpu(val);
p += 4;
s->data_ptr = p;
@@ -1964,6 +1976,10 @@ uint32_t ide_data_readl(void *opaque, ui
}
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le32(*(uint32_t *)p);
p += 4;
s->data_ptr = p;
Reference in New Issue View Git Blame Copy Permalink