[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [qemu-upstream-unstable] ide: Clear DRQ after handling all expected accesses (CVE-2015-5154)

commit f748613efca3cd444db26d5aae9244ffa7d7d313
Author:     Kevin Wolf <kwolf@xxxxxxxxxx>
AuthorDate: Sun Jul 26 23:42:53 2015 -0400
Commit:     Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
CommitDate: Wed Jul 29 15:35:25 2015 +0000

    ide: Clear DRQ after handling all expected accesses (CVE-2015-5154)
    
    This is additional hardening against an end_transfer_func that fails to
    clear the DRQ status bit. The bit must be unset as soon as the PIO
    transfer has completed, so it's better to do this in a central place
    instead of duplicating the code in all commands (and forgetting it in
    some).
    
    upstream-commit-id: cb72cba83021fa42719e73a5249c12096a4d1cfc
    
    Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
    Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
    Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
---
 hw/ide/core.c |   16 ++++++++++++----
 1 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/hw/ide/core.c b/hw/ide/core.c
index a4467e9..1d64bca 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2020,8 +2020,10 @@ void ide_data_writew(void *opaque, uint32_t addr, 
uint32_t val)
     *(uint16_t *)p = le16_to_cpu(val);
     p += 2;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
 }
 
 uint32_t ide_data_readw(void *opaque, uint32_t addr)
@@ -2045,8 +2047,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
     ret = cpu_to_le16(*(uint16_t *)p);
     p += 2;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
     return ret;
 }
 
@@ -2070,8 +2074,10 @@ void ide_data_writel(void *opaque, uint32_t addr, 
uint32_t val)
     *(uint32_t *)p = le32_to_cpu(val);
     p += 4;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
 }
 
 uint32_t ide_data_readl(void *opaque, uint32_t addr)
@@ -2095,8 +2101,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
     ret = cpu_to_le32(*(uint32_t *)p);
     p += 4;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
     return ret;
 }
 
--
generated by git-patchbot for /home/xen/git/qemu-upstream-unstable.git

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.