78402cc18f
CVE-2015-3456 fdc: force the fifo access to be in bounds of the allocated buffer During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest. Fix this by making sure that the index is always bounded by the allocated memory. CVE-2015-3209 pcnet: force the buffer access to be in bounds during tx 4096 is the maximum length per TMD and it is also currently the size of the relay buffer pcnet driver uses for sending the packet data to QEMU for further processing. With packet spanning multiple TMDs it can happen that the overall packet size will be bigger than sizeof(buffer), which results in memory corruption. Fix this by only allowing to queue maximum sizeof(buffer) bytes.
72 lines
2.4 KiB
Plaintext
72 lines
2.4 KiB
Plaintext
$OpenBSD: patch-hw_block_fdc_c,v 1.1 2015/07/18 20:36:57 sthen Exp $
|
|
|
|
fdc: force the fifo access to be in bounds of the allocated buffer
|
|
|
|
During processing of certain commands such as FD_CMD_READ_ID and
|
|
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
|
|
get out of bounds leading to memory corruption with values coming
|
|
from the guest.
|
|
|
|
Fix this by making sure that the index is always bounded by the
|
|
allocated memory.
|
|
|
|
CVE-2015-3456
|
|
|
|
--- hw/block/fdc.c.orig Tue Jul 14 19:14:04 2015
|
|
+++ hw/block/fdc.c Tue Jul 14 19:18:07 2015
|
|
@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
|
{
|
|
FDrive *cur_drv;
|
|
uint32_t retval = 0;
|
|
- int pos;
|
|
+ uint32_t pos;
|
|
|
|
cur_drv = get_cur_drv(fdctrl);
|
|
fdctrl->dsr &= ~FD_DSR_PWRDOWN;
|
|
@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
|
|
return 0;
|
|
}
|
|
pos = fdctrl->data_pos;
|
|
+ pos %= FD_SECTOR_LEN;
|
|
if (fdctrl->msr & FD_MSR_NONDMA) {
|
|
- pos %= FD_SECTOR_LEN;
|
|
if (pos == 0) {
|
|
if (fdctrl->data_pos != 0)
|
|
if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
|
|
@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int d
|
|
static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
|
|
{
|
|
FDrive *cur_drv = get_cur_drv(fdctrl);
|
|
+ uint32_t pos;
|
|
|
|
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
|
|
+ pos = fdctrl->data_pos - 1;
|
|
+ pos %= FD_SECTOR_LEN;
|
|
+ if (fdctrl->fifo[pos] & 0x80) {
|
|
/* Command parameters done */
|
|
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
|
|
+ if (fdctrl->fifo[pos] & 0x40) {
|
|
fdctrl->fifo[0] = fdctrl->fifo[1];
|
|
fdctrl->fifo[2] = 0;
|
|
fdctrl->fifo[3] = 0;
|
|
@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
|
|
static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
|
|
{
|
|
FDrive *cur_drv;
|
|
- int pos;
|
|
+ uint32_t pos;
|
|
|
|
/* Reset mode */
|
|
if (!(fdctrl->dor & FD_DOR_nRESET)) {
|
|
@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t
|
|
}
|
|
|
|
FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
|
|
- fdctrl->fifo[fdctrl->data_pos++] = value;
|
|
+ pos = fdctrl->data_pos++;
|
|
+ pos %= FD_SECTOR_LEN;
|
|
+ fdctrl->fifo[pos] = value;
|
|
if (fdctrl->data_pos == fdctrl->data_len) {
|
|
/* We now have all parameters
|
|
* and will be able to treat the command
|