cce96bf59a
Fix qemu-img map crash for unaligned image (bz #1229394) CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536) CVE-2015-3214: i8254: out-of-bounds memory access (bz #1243728) CVE-2015-5158: scsi stack buffer overflow (bz #1246025) CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access (bz #1247141) CVE-2015-5166: BlockBackend object use after free issue (bz #1249758) CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160) CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest (bz #1249755)
41 lines
1.3 KiB
Diff
41 lines
1.3 KiB
Diff
From: Petr Matousek <pmatouse@redhat.com>
|
|
Date: Wed, 17 Jun 2015 12:46:11 +0200
|
|
Subject: [PATCH] i8254: fix out-of-bounds memory access in pit_ioport_read()
|
|
|
|
Due converting PIO to the new memory read/write api we no longer provide
|
|
separate I/O region lenghts for read and write operations. As a result,
|
|
reading from PIT Mode/Command register will end with accessing
|
|
pit->channels with invalid index.
|
|
|
|
Fix this by ignoring read from the Mode/Command register.
|
|
|
|
This is CVE-2015-3214.
|
|
|
|
Reported-by: Matt Tait <matttait@google.com>
|
|
Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052
|
|
Cc: qemu-stable@nongnu.org
|
|
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
(cherry picked from commit d4862a87e31a51de9eb260f25c9e99a75efe3235)
|
|
---
|
|
hw/timer/i8254.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c
|
|
index 3450c98..9b65a33 100644
|
|
--- a/hw/timer/i8254.c
|
|
+++ b/hw/timer/i8254.c
|
|
@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
|
|
PITChannelState *s;
|
|
|
|
addr &= 3;
|
|
+
|
|
+ if (addr == 3) {
|
|
+ /* Mode/Command register is write only, read is ignored */
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
s = &pit->channels[addr];
|
|
if (s->status_latched) {
|
|
s->status_latched = 0;
|