qemu/hw
Petr Matousek e907746266 fdc: force the fifo access to be in bounds of the allocated buffer
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.

Fix this by making sure that the index is always bounded by the
allocated memory.

This is CVE-2015-3456.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
2015-05-12 18:52:57 -04:00
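The bounding the commit message describes, reduced to a toy model (this is an added illustration, not the project's hw/block/fdc.c): a fixed-size FIFO whose index is advanced one byte at a time by guest-controlled data, a neighbouring field standing in for whatever the allocator placed after the buffer, and the two index policies side by side. The vulnerable path trusts the index as-is (routed through the struct's byte representation so the demo stays inside the allocated object and is deterministic); the fixed path reduces the index modulo the buffer length before every access. FIFO_LEN, FdcModel and the helper names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a floppy-controller FIFO (example only, not QEMU's fdc.c).
 * FIFO_LEN stands in for the fixed sector-sized buffer; 'neighbour' models
 * the state that happens to follow it in memory. Both are assumptions. */
#define FIFO_LEN 512
#define NEIGHBOUR_LEN 64

typedef struct {
    uint8_t  fifo[FIFO_LEN];
    uint8_t  neighbour[NEIGHBOUR_LEN];
    uint32_t data_pos;   /* next FIFO index; advanced once per guest byte */
} FdcModel;

static void fdc_reset(FdcModel *s)
{
    memset(s, 0, sizeof(*s));
    memset(s->neighbour, 0xA5, NEIGHBOUR_LEN);   /* canary pattern */
}

/* Vulnerable pattern: data_pos is used as a raw index into fifo[].
 * The store goes through the object's byte representation so the demo never
 * leaves the allocated struct; it returns the byte offset written, or -1 if
 * the index would run past the end of the model. */
static long fdc_write_unchecked(FdcModel *s, uint8_t value)
{
    size_t off = offsetof(FdcModel, fifo) + s->data_pos++;
    if (off >= sizeof(*s)) {
        return -1;
    }
    ((uint8_t *)s)[off] = value;
    return (long)off;
}

/* Fixed pattern: the index is reduced modulo the buffer length before use,
 * so no value of data_pos can reach memory outside fifo[]. */
static long fdc_write_bounded(FdcModel *s, uint8_t value)
{
    uint32_t pos = s->data_pos++;
    pos %= FIFO_LEN;
    s->fifo[pos] = value;
    return (long)pos;
}

/* Count how many canary bytes in 'neighbour' no longer hold the pattern. */
static size_t neighbour_bytes_corrupted(const FdcModel *s)
{
    size_t n = 0;
    for (size_t i = 0; i < NEIGHBOUR_LEN; i++) {
        if (s->neighbour[i] != 0xA5) {
            n++;
        }
    }
    return n;
}

/* Feed 'count' guest bytes through the unchecked path; returns corrupted
 * neighbour bytes (count must stay below FIFO_LEN + NEIGHBOUR_LEN). */
static size_t run_unchecked(size_t count)
{
    FdcModel s;
    fdc_reset(&s);
    for (size_t i = 0; i < count; i++) {
        fdc_write_unchecked(&s, 0x41);
    }
    return neighbour_bytes_corrupted(&s);
}

/* Same traffic through the bounded path. */
static size_t run_bounded(size_t count)
{
    FdcModel s;
    fdc_reset(&s);
    for (size_t i = 0; i < count; i++) {
        fdc_write_bounded(&s, 0x41);
    }
    return neighbour_bytes_corrupted(&s);
}

/* Start with an arbitrary (e.g. guest-influenced) data_pos and report the
 * index the bounded path actually uses. */
static long bounded_probe(uint32_t start)
{
    FdcModel s;
    fdc_reset(&s);
    s.data_pos = start;
    return fdc_write_bounded(&s, 0x42);
}

int main(void)
{
    printf("unchecked, %d bytes: %zu neighbour bytes corrupted\n",
           FIFO_LEN + 10, run_unchecked(FIFO_LEN + 10));
    printf("bounded,   %d bytes: %zu neighbour bytes corrupted\n",
           FIFO_LEN + 10, run_bounded(FIFO_LEN + 10));
    printf("bounded index for data_pos=0xFFFFFFFF: %ld\n",
           bounded_probe(0xFFFFFFFFu));
    return 0;
}
```

The point the model makes is that the wrap must happen at every FIFO access, not only where the index is first set: the commands named in the message keep advancing `data_pos` under guest control, so a check applied once at command start would not help. Reducing the index modulo the buffer length (or masking, when the length is a power of two) makes the access in bounds regardless of how the index got there.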
9pfs 9pfs: Fix warnings from Sparse 2015-03-19 11:11:55 +03:00
acpi pc, virtio enhancements 2015-05-11 16:25:33 +01:00
alpha Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
arm hw/arm/highbank.c: Wire FIQ between CPU <> GIC 2015-05-12 11:57:19 +01:00
audio gus: clean up MemoryRegionPortio 2015-04-27 18:24:18 +02:00
block fdc: force the fifo access to be in bounds of the allocated buffer 2015-05-12 18:52:57 -04:00
bt bt-sdp: fix broken uuids power-of-2 calculation 2015-04-28 15:36:08 +02:00
char sclp: sort into categories 2015-04-30 13:21:41 +02:00
core pc, virtio enhancements 2015-05-11 16:25:33 +01:00
cpu icc_bus: fix typo ICC_BRIGDE -> ICC_BRIDGE 2014-11-03 19:51:56 +03:00
cris cris: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-04-11 20:03:57 +10:00
display hw/display : remove 'struct' from 'typedef QXL struct' 2015-04-30 16:05:48 +03:00
dma Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
gpio Convert ffs() != 0 callers to ctz32() 2015-04-28 15:36:08 +02:00
i2c Convert ffs() != 0 callers to ctz32() 2015-04-28 15:36:08 +02:00
i386 pc, virtio enhancements 2015-05-11 16:25:33 +01:00
ide ide: there is only one data port 2015-04-27 18:24:19 +02:00
input adb.c: include ADBDevice parent state in KBDState and MouseState 2015-03-09 15:00:04 +01:00
intc hw/intc/arm_gic: Add grouping support to gic_update() 2015-05-12 11:57:18 +01:00
ipack pci: Trivial device model conversions to realize 2015-02-26 12:42:16 +01:00
isa hw: Mark devices picking up char backends actively FIXME 2015-04-02 15:30:28 +02:00
lm32 lm32: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-04-10 14:12:20 +01:00
m68k m68k: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-03-25 14:35:24 +01:00
mem pc-dimm: Add description for device list. 2015-03-19 11:17:36 +03:00
microblaze microblaze: fix memory leak 2015-04-30 16:06:18 +03:00
mips target-mips: fix memory leak 2015-04-30 16:06:17 +03:00
misc misc: Fix new collection of typos 2015-04-30 16:05:48 +03:00
moxie memory: add parameter errp to memory_region_init_ram 2014-09-09 13:41:43 +02:00
net -----BEGIN PGP SIGNATURE----- 2015-05-12 10:40:31 +01:00
nvram fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
openrisc hw/core/loader: implement address translation in uimage loader 2014-11-03 00:59:10 +03:00
pci pc, virtio enhancements 2015-05-11 16:25:33 +01:00
pci-bridge pci: Remove unused function ich9_d2pbr_init() 2015-04-30 16:05:48 +03:00
pci-host Convert (ffs(val) - 1) to ctz32(val) 2015-04-28 15:36:08 +02:00
pcmcia hmp: Remove "info pcmcia" 2014-10-24 12:19:11 +01:00
ppc pc, virtio enhancements 2015-05-11 16:25:33 +01:00
s390x pc, virtio enhancements 2015-05-11 16:25:33 +01:00
scsi pc, virtio enhancements 2015-05-11 16:25:33 +01:00
sd hw/sd: Don't pass BlockBackend to sd_reset() 2015-05-12 11:57:16 +01:00
sh4 Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
sparc sparc: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-03-25 14:36:14 +01:00
sparc64 fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
ssi omap: Fix warnings from Sparse 2015-03-19 11:11:55 +03:00
timer Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
tpm tpm: fix coding style 2015-04-30 16:05:48 +03:00
tricore target-tricore: check return value before using it 2014-11-02 10:04:34 +03:00
unicore32 unicore32: Use uc32_cpu_init() 2015-03-10 17:07:28 +01:00
usb trivial patches for 2015-05-09 2015-05-11 13:54:00 +01:00
vfio exec: move rcu_read_lock/unlock to address_space_translate callers 2015-04-30 16:55:32 +02:00
virtio pc, virtio enhancements 2015-05-11 16:25:33 +01:00
watchdog i6300esb: Fix signed integer overflow 2015-03-25 13:38:05 +01:00
xen xen: limit guest control of PCI command register 2015-04-09 23:37:21 +01:00
xenpv hw: Convert from BlockDriverState to BlockBackend, mostly 2014-10-20 14:02:25 +02:00
xtensa xtensa: Remove superfluous '\n' around error_report() 2015-03-10 08:15:33 +03:00
Makefile.objs vfio: move hw/misc/vfio.c to hw/vfio/pci.c Move vfio.h into include/hw/vfio 2014-12-19 15:24:06 -07:00