qemu/hw
Kevin Wolf 6cc8a11c84 fdc: Fix MSR.RQM flag
The RQM bit in MSR should be set whenever the guest is supposed to
access the FIFO, and it should be cleared in all other cases. This is
important so the guest can't continue writing/reading the FIFO beyond
the length that it's supposed to access (see CVE-2015-3456).

Commit e9077462 fixed the CVE by adding code that avoids the buffer
overflow; however it doesn't correct the wrong behaviour of the floppy
controller which should already have cleared RQM.

Currently, RQM stays set all the time and during all phases while a
command is being processed. This is error-prone because the command has
to explicitly clear the flag if it doesn't need data (and indeed, the
two buggy commands that are the culprits for the CVE just forgot to do
that).

This patch clears RQM immediately as soon as all bytes that are expected
have been received. If the FIFO is used in the next phase, the flag
has to be set explicitly there.

It also clears RQM after receiving all bytes even if the phase transition
immediately sets it again. While it's technically not necessary at the
moment because the state between clearing and setting RQM is not
observable by the guest, this is more explicit and matches how real
hardware works. It will actually become necessary in qemu once
asynchronous code paths are introduced.

This alone should have been enough to fix the CVE, but now we have two
lines of defense - even better.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id: 1432214378-31891-8-git-send-email-kwolf@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>
2015-06-02 13:34:44 -04:00
9pfs virtio: make features 64bit wide 2015-06-01 14:18:55 +02:00
acpi hw/acpi/aml-build: Fix memory leak 2015-06-01 14:18:54 +02:00
alpha Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
arm hw/arm/virt: Enable dynamic generation of ACPI v5.1 tables 2015-05-29 11:28:59 +01:00
audio gus: clean up MemoryRegionPortio 2015-04-27 18:24:18 +02:00
block fdc: Fix MSR.RQM flag 2015-06-02 13:34:44 -04:00
bt bt-sdp: fix broken uuids power-of-2 calculation 2015-04-28 15:36:08 +02:00
char virtio: make features 64bit wide 2015-06-01 14:18:55 +02:00
core qdev: add 64bit properties 2015-06-01 14:18:55 +02:00
cpu icc_bus: fix typo ICC_BRIGDE -> ICC_BRIDGE 2014-11-03 19:51:56 +03:00
cris cris: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-04-11 20:03:57 +10:00
display spice: don't update mm_time when spice-server is stopped. 2015-05-29 09:56:01 +02:00
dma Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
gpio Convert ffs() != 0 callers to ctz32() 2015-04-28 15:36:08 +02:00
i2c ACPI: split CONFIG_ACPI into 4 pieces 2015-05-29 11:28:59 +01:00
i386 acpi: add missing ssdt 2015-06-01 21:40:22 +02:00
ide ahci: do not remap clb/fis unconditionally 2015-05-22 15:58:22 -04:00
input virtio: make features 64bit wide 2015-06-01 14:18:55 +02:00
intc hw/intc/arm_gic: Add grouping support to gic_update() 2015-05-12 11:57:18 +01:00
ipack pci: Trivial device model conversions to realize 2015-02-26 12:42:16 +01:00
isa hw: Mark devices picking up char backends actively FIXME 2015-04-02 15:30:28 +02:00
lm32 lm32: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-04-10 14:12:20 +01:00
m68k m68k: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-03-25 14:35:24 +01:00
mem pc-dimm: Add description for device list. 2015-03-19 11:17:36 +03:00
microblaze microblaze: fix memory leak 2015-04-30 16:06:18 +03:00
mips target-mips: fix memory leak 2015-04-30 16:06:17 +03:00
misc misc: Fix new collection of typos 2015-04-30 16:05:48 +03:00
moxie memory: add parameter errp to memory_region_init_ram 2014-09-09 13:41:43 +02:00
net vhost-user: add multi queue support 2015-06-01 14:18:55 +02:00
nvram fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
openrisc hw/core/loader: implement address translation in uimage loader 2014-11-03 00:59:10 +03:00
pci xen: don't allow guest to control MSI mask register 2015-06-02 15:07:00 +00:00
pci-bridge pci: Remove unused function ich9_d2pbr_init() 2015-04-30 16:05:48 +03:00
pci-host Convert (ffs(val) - 1) to ctz32(val) 2015-04-28 15:36:08 +02:00
pcmcia hmp: Remove "info pcmcia" 2014-10-24 12:19:11 +01:00
ppc spapr: define SPAPR_COMPAT_2_3 2015-05-31 16:26:41 +02:00
s390x virtio-s390: introduce virtio_s390_device_plugged() 2015-05-31 16:47:50 +02:00
scsi virtio: make features 64bit wide 2015-06-01 14:18:55 +02:00
sd hw/sd: Don't pass BlockBackend to sd_reset() 2015-05-12 11:57:16 +01:00
sh4 Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
sparc sparc: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-03-25 14:36:14 +01:00
sparc64 fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
ssi omap: Fix warnings from Sparse 2015-03-19 11:11:55 +03:00
timer Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
tpm TPM2 ACPI table support 2015-06-01 14:18:54 +02:00
tricore target-tricore: check return value before using it 2014-11-02 10:04:34 +03:00
unicore32 unicore32: Use uc32_cpu_init() 2015-03-10 17:07:28 +01:00
usb trivial patches for 2015-05-09 2015-05-11 13:54:00 +01:00
vfio exec: move rcu_read_lock/unlock to address_space_translate callers 2015-04-30 16:55:32 +02:00
virtio vhost-user: add multi queue support 2015-06-01 14:18:55 +02:00
watchdog i6300esb: Fix signed integer overflow 2015-03-25 13:38:05 +01:00
xen xen/pt: unknown PCI config space fields should be read-only 2015-06-02 15:07:01 +00:00
xenpv hw: Convert from BlockDriverState to BlockBackend, mostly 2014-10-20 14:02:25 +02:00
xtensa xtensa: Remove superfluous '\n' around error_report() 2015-03-10 08:15:33 +03:00
Makefile.objs vfio: move hw/misc/vfio.c to hw/vfio/pci.c Move vfio.h into include/hw/vfio 2014-12-19 15:24:06 -07:00