mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
qemu/hw
History
Markus Armbruster 7e62255a4b ccid: Fix buffer overrun in handling of VSC_ATR message 
ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].

The message is read from a character device.  Obvious security
implications unless the other end of the character device is trusted.

Spotted by Coverity.  CVE-2011-4111.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-11-28 16:20:53 -06:00
..
9pfs
9pfs: improve portability to older systems
2011-11-28 16:19:57 -06:00
ide
atapi: kill MODE SENSE(6), fix MODE SENSE(10)
2011-11-18 13:54:32 +01:00
9p.h
a9mpcore.c
ac97.c
ac97: don't override the pci subsystem id
2011-11-07 10:57:37 -06:00
acpi_piix4.c
acpi.c
acpi.h
adb.c
adb.h
adlib.c
ads7846.c
alpha_dp264.c
alpha_pci.c
alpha_sys.h
alpha_typhoon.c
an5206.c
apb_pci.c
apb_pci.h
apic.c
apic.h
apm.c
apm.h
applesmc.c
arm11mpcore.c
arm_boot.c
arm_gic.c
arm_pic.c
arm_sysctl.c
hw/arm_sysctl: Fix RESETCTL for realview-pb-a8 and -pbx-a9
2011-11-14 03:09:20 +01:00
arm_timer.c
hw/arm_timer.c: Fix bounds check for Integrator timer accesses
2011-11-11 12:49:53 -06:00
arm-misc.h
armv7m_nvic.c
armv7m.c
audiodev.h
axis_dev88.c
baum.c
baum.h
bitbang_i2c.c
bitbang_i2c.h
blizzard_template.h
blizzard.c
boards.h
bonito.c
bt-hci-csr.c
bt-hci.c
bt-hid.c
bt-l2cap.c
bt-sdp.c
bt.c
bt.h
cbus.c
ccid-card-emulated.c
ccid-card-passthru.c
ccid: Fix buffer overrun in handling of VSC_ATR message
2011-11-28 16:20:53 -06:00
ccid.h
cdrom.c
cirrus_vga_rop2.h
cirrus_vga_rop.h
cirrus_vga.c
collie.c
cris_pic_cpu.c
cris-boot.c
cris-boot.h
cs4231.c
cs4231a.c
cuda.c
debugcon.c
dec_pci.c
dec_pci.h
device-hotplug.c
devices.h
dma.c
dp8393x.c
ds1225y.c
ds1338.c
dummy_m68k.c
e1000_hw.h
e1000.c
ecc.c
eccmemctl.c
eepro100.c
eepro100: Fix alignment requirement for statistical counters
2011-11-28 11:36:34 -06:00
eeprom93xx.c
eeprom93xx.h
elf_ops.h
empty_slot.c
empty_slot.h
es1370.c
escc.c
escc.h
esp.c
esp.h
etraxfs_dma.c
etraxfs_dma.h
etraxfs_eth.c
etraxfs_pic.c
etraxfs_ser.c
etraxfs_timer.c
etraxfs.h
fdc.c
fdc.h
firmware_abi.h
flash.h
fmopl.c
fmopl.h
framebuffer.c
framebuffer.h
fw_cfg.c
fw_cfg.h
g364fb.c
grackle_pci.c
grlib_apbuart.c
grlib_gptimer.c
grlib_irqmp.c
grlib.h
gt64xxx.c
gumstix.c
gus.c
gusemu_hal.c
gusemu_mixer.c
gusemu.h
gustate.h
hda-audio.c
heathrow_pic.c
hid.c
hid.h
hpet_emul.h
hpet.c
hpet: fix infinite loop in qemu_run_timers with -icount enabled
2011-11-09 12:06:20 -06:00
hw.h
i2c.c
i2c.h
i8254.c
i8259.c
ide.h
integratorcp.c
intel-hda-defs.h
intel-hda.c
intel-hda.h
ioapic.c
ioapic.h
ioh3420.c
ioh3420.h
irq.c
irq.h
isa_mmio.c
isa-bus.c
isa.h
ivshmem.c
ivshmem: fix PCI BAR2 registration during initialization
2011-11-21 15:05:59 -06:00
jazz_led.c
kvmclock.c
kvmclock.h
lan9118.c
hw/lan9118.c: Add missing 'break' to fix buffer overrun
2011-11-10 12:29:50 +00:00
lance.c
leon3.c
lm32_boards.c
lm32_hwsetup.h
lm32_juart.c
lm32_juart.h
lm32_pic.c
lm32_pic.h
lm32_sys.c
lm32_timer.c
lm32_uart.c
lm32.h
lm832x.c
lm4549.c
lm4549.h
loader.c
loader: Fix read_targphys() to behave when read() fails
2011-11-19 11:23:42 +00:00
loader.h
loader: Fix read_targphys() to behave when read() fails
2011-11-19 11:23:42 +00:00
lsi53c895a.c
m48t59.c
mac_dbdma.c
mac_dbdma.h
mac_nvram.c
macio.c
mainstone.c
marvell_88w8618_audio.c
max111x.c
max7310.c
mc146818rtc.c
mc146818rtc.h
mcf5206.c
mcf5208.c
mcf_fec.c
mcf_intc.c
mcf_uart.c
mcf.h
microblaze_pic_cpu.c
microblaze_pic_cpu.h
milkymist-ac97.c
milkymist-hpdmc.c
milkymist-hw.h
milkymist-memcard.c
milkymist-minimac2.c
milkymist-pfpu.c
milkymist-softusb.c
milkymist-sysctl.c
milkymist-tmu2.c
milkymist-uart.c
milkymist-vgafb_template.h
milkymist-vgafb.c
milkymist.c
mips_addr.c
mips_cpudevs.h
mips_fulong2e.c
mips_int.c
mips_jazz.c
mips_malta.c
mips_mipssim.c
Fix spelling in documentation and comments (similiar -> similar)
2011-11-17 12:57:36 +00:00
mips_r4k.c
mips_timer.c
mips-bios.h
mips.h
mipsnet.c
mpc8544_guts.c
mpcore.c
msi.c
msi.h
msix.c
msix: avoid mask updates if mask is unchanged
2011-11-21 15:05:59 -06:00
msix.h
msmouse.c
msmouse.h
mst_fpga.c
multiboot.c
multiboot.h
musicpal.c
nand.c
hw/nand: reject read-only drives
2011-11-14 03:19:18 +01:00
ne2000-isa.c
ne2000.c
ne2000.h
nseries.c
nvram.h
omap1.c
omap2.c
omap_clk.c
omap_dma.c
omap_dss.c
hw/omap_dss.c: Fix !-vs-~ bug in handling DISPC_CONTROL
2011-11-09 12:06:20 -06:00
omap_gpio.c
hw/omap_gpio: Fix infinite recursion when doing 8/16 bit reads
2011-11-14 11:26:32 -06:00
omap_gpmc.c
hw/omap_gpmc.c: Add missing 'break's to fix 8 bit NAND writes
2011-11-09 12:06:20 -06:00
omap_gptimer.c
omap_i2c.c
omap_intc.c
hw/omap_intc.c: Avoid crash on access to nonexistent banked registers
2011-11-11 12:49:52 -06:00
omap_l4.c
omap_lcd_template.h
omap_lcdc.c
omap_mmc.c
omap_sdrc.c
omap_spi.c
omap_sx1.c
omap_synctimer.c
omap_tap.c
omap_uart.c
omap.h
onenand.c
hw/onenand: reject read-only drives
2011-11-14 03:22:30 +01:00
opencores_eth.c
openpic.c
openpic.h
palm.c
parallel.c
pc_piix.c
pc_piix: set qxl revision to 2 for pc-0.14
2011-11-14 11:26:32 -06:00
pc.c
hw/pc.c: Fix use-while-uninitialized of fd_type[]
2011-11-11 14:02:59 +01:00
pc.h
pci_bridge.c
pci_bridge.h
pci_host.c
pci_host.h
pci_ids.h
pci_internals.h
pci_regs.h
pci-hotplug.c
usb-msd: do not register twice in the boot order
2011-11-22 10:33:30 +01:00
pci-stub.c
pci.c
pci.h
msix: track function masked in pci device state
2011-11-21 15:05:59 -06:00
pcie_aer.c
pcie_aer.h
pcie_host.c
pcie_host.h
pcie_port.c
pcie_port.h
pcie_regs.h
pcie.c
pcie.h
pckbd.c
pcmcia.h
pcnet-pci.c
pcnet.c
pcnet.h
pcspk.c
petalogix_ml605_mmu.c
petalogix_s3adsp1800_mmu.c
pflash_cfi01.c
pflash_cfi02.c
piix4.c
piix_pci.c
pixel_ops.h
pl011.c
pl022.c
pl031.c
pl041.c
pl041.h
pl041.hx
pl050.c
pl061.c
hw/pl061: Remove pointless comparison of array to null
2011-11-11 12:49:53 -06:00
pl080.c
pl110_template.h
pl110.c
pl181.c
pl190.c
pm_smbus.c
pm_smbus.h
ppc4xx_devs.c
ppc4xx_pci.c
ppc4xx.h
ppc405_boards.c
ppc405_uc.c
ppc405.h
ppc440_bamboo.c
ppc440.c
ppc440.h
ppc_booke.c
ppc_mac.h
ppc_newworld.c
ppc_oldworld.c
ppc_prep.c
ppc-viosrp.h
ppc.c
ppc.h
ppce500_mpc8544ds.c
ppce500_pci.c
ppce500_spin.c
prep_pci.c
prep_pci.h
primecell.h
ps2.c
ps2.h
ptimer.c
pxa2xx_dma.c
pxa2xx_gpio.c
pxa2xx_keypad.c
pxa2xx_lcd.c
pxa2xx_mmci.c
pxa2xx_pcmcia.c
pxa2xx_pic.c
pxa2xx_template.h
pxa2xx_timer.c
pxa2xx.c
hw/pxa2xx.c: Fix handling of RW bits in PMCR
2011-11-14 02:26:20 +01:00
pxa.h
qdev-addr.c
qdev-addr.h
qdev-properties.c
qdev.c
qdev: Fix crash on -device '?=x'
2011-11-10 12:29:50 +00:00
qdev.h
qxl-logger.c
qxl-render.c
qxl.c
qxl: fix vga port initialization.
2011-11-07 10:57:37 -06:00
qxl.h
r2d.c
rc4030.c
realview_gic.c
realview.c
rtl8139.c
rtl8139: Fix invalid IO access alignment
2011-11-23 10:36:59 +00:00
s390-virtio-bus.c
virtio: add and use virtio_set_features
2011-11-28 11:36:28 -06:00
s390-virtio-bus.h
s390-virtio.c
s390x: initialize virtio dev region
2011-11-14 17:47:27 +01:00
sb16.c
sbi.c
scsi-bus.c
scsi: fix fw path
2011-11-22 10:33:30 +01:00
scsi-defs.h
scsi: update list of commands
2011-11-18 13:57:16 +01:00
scsi-disk.c
scsi-block: always use SG_IO for MMC devices
2011-11-18 14:14:32 +01:00
scsi-generic.c
scsi-generic: add as boot device
2011-11-22 10:33:30 +01:00
scsi.h
usb-msd: do not register twice in the boot order
2011-11-22 10:33:30 +01:00
sd.c
sd.h
serial.c
sga.c
sh7750_regnames.c
sh7750_regnames.h
sh7750_regs.h
sh7750.c
sh_intc.c
sh_intc.h
sh_pci.c
sh_serial.c
sh_timer.c
sh.h
sharpsl.h
shix.c
slavio_intctl.c
slavio_misc.c
slavio_timer.c
sm501_template.h
sm501.c
smbios.c
smbios.h
smbus_eeprom.c
smbus.c
smbus.h
smc91c111.c
soc_dma.c
soc_dma.h
spapr_hcall.c
spapr_llan.c
spapr_pci.c
spapr_pci.h
spapr_rtas.c
spapr_vio.c
pseries: Fix qdev.id handling in the VIO bus code
2011-11-18 14:26:30 +01:00
spapr_vio.h
spapr_vscsi.c
spapr_vty.c
pseries: Allow kernel's early debug output to work
2011-11-18 14:22:46 +01:00
spapr.c
pseries: Correct RAM size check for SLOF
2011-11-18 14:22:45 +01:00
spapr.h
sparc32_dma.c
sparc32_dma.h
spitz.c
srp.h
ssd0303.c
ssd0323.c
ssi-sd.c
ssi.c
ssi.h
stellaris_enet.c
stellaris_input.c
stellaris.c
strongarm.c
strongarm.h
sun4c_intctl.c
sun4m_iommu.c
sun4m.c
sun4m.h
sun4u.c
syborg_fb.c
syborg_interrupt.c
syborg_keyboard.c
syborg_pointer.c
syborg_rtc.c
syborg_serial.c
syborg_timer.c
syborg_virtio.c
virtio: add and use virtio_set_features
2011-11-28 11:36:28 -06:00
syborg.c
syborg.h
sysbus.c
sysbus.h
tc6393xb_template.h
tc6393xb.c
tc58128.c
hw/tc58128.c: Remove unnecessary check for g_malloc failure
2011-11-11 12:49:53 -06:00
tcx.c
tmp105.c
tosa.c
tsc210x.c
tsc2005.c
tusb6010.c
twl92230.c
unin_pci.c
usb-bt.c
usb: make usb_create_simple catch and pass up errors.
2011-11-22 13:38:12 +01:00
usb-bus.c
usb: fix usb_qdev_init error handling.
2011-11-22 14:12:32 +01:00
usb-ccid.c
usb-desc.c
usb-desc.h
usb-ehci.c
usb-ehci: add register names
2011-11-23 16:24:06 +01:00
usb-hid.c
usb-hub.c
usb-hub: implement reset
2011-11-23 16:24:05 +01:00
usb-libhw.c
usb-msd.c
usb-msd: do not register twice in the boot order
2011-11-22 10:33:30 +01:00
usb-musb.c
usb-net.c
Revert bugfix e7852674d5 until tested or until after the release.
2011-11-14 18:17:59 +01:00
usb-ohci.c
usb-ohci.h
usb-serial.c
usb-uhci.c
usb-uhci.h
usb-wacom.c
usb.c
usb.h
versatile_pci.c
versatilepb.c
vexpress.c
vga_int.h
vga_template.h
vga-isa-mm.c
vga-isa.c
vga-pci.c
vga.c
vhost_net.c
vhost_net.h
vhost.c
vhost.h
virtex_ml507.c
virtex: Remove memset of clk_setup
2011-11-08 20:53:49 +01:00
virtio-balloon.c
virtio-balloon.h
virtio-blk.c
virtio-blk: fix cross-endian config space
2011-11-22 10:33:30 +01:00
virtio-blk.h
virtio-console.c
virtio-net.c
virtio-net.h
virtio-pci.c
virtio: add and use virtio_set_features
2011-11-28 11:36:28 -06:00
virtio-pci.h
virtio-serial-bus.c
virtio-serial.h
virtio.c
virtio: add and use virtio_set_features
2011-11-28 11:36:28 -06:00
virtio.h
virtio: add and use virtio_set_features
2011-11-28 11:36:28 -06:00
vmmouse.c
vmport.c
vmware_vga.c
vmware_vga.h
vt82c686.c
vt82c686.h
watchdog.c
watchdog.h
wdt_i6300esb.c
wdt_ib700.c
wm8750.c
xen_backend.c
xen_backend.h
xen_blkif.h
xen_common.h
xen_console.c
xen_devconfig.c
xen_disk.c
xen_domainbuild.c
xen_domainbuild.h
xen_machine_pv.c
xen_nic.c
xen_platform.c
xen.h
xenfb.c
xics.c
xics.h
xilinx_axidma.c
xilinx_axidma.h
xilinx_axienet.c
xilinx_ethlite.c
xilinx_intc.c
xilinx_timer.c
xilinx_uartlite.c
xilinx.h
xio3130_downstream.c
xio3130_downstream.h
xio3130_upstream.c
xio3130_upstream.h
xtensa_bootparam.h
xtensa_lx60.c
xtensa_pic.c
xtensa_sim.c
z2.c
zaurus.c