i8254: fix out-of-bounds memory access in pit_ioport_read()

Due converting PIO to the new memory read/write api we no longer provide separate I/O region lenghts for read and write operations. As a result, reading from PIT Mode/Command register will end with accessing pit->channels with invalid index. Fix this by ignoring read from the Mode/Command register. This is CVE-2015-3214. Reported-by: N Matt Tait <matttait@google.com> Fixes: 0505bcde Cc: qemu-stable@nongnu.org Signed-off-by: N Petr Matousek <pmatouse@redhat.com> Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com>

i8254: fix out-of-bounds memory access in pit_ioport_read()
Due converting PIO to the new memory read/write api we no longer provide separate I/O region lenghts for read and write operations. As a result, reading from PIT Mode/Command register will end with accessing pit->channels with invalid index. Fix this by ignoring read from the Mode/Command register. This is CVE-2015-3214. Reported-by: N Matt Tait <matttait@google.com> Fixes: 0505bcde Cc: qemu-stable@nongnu.org Signed-off-by: N Petr Matousek <pmatouse@redhat.com> Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com>
d4862a87 · Petr Matousek · Paolo Bonzini · 9dacf32d · d4862a87
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

hw/timer/i8254.c hw/timer/i8254.c +6 -0

未找到文件。
--- a/hw/timer/i8254.c
+++ b/hw/timer/i8254.c
@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
    PITChannelState *s;

    addr &= 3;
+
+    if (addr == 3) {
+        /* Mode/Command register is write only, read is ignored */
+        return 0;
+    }
+
    s = &pit->channels[addr];
    if (s->status_latched) {
        s->status_latched = 0;