From ef9148789f335927506b9f86fe6805b764d57d27 Mon Sep 17 00:00:00 2001

From: Miroslav Rezanina <mrezanin@redhat.com>

Date: Mon, 11 May 2015 10:13:23 +0200

Subject: [PATCH 6/6] fdc: force the fifo access to be in bounds of the

 allocated buffer

Message-id: <1431332003-30588-1-git-send-email-mrezanin@redhat.com>

O-Subject: [RHEL-7.2 qemu-kvm EMBARGOED PATCH] fdc: force the fifo access

           to be in bounds of the allocated buffer

Bugzilla: 1219270

RH-Acked-by: Reviewed-by: Markus Armbruster <armbru@redhat.com>

RH-Acked-by: Reviewed-by: Kevin Wolf <kwolf@redhat.com>

RH-Acked-by: Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

During processing of certain commands such as FD_CMD_READ_ID and

FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could

get out of bounds leading to memory corruption with values coming

from the guest.

Fix this by making sure that the index is always bounded by the

allocated memory.

This is CVE-2015-3456.

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>

---

 hw/block/fdc.c | 17 +++++++++++------

 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/hw/block/fdc.c b/hw/block/fdc.c

index 322d863..56aedcc 100644

--- a/hw/block/fdc.c

+++ b/hw/block/fdc.c

@@ -1434,7 +1434,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)

 {

     FDrive *cur_drv;

     uint32_t retval = 0;

-    int pos;

+    uint32_t pos;

     cur_drv = get_cur_drv(fdctrl);

     fdctrl->dsr &= ~FD_DSR_PWRDOWN;

@@ -1443,8 +1443,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)

         return 0;

     }

     pos = fdctrl->data_pos;

+    pos %= FD_SECTOR_LEN;

     if (fdctrl->msr & FD_MSR_NONDMA) {

-        pos %= FD_SECTOR_LEN;

         if (pos == 0) {

             if (fdctrl->data_pos != 0)

                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {

@@ -1788,10 +1788,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)

 static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)

 {

     FDrive *cur_drv = get_cur_drv(fdctrl);

+    uint32_t pos;

-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {

+    pos = fdctrl->data_pos - 1;

+    pos %= FD_SECTOR_LEN;

+    if (fdctrl->fifo[pos] & 0x80) {

         /* Command parameters done */

-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {

+        if (fdctrl->fifo[pos] & 0x40) {

             fdctrl->fifo[0] = fdctrl->fifo[1];

             fdctrl->fifo[2] = 0;

             fdctrl->fifo[3] = 0;

@@ -1891,7 +1894,7 @@ static uint8_t command_to_handler[256];

 static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)

 {

     FDrive *cur_drv;

-    int pos;

+    uint32_t pos;

     /* Reset mode */

     if (!(fdctrl->dor & FD_DOR_nRESET)) {

@@ -1939,7 +1942,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)

     }

     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);

-    fdctrl->fifo[fdctrl->data_pos++] = value;

+    pos = fdctrl->data_pos++;

+    pos %= FD_SECTOR_LEN;

+    fdctrl->fifo[pos] = value;

     if (fdctrl->data_pos == fdctrl->data_len) {

         /* We now have all parameters

          * and will be able to treat the command

-- 

1.8.3.1