From 7d08e1fae6150a3c0867dba6f75cf00946b3163c Mon Sep 17 00:00:00 2001
From: Petr Matousek <pmatouse@redhat.com>
Date: Tue, 2 Jun 2015 14:32:06 +0200
Subject: [PATCH] i8254: fix out-of-bounds memory access in pit_ioport_read()
Due converting PIO to the new memory read/write api we no longer provide
separate I/O region lenghts for read and write operations. As a result,
reading from PIT Mode/Command register will end with accessing
pit->channels with invalid index.
Fix this by ignoring read from the Mode/Command register.
This is CVE-2015-3214.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Matt Tait <matttait@google.com>
---
hw/timer/i8254.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c
index 3450c98..9b65a33 100644
--- a/hw/timer/i8254.c
+++ b/hw/timer/i8254.c
@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
PITChannelState *s;
addr &= 3;
+
+ if (addr == 3) {
+ /* Mode/Command register is write only, read is ignored */
+ return 0;
+ }
+
s = &pit->channels[addr];
if (s->status_latched) {
s->status_latched = 0;
--
2.1.0
distrib
>
Mageia
>
5
>
x86_64
>
media
>
core-updates-src
>
by-pkgid
>
90375fcc85be50ebaba5ff91f4469994
>
files
>
22
