-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1 iQIcBAABAgAGBQJVUzrzAAoJEH3vgQaq/DkOXS8QALd0l54nibDK8CA8ApUZeUns frOmGf4bsP88YrJww0alYEiu3ERT4hmjqKkltcyioVFY2t/CuVwCkoayAKac4ga0 sg1pfAMwBG5mGfQ67N/9h+rivJkCboChK0tIaVKD78+G9ez564rVkt5Px8MD3PKP SpatJSrfmOe5DjNVdlbgsNxuMEYZsI/req+G6kRJEddoHSIrQ6Ow/bk8Y5OLr1YV GLCCb2n/G4tAkSb1akmVXBx+WqIWrtXyQVz//jWV1g4zMS773vco2jHZMDfPt1we NvMoEo7uac8txlTYTXrHBFI19h+rW5jXs7+eYyM2bI04xZntEdxJzM1AIKoqzQUk EtGmnGLNsrKg7hrIxcjHwJ09sBl3VkIj62PYUiyhXRB1t7b2bg5IOaRUESCZDnhQ XV6ygdi6uGYoAiaM7JJ7FCt3k/xBFTPEHmyNTC+5Pza3mP5GXifNpDgLRPWP0ufG EBnUdWDiWIYY6FNa/Z4A5BX5gu41vVQkGNMVjOc8rbZ7iuaGJxay1epVQyuH9vll vZ8mUtFowvzWfGZGK/hjXVN7a3NK1N+JzVse1zVwqrf6z3nJXDd/Unn1ZfTcjHZb 0nBfe1WJRfsDOEgwYescjqckIwfcsLn1w+Q5MG76dQ6w2PeZcqaRf1LEl4sbiMSO G+1YypZjZ2hJIwwBUam9 =D51H -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/jnsnow/tags/ide-cve-pull-request' into staging # gpg: Signature made Wed May 13 12:52:19 2015 BST using RSA key ID AAFC390E # gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>" # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB # Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E * remotes/jnsnow/tags/ide-cve-pull-request: fdc: force the fifo access to be in bounds of the allocated buffer Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-05-13 13:57:44 +01:00 · 2015-05-13 13:57:44 +01:00 · 4d2d2d8b21
parent 968bb75c34 e907746266
commit 4d2d2d8b21
1 changed files with 11 additions and 6 deletions
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
 {
    FDrive *cur_drv;
    uint32_t retval = 0;
-    int pos;
+    uint32_t pos;

    cur_drv = get_cur_drv(fdctrl);
    fdctrl->dsr &= ~FD_DSR_PWRDOWN;
@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
        return 0;
    }
    pos = fdctrl->data_pos;
+    pos %= FD_SECTOR_LEN;
    if (fdctrl->msr & FD_MSR_NONDMA) {
-        pos %= FD_SECTOR_LEN;
        if (pos == 0) {
            if (fdctrl->data_pos != 0)
                if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
 static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
 {
    FDrive *cur_drv = get_cur_drv(fdctrl);
+    uint32_t pos;

-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
+    pos = fdctrl->data_pos - 1;
+    pos %= FD_SECTOR_LEN;
+    if (fdctrl->fifo[pos] & 0x80) {
        /* Command parameters done */
-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+        if (fdctrl->fifo[pos] & 0x40) {
            fdctrl->fifo[0] = fdctrl->fifo[1];
            fdctrl->fifo[2] = 0;
            fdctrl->fifo[3] = 0;
@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
 static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
 {
    FDrive *cur_drv;
-    int pos;
+    uint32_t pos;

    /* Reset mode */
    if (!(fdctrl->dor & FD_DOR_nRESET)) {
@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
    }

    FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-    fdctrl->fifo[fdctrl->data_pos++] = value;
+    pos = fdctrl->data_pos++;
+    pos %= FD_SECTOR_LEN;
+    fdctrl->fifo[pos] = value;
    if (fdctrl->data_pos == fdctrl->data_len) {
        /* We now have all parameters
         * and will be able to treat the command