qemu-e2k/hw
Petr Matousek e907746266 fdc: force the fifo access to be in bounds of the allocated buffer
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.

Fix this by making sure that the index is always bounded by the
allocated memory.

This is CVE-2015-3456.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
2015-05-12 18:52:57 -04:00
..
9pfs
acpi pc, virtio enhancements 2015-05-11 16:25:33 +01:00
alpha Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
arm hw/arm/highbank.c: Wire FIQ between CPU <> GIC 2015-05-12 11:57:19 +01:00
audio gus: clean up MemoryRegionPortio 2015-04-27 18:24:18 +02:00
block fdc: force the fifo access to be in bounds of the allocated buffer 2015-05-12 18:52:57 -04:00
bt bt-sdp: fix broken uuids power-of-2 calculation 2015-04-28 15:36:08 +02:00
char sclp: sort into categories 2015-04-30 13:21:41 +02:00
core pc, virtio enhancements 2015-05-11 16:25:33 +01:00
cpu
cris cris: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-04-11 20:03:57 +10:00
display hw/display : remove 'struct' from 'typedef QXL struct' 2015-04-30 16:05:48 +03:00
dma Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
gpio Convert ffs() != 0 callers to ctz32() 2015-04-28 15:36:08 +02:00
i2c Convert ffs() != 0 callers to ctz32() 2015-04-28 15:36:08 +02:00
i386 pc, virtio enhancements 2015-05-11 16:25:33 +01:00
ide ide: there is only one data port 2015-04-27 18:24:19 +02:00
input
intc hw/intc/arm_gic: Add grouping support to gic_update() 2015-05-12 11:57:18 +01:00
ipack
isa hw: Mark devices picking up char backends actively FIXME 2015-04-02 15:30:28 +02:00
lm32 lm32: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-04-10 14:12:20 +01:00
m68k m68k: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-03-25 14:35:24 +01:00
mem
microblaze microblaze: fix memory leak 2015-04-30 16:06:18 +03:00
mips target-mips: fix memory leak 2015-04-30 16:06:17 +03:00
misc misc: Fix new collection of typos 2015-04-30 16:05:48 +03:00
moxie
net -----BEGIN PGP SIGNATURE----- 2015-05-12 10:40:31 +01:00
nvram fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
openrisc
pci pc, virtio enhancements 2015-05-11 16:25:33 +01:00
pci-bridge pci: Remove unused function ich9_d2pbr_init() 2015-04-30 16:05:48 +03:00
pci-host Convert (ffs(val) - 1) to ctz32(val) 2015-04-28 15:36:08 +02:00
pcmcia
ppc pc, virtio enhancements 2015-05-11 16:25:33 +01:00
s390x pc, virtio enhancements 2015-05-11 16:25:33 +01:00
scsi pc, virtio enhancements 2015-05-11 16:25:33 +01:00
sd hw/sd: Don't pass BlockBackend to sd_reset() 2015-05-12 11:57:16 +01:00
sh4 Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
sparc sparc: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory 2015-03-25 14:36:14 +01:00
sparc64 fw_cfg: factor out initialization of FW_CFG_ID (rev. number) 2015-03-25 13:37:10 +01:00
ssi
timer Switch non-CPU callers from ld/st*_phys to address_space_ld/st* 2015-04-26 16:49:24 +01:00
tpm tpm: fix coding style 2015-04-30 16:05:48 +03:00
tricore
unicore32
usb trivial patches for 2015-05-09 2015-05-11 13:54:00 +01:00
vfio exec: move rcu_read_lock/unlock to address_space_translate callers 2015-04-30 16:55:32 +02:00
virtio pc, virtio enhancements 2015-05-11 16:25:33 +01:00
watchdog i6300esb: Fix signed integer overflow 2015-03-25 13:38:05 +01:00
xen xen: limit guest control of PCI command register 2015-04-09 23:37:21 +01:00
xenpv
xtensa
Makefile.objs