qemu-e2k/hw/block
Philippe Mathieu-Daudé defac5e2fb hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507)
Per the 82078 datasheet, if the end-of-track (EOT byte in
the FIFO) is more than the number of sectors per side, the
command is terminated unsuccessfully:

* 5.2.5 DATA TRANSFER TERMINATION

  The 82078 supports terminal count explicitly through
  the TC pin and implicitly through the underrun/over-
  run and end-of-track (EOT) functions. For full sector
  transfers, the EOT parameter can define the last
  sector to be transferred in a single or multisector
  transfer. If the last sector to be transferred is a par-
  tial sector, the host can stop transferring the data in
  mid-sector, and the 82078 will continue to complete
  the sector as if a hardware TC was received. The
  only difference between these implicit functions and
  TC is that they return "abnormal termination" result
  status. Such status indications can be ignored if they
  were expected.

* 6.1.3 READ TRACK

  This command terminates when the EOT specified
  number of sectors have been read. If the 82078
  does not find an I D Address Mark on the diskette
  after the second· occurrence of a pulse on the
  INDX# pin, then it sets the IC code in Status Regis-
  ter 0 to "01" (Abnormal termination), sets the MA bit
  in Status Register 1 to "1", and terminates the com-
  mand.

* 6.1.6 VERIFY

  Refer to Table 6-6 and Table 6-7 for information
  concerning the values of MT and EC versus SC and
  EOT value.

* Table 6·6. Result Phase Table

* Table 6-7. Verify Command Result Phase Table

Fix by aborting the transfer when EOT > # Sectors Per Side.

Cc: qemu-stable@nongnu.org
Cc: Hervé Poussineau <hpoussin@reactos.org>
Fixes: baca51faff ("floppy driver: disk geometry auto detect")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
Reviewed-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2022-05-12 12:31:08 +02:00
..
dataplane osdep: Move memalign-related functions to their own header 2022-03-07 13:16:49 +00:00
block.c block: drop BLK_PERM_GRAPH_MOD 2022-01-14 12:03:16 +01:00
cdrom.c
ecc.c vmstate: Constify some VMStateDescriptions 2021-05-02 17:24:50 +02:00
fdc-internal.h hw/block/fdc: Declare shared prototypes in fdc-internal.h 2021-06-25 08:53:28 -04:00
fdc-isa.c hw/isa: Inline and remove one-line isa_init_irq() 2022-03-08 19:38:17 +01:00
fdc-sysbus.c hw/block/fdc: Add description to floppy controllers 2021-06-25 08:53:28 -04:00
fdc.c hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507) 2022-05-12 12:31:08 +02:00
hd-geometry.c
Kconfig hw/block/fdc: Extract SysBus floppy controllers to fdc-sysbus.c 2021-06-25 08:53:28 -04:00
m25p80.c hw/block: m25p80: Add support for w25q01jvq 2022-03-08 09:18:11 +01:00
meson.build hw/block/fdc: Extract SysBus floppy controllers to fdc-sysbus.c 2021-06-25 08:53:28 -04:00
nand.c block: Separate blk_is_writable() and blk_supports_write_perm() 2021-01-27 20:45:20 +01:00
onenand.c block: Separate blk_is_writable() and blk_supports_write_perm() 2021-01-27 20:45:20 +01:00
pflash_cfi01.c block: rename bdrv_invalidate_cache_all, blk_invalidate_cache and test_sync_op_invalidate_cache 2022-03-04 18:14:40 +01:00
pflash_cfi02.c hw/block/pflash_cfi02: Do not create aliases when not necessary 2021-05-11 18:11:02 +02:00
swim.c qbus: Rename qbus_create_inplace() to qbus_init() 2021-09-30 13:42:10 +01:00
tc58128.c hw/sh4: Add missing license 2021-03-06 16:18:42 +01:00
trace-events hw/block/fdc: Extract SysBus floppy controllers to fdc-sysbus.c 2021-06-25 08:53:28 -04:00
trace.h
vhost-user-blk.c hw/vhost-user-blk: turn on VIRTIO_BLK_F_SIZE_MAX feature for virtio blk device 2022-01-07 05:19:55 -05:00
virtio-blk.c coroutine: Rename qemu_coroutine_inc/dec_pool_size() 2022-05-12 12:20:45 +02:00
xen_blkif.h
xen-block.c xen-block: Use specific blockdev driver 2021-05-10 13:43:58 +01:00