add patches for CVE-2015-5154
1 From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
2 From: Kevin Wolf <kwolf@redhat.com>
3 Date: Wed, 3 Jun 2015 14:41:27 +0200
4 Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
5
6 This is additional hardening against an end_transfer_func that fails to
7 clear the DRQ status bit. The bit must be unset as soon as the PIO
8 transfer has completed, so it's better to do this in a central place
9 instead of duplicating the code in all commands (and forgetting it in
10 some).
11
12 Signed-off-by: Kevin Wolf <kwolf@redhat.com>
13 ---
14 hw/ide/core.c | 16 ++++++++++++----
15 1 file changed, 12 insertions(+), 4 deletions(-)
16
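--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
 *(uint16_t *)p = le16_to_cpu(val);
 p += 2;
 s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
 s->end_transfer_func(s);
+ }
 }
 
 uint32_t ide_data_readw(void *opaque, uint32_t addr)
@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
 ret = cpu_to_le16(*(uint16_t *)p);
 p += 2;
 s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
 s->end_transfer_func(s);
+ }
 return ret;
 }
 
@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
 *(uint32_t *)p = le32_to_cpu(val);
 p += 4;
 s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
 s->end_transfer_func(s);
+ }
 }
 
 uint32_t ide_data_readl(void *opaque, uint32_t addr)
@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
 ret = cpu_to_le32(*(uint32_t *)p);
 p += 4;
 s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
 s->end_transfer_func(s);
+ }
 return ret;
 }
 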
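Review bot: The added `s->status &= ~DRQ_STAT;` in the four PIO accessors (`ide_data_writew`, `ide_data_readw`, `ide_data_writel`, `ide_data_readl`) only hardens the device model if each accessor refuses to dereference `s->data_ptr` while DRQ is clear, and no such entry guard is visible here because every function starts above its hunk. In the lines shown, the store or load through `p` still happens before the `p >= s->data_end` comparison, so this patch should be applied and verified together with the rest of the series (this is 3/3), not on its own. A regression test that keeps accessing the data port after a transfer has completed and asserts that `io_buffer` is not touched would pin the intended behaviour. The ordering also deserves a comment at the first site, for example `/* clear DRQ before the callback; end_transfer_func may set it again when it starts the next transfer */`, since moving the clear after the call would presumably break handlers that legitimately continue the transfer.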
69 --
70 1.8.3.1
71