kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/sysutils/xentools42/patches/patch-CVE-2015-5154
spz fcf436606c Apply patches for XSA-128 to XSA-140 from upstream 
do a patch refresh in xentools42

rather than split the patches for pass-through.c over 5 files, delete
xentools42/patches/patch-CVE-2015-2756 and assemble all in
xentools42/patches/patch-qemu-xen-traditional_hw_pass-through.c
2015-08-23 16:17:12 +00:00

136 lines
3.4 KiB
Text
Raw Blame History

$NetBSD: patch-CVE-2015-5154,v 1.1 2015/08/23 16:17:12 spz Exp $
patch for CVE-2015-5154 aka XSA-138 from
http://xenbits.xen.org/xsa/xsa138-qemut-1.patch
http://xenbits.xen.org/xsa/xsa138-qemut-2.patch
http://xenbits.xen.org/xsa/xsa138-qemuu-1.patch
http://xenbits.xen.org/xsa/xsa138-qemuu-3.patch
--- qemu-xen/hw/ide/core.c.orig 2015-08-23 09:31:00.000000000 +0000
+++ qemu-xen/hw/ide/core.c
@@ -1666,8 +1666,10 @@ void ide_data_writew(void *opaque, uint3
*(uint16_t *)p = le16_to_cpu(val);
p += 2;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
}
uint32_t ide_data_readw(void *opaque, uint32_t addr)
@@ -1691,8 +1693,10 @@ uint32_t ide_data_readw(void *opaque, ui
ret = cpu_to_le16(*(uint16_t *)p);
p += 2;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
return ret;
}
@@ -1716,8 +1720,10 @@ void ide_data_writel(void *opaque, uint3
*(uint32_t *)p = le32_to_cpu(val);
p += 4;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
}
uint32_t ide_data_readl(void *opaque, uint32_t addr)
@@ -1741,8 +1747,10 @@ uint32_t ide_data_readl(void *opaque, ui
ret = cpu_to_le32(*(uint32_t *)p);
p += 4;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
return ret;
}
--- qemu-xen-traditional/hw/ide.c.orig 2014-01-09 12:44:42.000000000 +0000
+++ qemu-xen-traditional/hw/ide.c
@@ -3002,11 +3006,17 @@ static void ide_data_writew(void *opaque
buffered_pio_write(s, addr, 2);
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return;
+ }
+
*(uint16_t *)p = le16_to_cpu(val);
p += 2;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
}
static uint32_t ide_data_readw(void *opaque, uint32_t addr)
@@ -3021,11 +3031,17 @@ static uint32_t ide_data_readw(void *opa
buffered_pio_read(s, addr, 2);
p = s->data_ptr;
+ if (p + 2 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le16(*(uint16_t *)p);
p += 2;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
return ret;
}
@@ -3040,11 +3056,17 @@ static void ide_data_writel(void *opaque
buffered_pio_write(s, addr, 4);
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return;
+ }
+
*(uint32_t *)p = le32_to_cpu(val);
p += 4;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
}
static uint32_t ide_data_readl(void *opaque, uint32_t addr)
@@ -3059,11 +3081,17 @@ static uint32_t ide_data_readl(void *opa
buffered_pio_read(s, addr, 4);
p = s->data_ptr;
+ if (p + 4 > s->data_end) {
+ return 0;
+ }
+
ret = cpu_to_le32(*(uint32_t *)p);
p += 4;
s->data_ptr = p;
- if (p >= s->data_end)
+ if (p >= s->data_end) {
+ s->status &= ~DRQ_STAT;
s->end_transfer_func(s);
+ }
return ret;
}
Reference in a new issue View git blame Copy permalink