Commit d4862a87 authored Jun 17, 2015 by Petr Matousek Committed by Paolo Bonzini Jun 17, 2015

i8254: fix out-of-bounds memory access in pit_ioport_read()



Due converting PIO to the new memory read/write api we no longer provide
separate I/O region lenghts for read and write operations. As a result,
reading from PIT Mode/Command register will end with accessing
pit->channels with invalid index.

Fix this by ignoring read from the Mode/Command register.

This is CVE-2015-3214.

Reported-by: Matt Tait <matttait@google.com>
Fixes: 0505bcde
Cc: qemu-stable@nongnu.org
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

parent 9dacf32d

hw/timer/i8254.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
		PITChannelState *s;

		addr &= 3;

		if (addr == 3) {
		/* Mode/Command register is write only, read is ignored */
		return 0;
		}

		s = &pit->channels[addr];
		if (s->status_latched) {
		s->status_latched = 0;