+-- On Wed, 18 Nov 2020, P J P wrote --+ | During data transfer via packet command in 'ide_atapi_cmd_reply_end' | 's->io_buffer_index' could exceed the 's->io_buffer' length, leading | to OOB access issue. Add check to avoid it. | ... | #9 ahci_pio_transfer ../hw/ide/ahci.c:1383 | #10 ide_transfer_start_norecurse ../hw/ide/core.c:553 | #11 ide_atapi_cmd_reply_end ../hw/ide/atapi.c:284 | #12 ide_atapi_cmd_read_pio ../hw/ide/atapi.c:329 | #13 ide_atapi_cmd_read ../hw/ide/atapi.c:442 | #14 cmd_read ../hw/ide/atapi.c:988 | #15 ide_atapi_cmd ../hw/ide/atapi.c:1352 | #16 ide_transfer_start ../hw/ide/core.c:561 | #17 cmd_packet ../hw/ide/core.c:1729 | #18 ide_exec_cmd ../hw/ide/core.c:2107 | #19 handle_reg_h2d_fis ../hw/ide/ahci.c:1267 | #20 handle_cmd ../hw/ide/ahci.c:1318 | #21 check_cmd ../hw/ide/ahci.c:592 | #22 ahci_port_write ../hw/ide/ahci.c:373 | #23 ahci_mem_write ../hw/ide/ahci.c:513 | | Reported-by: Wenxiang Qian <leonwxq...@gmail.com> | Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> | --- | hw/ide/atapi.c | 3 +++ | 1 file changed, 3 insertions(+) | | diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c | index 14a2b0bb2f..b991947c5c 100644 | --- a/hw/ide/atapi.c | +++ b/hw/ide/atapi.c | @@ -276,6 +276,9 @@ void ide_atapi_cmd_reply_end(IDEState *s) | s->packet_transfer_size -= size; | s->elementary_transfer_size -= size; | s->io_buffer_index += size; | + if (s->io_buffer_index > s->io_buffer_total_len) { | + return; | + } | | /* Some adapters process PIO data right away. In that case, we need | * to avoid mutual recursion between ide_transfer_start |
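Review bot: the new check in ide_atapi_cmd_reply_end runs only after s->packet_transfer_size and s->elementary_transfer_size have already been decremented and s->io_buffer_index advanced, and then returns bare, so on the overflow path the transfer accounting is left inconsistent and the guest is never told the command failed. Consider validating `s->io_buffer_index + size` against `s->io_buffer_total_len` before those three updates, and terminating the command through the existing ATAPI error path rather than a plain `return;`; a one-line comment stating why the index can exceed the buffer (the OOB case from the commit message) would also help future readers.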
Ping...!
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D