File CVE-2015-5154-qemuu-clear-DRQ-after-handling-al... of Package xen.950

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch of Package xen.950

From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 3 Jun 2015 14:41:27 +0200
Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses

This is additional hardening against an end_transfer_func that fails to
clear the DRQ status bit. The bit must be unset as soon as the PIO
transfer has completed, so it's better to do this in a central place
instead of duplicating the code in all commands (and forgetting it in
some).

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 hw/ide/core.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

Index: xen-4.4.2-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
===================================================================
--- xen-4.4.2-testing.orig/tools/qemu-xen-dir-remote/hw/ide/core.c
+++ xen-4.4.2-testing/tools/qemu-xen-dir-remote/hw/ide/core.c
@@ -1907,8 +1907,10 @@ void ide_data_writew(void *opaque, uint3
     *(uint16_t *)p = le16_to_cpu(val);
     p += 2;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
 }
 
 uint32_t ide_data_readw(void *opaque, uint32_t addr)
@@ -1932,8 +1934,10 @@ uint32_t ide_data_readw(void *opaque, ui
     ret = cpu_to_le16(*(uint16_t *)p);
     p += 2;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
     return ret;
 }
 
@@ -1957,8 +1961,10 @@ void ide_data_writel(void *opaque, uint3
     *(uint32_t *)p = le32_to_cpu(val);
     p += 4;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
 }
 
 uint32_t ide_data_readl(void *opaque, uint32_t addr)
@@ -1982,8 +1988,10 @@ uint32_t ide_data_readl(void *opaque, ui
     ret = cpu_to_le32(*(uint32_t *)p);
     p += 4;
     s->data_ptr = p;
-    if (p >= s->data_end)
+    if (p >= s->data_end) {
+        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
+    }
     return ret;
 }

Places

File CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch of Package xen.950

Places