Which qemu versions does this CVE affect ?
Li Donglin > 发件人: qemu-devel-bounces+lidonglin=huawei....@nongnu.org > [mailto:qemu-devel-bounces+lidonglin=huawei....@nongnu.org] 代表 > Michael Roth > 发送时间: 2015年7月30日 19:33 > 收件人: qemu-devel@nongnu.org > 抄送: Paolo Bonzini; Petr Matousek; qemu-sta...@nongnu.org > 主题: [Qemu-devel] [PATCH 25/53] i8254: fix out-of-bounds memory access in > pit_ioport_read() > > From: Petr Matousek <pmato...@redhat.com> > > Due converting PIO to the new memory read/write api we no longer provide > separate I/O region lenghts for read and write operations. As a result, > reading > from PIT Mode/Command register will end with accessing > pit->channels with invalid index. > > Fix this by ignoring read from the Mode/Command register. > > This is CVE-2015-3214. > > Reported-by: Matt Tait <mattt...@google.com> > Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052 > Cc: qemu-sta...@nongnu.org > Signed-off-by: Petr Matousek <pmato...@redhat.com> > Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> (cherry picked from > commit d4862a87e31a51de9eb260f25c9e99a75efe3235) > Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com> > --- > hw/timer/i8254.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c index 3450c98..9b65a33 > 100644 > --- a/hw/timer/i8254.c > +++ b/hw/timer/i8254.c > @@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, > hwaddr addr, > PITChannelState *s; > > addr &= 3; > + > + if (addr == 3) { > + /* Mode/Command register is write only, read is ignored */ > + return 0; > + } > + > s = &pit->channels[addr]; > if (s->status_latched) { > s->status_latched = 0; > -- > 1.9.1 >
