authorPeter Maydell <peter.maydell@linaro.org>2018-11-19 14:31:48 +0000
committerPeter Maydell <peter.maydell@linaro.org>2018-11-19 14:31:48 +0000
commite6ebbd46b6e539f3613136111977721d212c2812 (patch)
tree760811e8b5928efe654de6c95cf798baeeae0ed6 /hw
parent9436e082de18b2fb2ceed2e9d1beef641ae64f23 (diff)
parent6d0a4a0fb5c8f10c8eb68b52cfda0082b00ae963 (diff)
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Block layer patches:

- file-posix: Fix shared permission locks after reopen
- block: Fix error path for failed .bdrv_reopen_prepare
- qcow2: Catch invalid allocations when the image becomes too large
- vvfat/fdc/nvme: Fix segfaults and leaks

# gpg: Signature made Mon 19 Nov 2018 14:28:18 GMT
# gpg:                using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream:
  iotests: Test file-posix locking and reopen
  file-posix: Fix shared locks on reopen commit
  block: Always abort reopen after prepare succeeded
  iotests: Add new test 220 for max compressed cluster offset
  qcow2: Don't allow overflow during cluster allocation
  qcow2: Document some maximum size constraints
  vvfat: Fix memory leak
  fdc: fix segfault in fdctrl_stop_transfer() when DMA is disabled
  nvme: fix oob access issue(CVE-2018-16847)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
-rw-r--r--hw/block/fdc.c2
-rw-r--r--hw/block/nvme.c7
2 files changed, 8 insertions, 1 deletions
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index 2e9c1e1e2f..6f19f127a5 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -1617,7 +1617,7 @@ static void fdctrl_stop_transfer(FDCtrl *fdctrl, uint8_t status0,
     fdctrl->fifo[5] = cur_drv->sect;
     fdctrl->fifo[6] = FD_SECTOR_SC;
     fdctrl->data_dir = FD_DIR_READ;
-    if (!(fdctrl->msr & FD_MSR_NONDMA)) {
+    if (fdctrl->dma_chann != -1 && !(fdctrl->msr & FD_MSR_NONDMA)) {
         IsaDmaClass *k = ISADMA_GET_CLASS(fdctrl->dma);
         k->release_DREQ(fdctrl->dma, fdctrl->dma_chann);
     }
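Review bot: The new guard on the `if` line uses `dma_chann != -1` as the marker for "no ISA DMA channel", but nothing near it says so, and a reader has to know the sentinel to understand why the DREQ release is skipped; a one-line comment would fix that, e.g. `/* dma_chann == -1: no ISA DMA channel was wired up, so there is no DREQ to release. */`. The same sentinel presumably protects the path that starts a DMA transfer; if so, a tiny `static inline bool fdctrl_has_dma(const FDCtrl *fdctrl)` helper would keep the two checks from drifting apart. fdctrl_stop_transfer begins outside the hunk.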
diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index 09d7c90259..d0226e7fdc 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -1175,6 +1175,10 @@ static void nvme_cmb_write(void *opaque, hwaddr addr, uint64_t data,
     unsigned size)
 {
     NvmeCtrl *n = (NvmeCtrl *)opaque;
+
+    if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
+        return;
+    }
     memcpy(&n->cmbuf[addr], &data, size);
 }
 
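Review bot: The added check `addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)` is evaluated in the width of hwaddr, so an addr within a few bytes of the type's maximum would wrap, pass the test, and still index cmbuf out of range; an overflow-safe form is `uint64_t cmbsz = NVME_CMBSZ_GETSIZE(n->bar.cmbsz); if (addr >= cmbsz || size > cmbsz - addr) { return; }`. Whether such an addr can reach this callback depends on the size the CMB memory region was registered with, which is outside the hunk, so this may be belt-and-braces rather than a live hole. The same shape applies to the check in nvme_cmb_read below. An out-of-range access is also dropped silently here; if nvme.c already uses qemu_log_mask(), a LOG_GUEST_ERROR line naming the offending addr and size would make a misbehaving guest driver visible in the logs.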
@@ -1183,6 +1187,9 @@ static uint64_t nvme_cmb_read(void *opaque, hwaddr addr, unsigned size)
     uint64_t val;
     NvmeCtrl *n = (NvmeCtrl *)opaque;
 
+    if (addr + size > NVME_CMBSZ_GETSIZE(n->bar.cmbsz)) {
+        return 0;
+    }
     memcpy(&val, &n->cmbuf[addr], size);
     return val;
 }
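Review bot: On the in-range path `memcpy(&val, &n->cmbuf[addr], size)` fills only `size` bytes of `val`, so for accesses narrower than 8 bytes the upper bytes of the returned value are indeterminate; initialising `uint64_t val = 0;` on the first line of the hunk removes that. This is pre-existing rather than introduced by the commit, but the new explicit `return 0` for the out-of-range case makes the inconsistency with the in-range return stand out. The bounds test itself has the same wrap-around shape as the one added in nvme_cmb_write above and should be adjusted together with it.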