bochs: backport PCI IDE buffer-overflow fix

Upstream SVN r10244: "Fixed possible buffer overflow causing segfault
or memory corruption. The buffers are not large enough for the maximum
sector count in LBA48 mode. Now resetting buffer pointers after
processing a PRD (and move remaining data if necessary). This should
fix the SF bug items #3190970 and #3077616."

This happened to us when booting Debian 8 with a Linux 3.16 kernel
from "flat" or "volatile" disk images, in the end corrupting the VGA
card's ("theVga") internal state and segfaulting.

Change-Id: I6a80432093a547dc2eb5270845369d0918e1e49b
Horst Schirmeier
2016-08-06 16:12:40 +02:00
parent 436930de71
commit a2798cc2bf

@ -301,6 +301,14 @@ void bx_pci_ide_c::timer()
BX_PIDE_THIS s.bmdma[channel].prd_current = 0;
DEV_hd_bmdma_complete(channel);
} else {
// To avoid buffer overflow reset buffer pointers and copy data if necessary
count = BX_PIDE_THIS s.bmdma[channel].buffer_top - BX_PIDE_THIS s.bmdma[channel].buffer_idx;
if (count > 0) {
memcpy(BX_PIDE_THIS s.bmdma[channel].buffer, BX_PIDE_THIS s.bmdma[channel].buffer_idx, count);
}
BX_PIDE_THIS s.bmdma[channel].buffer_top = BX_PIDE_THIS s.bmdma[channel].buffer + count;
BX_PIDE_THIS s.bmdma[channel].buffer_idx = BX_PIDE_THIS s.bmdma[channel].buffer;
// Prepare for next PRD
BX_PIDE_THIS s.bmdma[channel].prd_current += 8;
DEV_MEM_READ_PHYSICAL(BX_PIDE_THIS s.bmdma[channel].prd_current, 4, (Bit8u *)&prd.addr);
DEV_MEM_READ_PHYSICAL(BX_PIDE_THIS s.bmdma[channel].prd_current+4, 4, (Bit8u *)&prd.size);
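Review bot: the `memcpy(BX_PIDE_THIS s.bmdma[channel].buffer, BX_PIDE_THIS s.bmdma[channel].buffer_idx, count);` line copies within one buffer, and since `buffer_idx` points inside `buffer`, source and destination overlap whenever fewer than `count` bytes have been consumed ahead of the remaining data; `memcpy` on overlapping regions is undefined behaviour and may silently corrupt the very bytes this change is trying to preserve. Use `memmove` here instead, which is also what the upstream wording ("move remaining data if necessary") describes: `memmove(BX_PIDE_THIS s.bmdma[channel].buffer, BX_PIDE_THIS s.bmdma[channel].buffer_idx, count);`. The surrounding logic is otherwise sound: `count` is derived from two pointers that both lie within `buffer`, so the compaction itself cannot exceed the buffer, and resetting `buffer_top`/`buffer_idx` before the next PRD is read is the right place to bound further DMA writes.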