From 892af81380c9ba24a7c8582b5fae4d37a2e5cf47 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit Date: Tue, 23 Feb 2021 15:20:03 +0800 Subject: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end Fix CVE-2020-29443 During data transfer via packet command in 'ide_atapi_cmd_reply_end' 's->io_buffer_index' could exceed the 's->io_buffer' length, leading to OOB access issue. Add check to avoid it. ... #9 ahci_pio_transfer ../hw/ide/ahci.c:1383 #10 ide_transfer_start_norecurse ../hw/ide/core.c:553 #11 ide_atapi_cmd_reply_end ../hw/ide/atapi.c:284 #12 ide_atapi_cmd_read_pio ../hw/ide/atapi.c:329 #13 ide_atapi_cmd_read ../hw/ide/atapi.c:442 #14 cmd_read ../hw/ide/atapi.c:988 #15 ide_atapi_cmd ../hw/ide/atapi.c:1352 #16 ide_transfer_start ../hw/ide/core.c:561 #17 cmd_packet ../hw/ide/core.c:1729 #18 ide_exec_cmd ../hw/ide/core.c:2107 #19 handle_reg_h2d_fis ../hw/ide/ahci.c:1267 #20 handle_cmd ../hw/ide/ahci.c:1318 #21 check_cmd ../hw/ide/ahci.c:592 #22 ahci_port_write ../hw/ide/ahci.c:373 #23 ahci_mem_write ../hw/ide/ahci.c:513 Reported-by: Wenxiang Qian Signed-off-by: Prasad J Pandit Signed-off-by: Jiajie Li --- hw/ide/atapi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c index 1b0f66cc08..fc9dc87f03 100644 --- a/hw/ide/atapi.c +++ b/hw/ide/atapi.c @@ -300,6 +300,9 @@ void ide_atapi_cmd_reply_end(IDEState *s) s->packet_transfer_size -= size; s->elementary_transfer_size -= size; s->io_buffer_index += size; + if (s->io_buffer_index > s->io_buffer_total_len) { + return; + } /* Some adapters process PIO data right away. In that case, we need * to avoid mutual recursion between ide_transfer_start -- Gitee