Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end

From:	P J P
Subject:	Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Date:	Fri, 11 Dec 2020 19:46:35 +0530 (IST)

+-- On Fri, 11 Dec 2020, Paolo Bonzini wrote --+
| This is not the root cause.  These are the last steps before bad things 
| happen; the root cause is what _led_ to those last steps.  In this case, the 
| root cause is that a read request with s->lba == -1 is mistaken for a 
| non-read.  Read requests are able to reset s->io_buffer_index and start with 
| the index pointing just after the end of the sector buffer; non-read 
| requests instead visit the buffer just once and start with 
| s->io_buffer_index == 0.
| 
| In turn, the fix is to validate:
| 
| 1) that s->lba is in range when issuing a read request
| 
| 2) that the size of the device is sane (e.g. the number of blocks is a
| positive 32-bit integer).

  Yes, working on a revised patch...

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end, (continued)
- Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end, leonwxqian, 2020/12/11

Prev by Date: Re: [PATCH] gdbstub: Correct misparsing of vCont C/S requests
Next by Date: Re: [PATCH 3/3] virtiofsd: Check file type in lo_flush()
Previous by thread: Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Next by thread: Re: [PATCH] ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Index(es):
- Date
- Thread