[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch

From ad0e6e88e0432aa1e6c75f52a6b3b4bf463e2563 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 20 Oct 2016 13:10:24 +0530
Subject: [PATCH 1/8] audio: intel-hda: check stream entry count during
 transfer

Intel HDA emulator uses stream of buffers during DMA data
transfers. Each entry has buffer length and buffer pointer
position, which are used to derive bytes to 'copy'. If this
length and buffer pointer were to be same, 'copy' could be
set to zero(0), leading to an infinite loop. Add check to
avoid it.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/audio/intel-hda.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index cd95340..537face 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
     }
 
     left = len;
-    while (left > 0) {
+    s = st->bentries;
+    while (left > 0 && s-- > 0) {
         copy = left;
         if (copy > st->bsize - st->lpib)
             copy = st->bsize - st->lpib;
-- 
2.1.4
Commit	Line	Data
d37b5565 WB	1	From ad0e6e88e0432aa1e6c75f52a6b3b4bf463e2563 Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Thu, 20 Oct 2016 13:10:24 +0530
	4	Subject: [PATCH 1/8] audio: intel-hda: check stream entry count during
	5	transfer
	6
	7	Intel HDA emulator uses stream of buffers during DMA data
	8	transfers. Each entry has buffer length and buffer pointer
	9	position, which are used to derive bytes to 'copy'. If this
	10	length and buffer pointer were to be same, 'copy' could be
	11	set to zero(0), leading to an infinite loop. Add check to
	12	avoid it.
	13
	14	Reported-by: Huawei PSIRT <psirt@huawei.com>
	15	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	16	Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
	17	Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
	18	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	19	---
	20	hw/audio/intel-hda.c \| 3 ++-
	21	1 file changed, 2 insertions(+), 1 deletion(-)
	22
	23	diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
	24	index cd95340..537face 100644
	25	--- a/hw/audio/intel-hda.c
	26	+++ b/hw/audio/intel-hda.c
	27	@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
	28	}
	29
	30	left = len;
	31	- while (left > 0) {
	32	+ s = st->bentries;
	33	+ while (left > 0 && s-- > 0) {
	34	copy = left;
	35	if (copy > st->bsize - st->lpib)
	36	copy = st->bsize - st->lpib;
	37	--
	38	2.1.4
	39