git.proxmox.com Git - pve-qemu-kvm.git/blob - debian/patches/extra/CVE-2016-8909-audio-intel-hda-check-stream-entry-count-during-tran.patch
bump version to 2.7.1-501
1 From ad0e6e88e0432aa1e6c75f52a6b3b4bf463e2563 Mon Sep 17 00:00:00 2001
2 From: Prasad J Pandit <pjp@fedoraproject.org>
3 Date: Thu, 20 Oct 2016 13:10:24 +0530
4 Subject: [PATCH 1/8] audio: intel-hda: check stream entry count during
5 transfer
6
7 Intel HDA emulator uses stream of buffers during DMA data
8 transfers. Each entry has buffer length and buffer pointer
9 position, which are used to derive bytes to 'copy'. If this
10 length and buffer pointer were to be same, 'copy' could be
11 set to zero(0), leading to an infinite loop. Add check to
12 avoid it.
13
14 Reported-by: Huawei PSIRT <psirt@huawei.com>
15 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
16 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
17 Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
18 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
19 ---
20 hw/audio/intel-hda.c | 3 ++-
21 1 file changed, 2 insertions(+), 1 deletion(-)
22
23 diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
24 index cd95340..537face 100644
25 --- a/hw/audio/intel-hda.c
26 +++ b/hw/audio/intel-hda.c
27 @@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
28 }
29
30 left = len;
31 - while (left > 0) {
32 + s = st->bentries;
33 + while (left > 0 && s-- > 0) {
34 copy = left;
35 if (copy > st->bsize - st->lpib)
36 copy = st->bsize - st->lpib;
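Review bot: The bound added in `while (left > 0 && s-- > 0)` caps the spin but does not detect the condition the commit message describes. When `st->bsize - st->lpib` is 0, `copy` is still set to 0, and as far as the visible lines show the loop can run without progress until `s` is exhausted, then exit with `left` still nonzero. Consider testing for `copy == 0` directly and breaking out at that point, and confirm that the code after the loop treats `left > 0` as a short transfer rather than a completed one. A one-line comment saying why `st->bentries` is the right iteration cap would also help, since neither `s` nor the choice of bound is explained in this hunk.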
37 --
38 2.1.4
39