* [Qemu-devel] [PATCH] audio: intel-hda: check stream entry count during transfer
@ 2016-10-20  7:40 P J P
  2016-10-20  9:37 ` Stefan Hajnoczi
  2016-10-26 12:48 ` Gerd Hoffmann
  0 siblings, 2 replies; 3+ messages in thread
From: P J P @ 2016-10-20  7:40 UTC (permalink / raw)
  To: Qemu Developers; +Cc: Gerd Hoffmann, Huawei PSIRT, Prasad J Pandit

From: Prasad J Pandit <pjp@fedoraproject.org>

Intel HDA emulator uses stream of buffers during DMA data
transfers. Each entry has buffer length and buffer pointer
position, which are used to derive bytes to 'copy'. If this
length and buffer pointer were to be same, 'copy' could be
set to zero(0), leading to an infinite loop. Add check to
avoid it.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/audio/intel-hda.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index cd95340..537face 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
     }
 
     left = len;
-    while (left > 0) {
+    s = st->bentries;
+    while (left > 0 && s-- > 0) {
         copy = left;
         if (copy > st->bsize - st->lpib)
             copy = st->bsize - st->lpib;
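
Review bot: The new `s-- > 0` bound in the `while` condition caps the iteration count at `st->bentries`, but it never tests the condition the commit message describes: `copy` ending up 0 when `st->bsize - st->lpib` is 0. Consider checking `copy` right after the clamp and leaving the loop when it is 0, so the transfer stops on the first zero-progress iteration instead of spinning `bentries` times, and so the bound does not depend on each pass consuming exactly one entry. The hunk also assigns `s` without adding a declaration (the diffstat shows only two insertions), so confirm the existing variable's type and that nothing later in the function relies on its previous value. Since the loop can now exit with `left > 0`, the return value should make the short transfer visible to the caller.
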
-- 
2.7.4


* Re: [Qemu-devel] [PATCH] audio: intel-hda: check stream entry count during transfer
  2016-10-20  7:40 [Qemu-devel] [PATCH] audio: intel-hda: check stream entry count during transfer P J P
@ 2016-10-20  9:37 ` Stefan Hajnoczi
  2016-10-26 12:48 ` Gerd Hoffmann
  1 sibling, 0 replies; 3+ messages in thread
From: Stefan Hajnoczi @ 2016-10-20  9:37 UTC (permalink / raw)
  To: P J P; +Cc: Qemu Developers, Huawei PSIRT, Gerd Hoffmann, Prasad J Pandit


On Thu, Oct 20, 2016 at 01:10:24PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> Intel HDA emulator uses stream of buffers during DMA data
> transfers. Each entry has buffer length and buffer pointer
> position, which are used to derive bytes to 'copy'. If this
> length and buffer pointer were to be same, 'copy' could be
> set to zero(0), leading to an infinite loop. Add check to
> avoid it.
> 
> Reported-by: Huawei PSIRT <psirt@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/audio/intel-hda.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>


* Re: [Qemu-devel] [PATCH] audio: intel-hda: check stream entry count during transfer
  2016-10-20  7:40 [Qemu-devel] [PATCH] audio: intel-hda: check stream entry count during transfer P J P
  2016-10-20  9:37 ` Stefan Hajnoczi
@ 2016-10-26 12:48 ` Gerd Hoffmann
  1 sibling, 0 replies; 3+ messages in thread
From: Gerd Hoffmann @ 2016-10-26 12:48 UTC (permalink / raw)
  To: P J P; +Cc: Qemu Developers, Huawei PSIRT, Prasad J Pandit

On Thu, 2016-10-20 at 13:10 +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> Intel HDA emulator uses stream of buffers during DMA data
> transfers. Each entry has buffer length and buffer pointer
> position, which are used to derive bytes to 'copy'. If this
> length and buffer pointer were to be same, 'copy' could be
> set to zero(0), leading to an infinite loop. Add check to
> avoid it.
> 
> Reported-by: Huawei PSIRT <psirt@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Added to audio patch queue.

thanks,
  Gerd
