rpms
/
qemu
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
qemu/0018-audio-intel-hda-check-...

36 lines
1.3 KiB
Diff
Raw Normal View History

CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz #1366370) CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) Infinite loop vulnerability in a9_gtimer_update (bz #1388300) CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285)
2017-01-16 21:04:06 +00:00
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 20 Oct 2016 13:10:24 +0530
Subject: [PATCH] audio: intel-hda: check stream entry count during transfer
Intel HDA emulator uses stream of buffers during DMA data
transfers. Each entry has buffer length and buffer pointer
position, which are used to derive bytes to 'copy'. If this
length and buffer pointer were to be same, 'copy' could be
set to zero(0), leading to an infinite loop. Add check to
avoid it.
Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0c0fc2b5fd534786051889459848764edd798050)
---
hw/audio/intel-hda.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index cd95340..537face 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
}
left = len;
- while (left > 0) {
+ s = st->bentries;
+ while (left > 0 && s-- > 0) {
copy = left;
if (copy > st->bsize - st->lpib)
copy = st->bsize - st->lpib;