qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [PULL 0/1] audio: intel-hda: check stream entry count during transfer
@ 2016-10-27 14:32 Gerd Hoffmann
  2016-10-27 14:32 ` [Qemu-devel] [PULL 1/1] " Gerd Hoffmann
  2016-10-27 18:22 ` [Qemu-devel] [PULL 0/1] " Peter Maydell
  0 siblings, 2 replies; 3+ messages in thread
From: Gerd Hoffmann @ 2016-10-27 14:32 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann

  Hi,

Audio patch queue with a single intel hda bugfix.

please pull,
  Gerd

The following changes since commit ede0cbeb7892bdf4a19128853a3a3c61a17fb068:

  Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2016-10-25' into staging (2016-10-25 17:03:11 +0100)

are available in the git repository at:


  git://git.kraxel.org/qemu tags/pull-audio-20161027-1

for you to fetch changes up to 0c0fc2b5fd534786051889459848764edd798050:

  audio: intel-hda: check stream entry count during transfer (2016-10-26 14:51:44 +0200)

----------------------------------------------------------------
audio: intel-hda: check stream entry count during transfer

----------------------------------------------------------------
Prasad J Pandit (1):
      audio: intel-hda: check stream entry count during transfer

 hw/audio/intel-hda.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


* [Qemu-devel] [PULL 1/1] audio: intel-hda: check stream entry count during transfer
  2016-10-27 14:32 [Qemu-devel] [PULL 0/1] audio: intel-hda: check stream entry count during transfer Gerd Hoffmann
@ 2016-10-27 14:32 ` Gerd Hoffmann
  2016-10-27 18:22 ` [Qemu-devel] [PULL 0/1] " Peter Maydell
  1 sibling, 0 replies; 3+ messages in thread
From: Gerd Hoffmann @ 2016-10-27 14:32 UTC (permalink / raw)
  To: qemu-devel; +Cc: Prasad J Pandit, Gerd Hoffmann

From: Prasad J Pandit <pjp@fedoraproject.org>

Intel HDA emulator uses stream of buffers during DMA data
transfers. Each entry has buffer length and buffer pointer
position, which are used to derive bytes to 'copy'. If this
length and buffer pointer were to be same, 'copy' could be
set to zero(0), leading to an infinite loop. Add check to
avoid it.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/audio/intel-hda.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index cd95340..537face 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
     }
 
     left = len;
-    while (left > 0) {
+    s = st->bentries;
+    while (left > 0 && s-- > 0) {
         copy = left;
         if (copy > st->bsize - st->lpib)
             copy = st->bsize - st->lpib;
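
Review bot: The new loop condition `while (left > 0 && s-- > 0)` bounds the iteration count by `st->bentries` but never tests the condition the commit message describes, a `copy` of zero. A zero-length step still runs the loop body until `s` is used up, and the loop then exits with `left > 0`; an explicit `if (copy == 0) break;` placed after `copy` is computed would state the intent directly, ideally with a comment on how the resulting short transfer is handled. Because `copy` is also clamped by `st->bsize - st->lpib`, one iteration is not necessarily one buffer entry, so a short comment explaining why `st->bentries` is a sufficient iteration budget for a valid transfer would help. The declaration of `s` lies outside this hunk, so its type relative to `st->bentries` cannot be checked from the lines shown.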
-- 
1.8.3.1


* Re: [Qemu-devel] [PULL 0/1] audio: intel-hda: check stream entry count during transfer
  2016-10-27 14:32 [Qemu-devel] [PULL 0/1] audio: intel-hda: check stream entry count during transfer Gerd Hoffmann
  2016-10-27 14:32 ` [Qemu-devel] [PULL 1/1] " Gerd Hoffmann
@ 2016-10-27 18:22 ` Peter Maydell
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Maydell @ 2016-10-27 18:22 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: QEMU Developers

On 27 October 2016 at 15:32, Gerd Hoffmann <kraxel@redhat.com> wrote:
>   Hi,
>
> Audio patch queue with a single intel hda bugfix.
>
> please pull,
>   Gerd
>
> The following changes since commit ede0cbeb7892bdf4a19128853a3a3c61a17fb068:
>
>   Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2016-10-25' into staging (2016-10-25 17:03:11 +0100)
>
> are available in the git repository at:
>
>
>   git://git.kraxel.org/qemu tags/pull-audio-20161027-1
>
> for you to fetch changes up to 0c0fc2b5fd534786051889459848764edd798050:
>
>   audio: intel-hda: check stream entry count during transfer (2016-10-26 14:51:44 +0200)
>
> ----------------------------------------------------------------
> audio: intel-hda: check stream entry count during transfer
>
> ----------------------------------------------------------------
> Prasad J Pandit (1):
>       audio: intel-hda: check stream entry count during transfer
>

Applied, thanks.

-- PMM

