From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1JJtji-0004Q5-7A for qemu-devel@nongnu.org; Tue, 29 Jan 2008 11:55:02 -0500 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1JJtje-0004Ou-Jn for qemu-devel@nongnu.org; Tue, 29 Jan 2008 11:55:00 -0500 Received: from [199.232.76.173] (helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1JJtje-0004Or-E3 for qemu-devel@nongnu.org; Tue, 29 Jan 2008 11:54:58 -0500 Received: from comtv.ru ([217.10.32.17]) by monty-python.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1JJtjd-0006nv-V9 for qemu-devel@nongnu.org; Tue, 29 Jan 2008 11:54:58 -0500 Received: from av1474.oops ([10.0.66.9] verified) by comtv.ru (CommuniGate Pro SMTP 4.1.8) with ESMTP-TLS id 41471586 for qemu-devel@nongnu.org; Tue, 29 Jan 2008 19:54:34 +0300 Date: Tue, 29 Jan 2008 19:54:09 +0300 (MSK) From: malc Subject: Re: [Qemu-devel] [PATCH] Fix an infinite loop in the emulated SB16 device In-Reply-To: <20080128193009.GA19255@volta.aurel32.net> Message-ID: References: <20080128193009.GA19255@volta.aurel32.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Reply-To: qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org On Mon, 28 Jan 2008, Aurelien Jarno wrote: > This patch from Tavis Ormandy fixes an infinite > loop in the emulated SB16 device. > > See http://taviso.decsystem.org/virtsec.pdf for more details. > --- > hw/sb16.c | 6 ++++-- > 1 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/hw/sb16.c b/hw/sb16.c > index c22de7a..b2a3a70 100644 > --- a/hw/sb16.c > +++ b/hw/sb16.c 
> @@ -1246,8 +1246,10 @@ static int SB_read_DMA (void *opaque, int nchan, int dma_pos, int dma_len) > s->block_size); > #endif > > - while (s->left_till_irq <= 0) { > - s->left_till_irq = s->block_size + s->left_till_irq; > + if (s->block_size) { > + while (s->left_till_irq <= 0) { > + s->left_till_irq = s->block_size + s->left_till_irq; > + } > } > > return dma_pos; This was fixed by commit 'Mon Jan 14 04:24:29 2008 UTC (2 weeks, 1 day ago) by balrog', and the fix is elaborated on in: http://lists.gnu.org/archive/html/qemu-devel/2007-05/msg00038.html http://lists.gnu.org/archive/html/qemu-devel/2007-05/msg00019.html -- mailto:av1474@comtv.ru
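Review bot: the new `if (s->block_size)` guard around the `while (s->left_till_irq <= 0)` loop only rules out a zero block size; if `block_size` can take a negative value (the hunk does not show its type or the range it is clamped to when the guest programs it), `s->left_till_irq = s->block_size + s->left_till_irq` still never becomes positive and the loop still spins forever. Unless an earlier check already guarantees `block_size` is positive, `if (s->block_size > 0)` is the safer guard, and a one-line comment on why the wrap is skipped (and what value `left_till_irq` is left with) would help the next reader, since the loop's purpose is not obvious from the DMA callback alone.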