File CVE-2016-8909-qemuu-audio-intel-hda-infinite-loop-in-processing-dma-buffer-stream.patch of Package xen.11298

References: bsc#1007160 CVE-2016-8909

Subject: audio: intel-hda: check stream entry count during transfer
From: Prasad J Pandit <pjp@fedoraproject.org> Thu Oct 20 13:10:24 2016 +0530
Date: Wed Oct 26 14:51:44 2016 +0200
Git: 0c0fc2b5fd534786051889459848764edd798050

The Intel HDA emulator uses a stream of buffers during DMA data
transfers. Each entry has a buffer length and a buffer pointer
position, which are used to derive the bytes to 'copy'. If this
length and buffer pointer were to be the same, 'copy' could be
set to zero (0), leading to an infinite loop. Add a check to
avoid it.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/audio/intel-hda.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/audio/intel-hda.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/audio/intel-hda.c
@@ -413,7 +413,8 @@ static bool intel_hda_xfer(HDACodecDevic
     }
 
     left = len;
-    while (left > 0) {
+    s = st->bentries;
+    while (left > 0 && s-- > 0) {
         copy = left;
         if (copy > st->bsize - st->lpib)
             copy = st->bsize - st->lpib;
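Review bot: the added loop bound `s-- > 0` caps the number of iterations at `st->bentries` but does not remove the condition the commit message describes: when `st->lpib == st->bsize`, `copy` is still derived as zero and the loop body still runs with a zero-length copy until the counter expires, so a guest can still drive up to `bentries` no-op iterations per transfer. Consider also breaking out (or returning false) as soon as `copy == 0`, e.g. `if (copy == 0) break;` directly after the `copy = st->bsize - st->lpib;` line, and adding a `trace`/log point when the iteration bound is hit so a guest that repeatedly triggers this state is observable on the host. Separately, the hunk introduces `s` without showing a declaration; confirm `intel_hda_xfer` already has a suitably typed `s` in scope (and that it is not still needed with its previous value later in the function), otherwise this will not compile or will silently clobber state. The commit message should mention why `bentries` is the right bound (one buffer entry per loop iteration).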