Date: Thu, 16 May 2019 12:34:43 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 237924] Possible infinite loop in function empty_aux_buffer of sys/dev/atkbdc/atkbdc.c Message-ID: <bug-237924-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237924 Bug ID: 237924 Summary: Possible infinite loop in function empty_aux_buffer of sys/dev/atkbdc/atkbdc.c Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: yangx92@hotmail.com Created attachment 204401 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204401&action=edit Proposed patch There is a possible infinite loop vulnerability in function empty_aux_buffer of sys/dev/atkbdc/atkbdc.c Some systems (Intel/IBM blades) do not have keyboard devices and will thus hang in the processure. void empty_aux_buffer(KBDC p, int wait) { int t; int b; int f; #if KBDIO_DEBUG >= 2 int c1 = 0; int c2 = 0; #endif int delta = 2; for (t = wait; t > 0; ) { if ((f = read_status(kbdcp(p))) & KBDS_ANY_BUFFER_FULL) { DELAY(KBDD_DELAYTIME); b = read_data(kbdcp(p)); if ((f & KBDS_BUFFER_FULL) == KBDS_KBD_BUFFER_FULL) { addq(&kbdcp(p)->kbd, b); #if KBDIO_DEBUG >= 2 ++c1; } else { ++c2; #endif } t = wait; } else { t -= delta; } DELAY(delta*1000); } #if KBDIO_DEBUG >= 2 if ((c1 > 0) || (c2 > 0)) log(LOG_DEBUG, "kbdc: %d:%d char read (empty_aux_buffer)\n", c1, c2); #endif emptyq(&kbdcp(p)->aux); } The attachment is the proposed patch that are copied from https://github.com/freebsd/freebsd/commit/3631541670c84a8731b46350daa30502edb0ca80 -- You are receiving this mail because: You are the assignee for the bug.help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-237924-227>