Date: Thu, 16 May 2019 12:34:43 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 237924] Possible infinite loop in function empty_aux_buffer of sys/dev/atkbdc/atkbdc.c Message-ID: <bug-237924-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D237924 Bug ID: 237924 Summary: Possible infinite loop in function empty_aux_buffer of sys/dev/atkbdc/atkbdc.c Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: yangx92@hotmail.com Created attachment 204401 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D204401&action= =3Dedit Proposed patch There is a possible infinite loop vulnerability in function empty_aux_buffe= r of=20 sys/dev/atkbdc/atkbdc.c Some systems (Intel/IBM blades) do not have keyboard devices and will thus = hang in the processure. void empty_aux_buffer(KBDC p, int wait) { int t; int b; int f; #if KBDIO_DEBUG >=3D 2 int c1 =3D 0; int c2 =3D 0; #endif int delta =3D 2; for (t =3D wait; t > 0; ) { if ((f =3D read_status(kbdcp(p))) & KBDS_ANY_BUFFER_FULL) { DELAY(KBDD_DELAYTIME); b =3D read_data(kbdcp(p)); if ((f & KBDS_BUFFER_FULL) =3D=3D KBDS_KBD_BUFFER_FULL) { addq(&kbdcp(p)->kbd, b); #if KBDIO_DEBUG >=3D 2 ++c1; } else { ++c2; #endif } t =3D wait; } else { t -=3D delta; } DELAY(delta*1000); } #if KBDIO_DEBUG >=3D 2 if ((c1 > 0) || (c2 > 0)) log(LOG_DEBUG, "kbdc: %d:%d char read (empty_aux_buffer)\n", c1, c2= ); #endif emptyq(&kbdcp(p)->aux); } The attachment is the proposed patch that are copied from https://github.com/freebsd/freebsd/commit/3631541670c84a8731b46350daa30502e= db0ca80 --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-237924-227>