Created attachment 204401 [details] Proposed patch There is a possible infinite loop vulnerability in function empty_aux_buffer of sys/dev/atkbdc/atkbdc.c Some systems (Intel/IBM blades) do not have keyboard devices and will thus hang in the processure. void empty_aux_buffer(KBDC p, int wait) { int t; int b; int f; #if KBDIO_DEBUG >= 2 int c1 = 0; int c2 = 0; #endif int delta = 2; for (t = wait; t > 0; ) { if ((f = read_status(kbdcp(p))) & KBDS_ANY_BUFFER_FULL) { DELAY(KBDD_DELAYTIME); b = read_data(kbdcp(p)); if ((f & KBDS_BUFFER_FULL) == KBDS_KBD_BUFFER_FULL) { addq(&kbdcp(p)->kbd, b); #if KBDIO_DEBUG >= 2 ++c1; } else { ++c2; #endif } t = wait; } else { t -= delta; } DELAY(delta*1000); } #if KBDIO_DEBUG >= 2 if ((c1 > 0) || (c2 > 0)) log(LOG_DEBUG, "kbdc: %d:%d char read (empty_aux_buffer)\n", c1, c2); #endif emptyq(&kbdcp(p)->aux); } The attachment is the proposed patch that are copied from https://github.com/freebsd/freebsd/commit/3631541670c84a8731b46350daa30502edb0ca80
Note to clarify: Commit referenced in comment 0 is base r161969 by dwhite in empty_both_buffers() Patch here is for adding the same fix to empty_aux_buffer()
^Triage: convert this to text/plain and set the Patch flag so that the automation can see it. Apparently a similar patch needs to be applied elsewhere in the src code.
Comment on attachment 204401 [details] Proposed patch ^Triage: convert this to text/plain and set the Patch flag so that the automation can see it.