From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:49338) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YYsYl-0002OY-64 for qemu-devel@nongnu.org; Fri, 20 Mar 2015 04:45:40 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YYsYh-0007m5-VF for qemu-devel@nongnu.org; Fri, 20 Mar 2015 04:45:39 -0400 Date: Fri, 20 Mar 2015 08:45:32 +0000 From: "Richard W.M. Jones" Message-ID: <20150320084532.GE11603@redhat.com> References: <1426821116-16617-1-git-send-email-david@gibson.dropbear.id.au> <1426821116-16617-3-git-send-email-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1426821116-16617-3-git-send-email-david@gibson.dropbear.id.au> Subject: Re: [Qemu-devel] [PATCH 2/2] i6300esb: Fix signed integer overflow List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: David Gibson Cc: qemu-devel@nongnu.org, qemu-ppc@nongnu.org, agraf@suse.de, mst@redhat.com On Fri, Mar 20, 2015 at 02:11:56PM +1100, David Gibson wrote: > If the guest programs a sufficiently large timeout value an integer > overflow can occur in i6300esb_restart_timer(). e.g. if the maximum > possible timer preload value of 0xfffff is programmed then we end up with > the calculation: > > timeout = get_ticks_per_sec() * (0xfffff << 15) / 33000000; > > get_ticks_per_sec() returns 1000000000 (10^9) giving: > > 10^9 * (0xfffff * 2^15) == 0x1dcd632329b000000 (65 bits) > > Obviously the division by 33MHz brings it back under 64-bits, but the > overflow has already occurred. > > Since signed integer overflow has undefined behaviour in C, in theory this > could be arbitrarily bad. In practice, the overflowed value wraps around > to something negative, causing the watchdog to immediately expire, killing > the guest, which is still fairly bad. > > The bug can be triggered by running a Linux guest, loading the i6300esb > driver with parameter "heartbeat=2046" and opening /dev/watchdog. The > watchdog will trigger as soon as the device is opened. > > This patch corrects the problem by using an __int128_t temporary. With > suitable rearrangement of the calculations, I expect it would be possible > to avoid the __int128_t. But since we already use __int128_t extensively > in the memory region code, and this is not a hot path, the super-wide > integer seems like the simplest approach. > > Signed-off-by: David Gibson > --- > hw/watchdog/wdt_i6300esb.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c > index e694fa9..11728af 100644 > --- a/hw/watchdog/wdt_i6300esb.c > +++ b/hw/watchdog/wdt_i6300esb.c > @@ -125,8 +125,14 @@ static void i6300esb_restart_timer(I6300State *d, int stage) > else > timeout <<= 5; > > - /* Get the timeout in units of ticks_per_sec. */ > - timeout = get_ticks_per_sec() * timeout / 33000000; > + /* Get the timeout in units of ticks_per_sec. > + * > + * ticks_per_sec is typically 10^9 == 0x3B9ACA00 (30 bits), with > + * 20 bits of user supplied preload, and 15 bits of scale, the > + * multiply here can exceed 64-bits, before we divide by 33MHz, so > + * we use a 128-bit temporary > + */ > + timeout = (__int128_t)get_ticks_per_sec() * timeout / 33000000; > > i6300esb_debug("stage %d, timeout %" PRIi64 "\n", d->stage, timeout); > > -- > 2.1.0 Reviewed-by: Richard W.M. Jones Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-df lists disk usage of guests without needing to install any software inside the virtual machine. Supports Linux and Windows. http://people.redhat.com/~rjones/virt-df/