From: Max Reitz <mreitz@redhat.com>
To: qemu-block@nongnu.org
Cc: qemu-devel@nongnu.org, Max Reitz <mreitz@redhat.com>,
	Peter Maydell <peter.maydell@linaro.org>
Subject: [Qemu-devel] [PULL 15/15] block/parallels: Avoid overflows
Date: Mon,  3 Apr 2017 17:33:55 +0200
Message-ID: <20170403153355.19722-16-mreitz@redhat.com>
In-Reply-To: <20170403153355.19722-1-mreitz@redhat.com>

Change the types of variables in allocate_clusters() to int64_t so we do
not have to worry about potential overflows.

Add an assertion that our accesses to s->bat[] do not result in a buffer
overflow and that the implicit conversion performed when invoking
bat_entry_off() does not result in an integer overflow.

Coverity-id: 1307776
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 20170331170512.10381-1-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Max Reitz <mreitz@redhat.com>
---
 block/parallels.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/block/parallels.c b/block/parallels.c
index 4173b3fb9d..90acf79687 100644
--- a/block/parallels.c
+++ b/block/parallels.c
@@ -192,8 +192,7 @@ static int64_t allocate_clusters(BlockDriverState *bs, int64_t sector_num,
                                  int nb_sectors, int *pnum)
 {
     BDRVParallelsState *s = bs->opaque;
-    uint32_t idx, to_allocate, i;
-    int64_t pos, space;
+    int64_t pos, space, idx, to_allocate, i;
 
     pos = block_status(s, sector_num, nb_sectors, pnum);
     if (pos > 0) {
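Review bot: the widening of idx, to_allocate and i to int64_t removes the silent truncation of sector_num / s->tracks into a uint32_t, but the uses of `i` are not in this hunk, so please confirm that every loop over `i` and every call that passes idx or i to a parameter narrower than int64_t (the commit message names bat_entry_off()) is reached only after the new assertion, since a narrowing conversion at a call site is safe only once the value has been bounded.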
@@ -201,11 +200,19 @@ static int64_t allocate_clusters(BlockDriverState *bs, int64_t sector_num,
     }
 
     idx = sector_num / s->tracks;
-    if (idx >= s->bat_size) {
-        return -EINVAL;
-    }
-
     to_allocate = DIV_ROUND_UP(sector_num + *pnum, s->tracks) - idx;
+
+    /* This function is called only by parallels_co_writev(), which will never
+     * pass a sector_num at or beyond the end of the image (because the block
+     * layer never passes such a sector_num to that function). Therefore, idx
+     * is always below s->bat_size.
+     * block_status() will limit *pnum so that sector_num + *pnum will not
+     * exceed the image end. Therefore, idx + to_allocate cannot exceed
+     * s->bat_size.
+     * Note that s->bat_size is an unsigned int, therefore idx + to_allocate
+     * will always fit into a uint32_t. */
+    assert(idx < s->bat_size && idx + to_allocate <= s->bat_size);
+
     space = to_allocate * s->tracks;
     if (s->data_end + space > bdrv_getlength(bs->file->bs) >> BDRV_SECTOR_BITS) {
         int ret;
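Review bot: dropping the `return -EINVAL` path in favour of assert() turns an out-of-range sector_num from a recoverable I/O error into a process abort, so the comment's justification (only parallels_co_writev() calls this, and the block layer plus block_status() bound sector_num and *pnum) becomes load-bearing and should be re-checked whenever a new caller is added; consider stating that contract in the function's header comment. The final sentence of the comment is also the one that makes the implicit conversion in bat_entry_off() safe (idx + to_allocate fits a uint32_t because s->bat_size is an unsigned int); saying that purpose explicitly would make the assertion easier to keep correct when the types are touched again.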
-- 
2.12.1
