From: Eric Blake <eblake@redhat.com>
To: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>,
	qemu-block@nongnu.org
Cc: fam@euphon.net, kwolf@redhat.com, berto@igalia.com,
	qemu-devel@nongnu.org, mreitz@redhat.com, stefanha@redhat.com,
	den@openvz.org
Subject: Re: [PATCH v4 07/16] block/io: improve bdrv_check_request: check qiov too
Date: Fri, 22 Jan 2021 08:48:03 -0600
Message-ID: <7a7dfe73-55f6-a380-4f1e-1d114dadb543@redhat.com>
In-Reply-To: <20201211183934.169161-8-vsementsov@virtuozzo.com>

On 12/11/20 12:39 PM, Vladimir Sementsov-Ogievskiy wrote:
> Operations with qiov add more restrictions on bytes, let's cover it.
> 
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> ---
>  block/io.c | 46 +++++++++++++++++++++++++++++++++++++++-------
>  1 file changed, 39 insertions(+), 7 deletions(-)
> 
> diff --git a/block/io.c b/block/io.c
> index 4a057660f8..42e687a388 100644
> --- a/block/io.c
> +++ b/block/io.c
> @@ -898,8 +898,14 @@ static bool coroutine_fn bdrv_wait_serialising_requests(BdrvTrackedRequest *self
>      return waited;
>  }
>  
> -int bdrv_check_request(int64_t offset, int64_t bytes, Error **errp)
> +static int bdrv_check_qiov_request(int64_t offset, int64_t bytes,
> +                                   QEMUIOVector *qiov, size_t qiov_offset,
> +                                   Error **errp)
>  {
> +    /*
> +     * Check generic offset/bytes correctness
> +     */
> +
>      if (offset < 0) {
>          error_setg(errp, "offset is negative: %" PRIi64, offset);
>          return -EIO;
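Review bot: the non-static bdrv_check_request(int64_t offset, int64_t bytes, Error **errp) that this hunk turns into the static bdrv_check_qiov_request() is not reinstated anywhere in the quoted hunks, while the copy_range hunk further down shows bdrv_check_request32() growing qiov/qiov_offset parameters; the 39-insertion/7-deletion diffstat suggests a wrapper with the old signature lands in the unquoted part of the patch, but the one-line commit message ("let's cover it") should spell out which entry points keep the offset/bytes-only signature and which callers were switched, so a reader of the log can see that callers outside block/io.c still build at this commit. Minor style point: the three-line block comment "Check generic offset/bytes correctness" would read just as well as a single-line /* ... */ comment.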
> @@ -929,12 +935,38 @@ int bdrv_check_request(int64_t offset, int64_t bytes, Error **errp)
>          return -EIO;
>      }
>  
> +    if (!qiov) {
> +        return 0;
> +    }

I guess this short circuit is for write zeroes...

> +
> +    /*
> +     * Check qiov and qiov_offset
> +     */
> +
> +    if (qiov_offset > qiov->size) {
> +        error_setg(errp, "qiov_offset(%zu) overflow io vector size(%zu)",
> +                   qiov_offset, qiov->size);
> +        return -EIO;
> +    }
> +
> +    if (bytes > qiov->size - qiov_offset) {
> +        error_setg(errp, "bytes(%" PRIi64 ") + qiov_offset(%zu) overflow io "
> +                   "vector size(%zu)", bytes, qiov_offset, qiov->size);
> +        return -EIO;
> +    }
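Review bot: the "if (!qiov) { return 0; }" short circuit silently accepts any qiov_offset when no vector is passed, so a caller that hands in a stale non-zero offset together with a NULL qiov is ignored rather than caught; since every NULL caller shown in this series passes "NULL, 0" (see the copy_range hunk), an assert(qiov_offset == 0) in that branch would make the contract explicit. The two bounds checks that follow are correct and correctly ordered: "qiov_offset > qiov->size" is rejected first, so "qiov->size - qiov_offset" cannot wrap, and only then is "bytes > qiov->size - qiov_offset" evaluated. That second comparison mixes int64_t and size_t, which is safe only because the elided generic checks above have already rejected negative bytes (otherwise a negative value would be converted to a huge unsigned one and pass); a one-line comment stating that dependency would protect the next person who reorders the checks. Wording nit: "overflow" should be "overflows" in both new error messages.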

Yes, worthwhile additions.

> @@ -3135,7 +3167,7 @@ static int coroutine_fn bdrv_co_copy_range_internal(
>      if (!dst || !dst->bs || !bdrv_is_inserted(dst->bs)) {
>          return -ENOMEDIUM;
>      }
> -    ret = bdrv_check_request32(dst_offset, bytes);
> +    ret = bdrv_check_request32(dst_offset, bytes, NULL, 0);
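Review bot: only the dst_offset call is visible in this hunk and it carries no trailing context, so confirm that the matching check on src_offset in bdrv_co_copy_range_internal(), if there is one, receives the same "NULL, 0" treatment. More generally, a "NULL, 0" sentinel pair at every caller that has no buffer is easy to get wrong in later patches; keeping a two-argument bdrv_check_request32(offset, bytes) for buffer-less callers alongside a qiov-taking variant would document intent at the call site instead of through a sentinel.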

...ah, it's also for copy_range; basically any caller that isn't using a
qiov and therefore can't overflow qiov bounds.

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org
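An added example, not part of Eric's reply or of QEMU's own code: a stand-alone C model of the check order the patch introduces, written to show why the qiov bounds are tested as "qiov_offset > size" followed by "bytes > size - qiov_offset" rather than by adding first. Assumptions: IOVec is a stand-in for QEMUIOVector carrying only the total size, set_err() stands in for error_setg(), and the "bytes < 0" and offset+bytes overflow checks model what the elided generic part of bdrv_check_request() is presumed to do. The naive_qiov_check() function is included only to contrast the wrapping behaviour of the add-first form.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-in for QEMUIOVector (assumption): only the total byte size matters
 * for the bounds check, so the iovec array itself is omitted.
 */
typedef struct {
    size_t size;
} IOVec;

/* Sample 4 KiB vector used by the demonstrations below (constructed). */
static const IOVec v4k = { 4096 };

/* Stand-in for error_setg(): formats into a caller buffer if one is given. */
static void set_err(char *err, size_t errlen, const char *fmt, ...)
{
    va_list ap;
    if (!err || errlen == 0) {
        return;
    }
    va_start(ap, fmt);
    vsnprintf(err, errlen, fmt, ap);
    va_end(ap);
}

/*
 * Same check order as the patch: generic offset/bytes sanity first, then,
 * only when a vector is present, the qiov_offset/bytes bounds.
 * Returns 0 on success, -EIO on a rejected request.
 */
static int check_qiov_request(int64_t offset, int64_t bytes,
                              const IOVec *qiov, size_t qiov_offset,
                              char *err, size_t errlen)
{
    if (offset < 0) {
        set_err(err, errlen, "offset is negative: %" PRIi64, offset);
        return -EIO;
    }
    if (bytes < 0) {
        set_err(err, errlen, "bytes is negative: %" PRIi64, bytes);
        return -EIO;
    }
    /* Subtract rather than add so this check cannot itself overflow. */
    if (bytes > INT64_MAX - offset) {
        set_err(err, errlen, "offset(%" PRIi64 ") + bytes(%" PRIi64 ") overflow",
                offset, bytes);
        return -EIO;
    }
    if (!qiov) {
        /* Buffer-less callers (write zeroes, copy_range) pass NULL, 0. */
        return 0;
    }
    if (qiov_offset > qiov->size) {
        set_err(err, errlen, "qiov_offset(%zu) overflows io vector size(%zu)",
                qiov_offset, qiov->size);
        return -EIO;
    }
    /*
     * bytes is known non-negative here, so the cast is exact and makes the
     * signed/unsigned comparison explicit; subtracting first means a huge
     * qiov_offset was already rejected and the remainder cannot wrap.
     */
    if ((uint64_t)bytes > (uint64_t)(qiov->size - qiov_offset)) {
        set_err(err, errlen, "bytes(%" PRIi64 ") + qiov_offset(%zu) overflow "
                "io vector size(%zu)", bytes, qiov_offset, qiov->size);
        return -EIO;
    }
    return 0;
}

/*
 * The add-first form the patch avoids: qiov_offset + bytes can wrap size_t
 * and let an out-of-bounds request through. Shown only for contrast.
 */
static int naive_qiov_check(int64_t bytes, const IOVec *qiov, size_t qiov_offset)
{
    return (qiov_offset + (size_t)bytes > qiov->size) ? -EIO : 0;
}

int main(void)
{
    char err[128];
    struct { int64_t bytes; size_t qiov_offset; } cases[] = {
        { 4096, 0 }, { 4096, 1 }, { 0, 4097 }, { 20, SIZE_MAX - 10 },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        err[0] = '\0';
        int ret = check_qiov_request(0, cases[i].bytes, &v4k,
                                     cases[i].qiov_offset, err, sizeof(err));
        int naive = naive_qiov_check(cases[i].bytes, &v4k, cases[i].qiov_offset);
        printf("bytes=%" PRIi64 " qiov_offset=%zu: checked=%d naive=%d %s\n",
               cases[i].bytes, cases[i].qiov_offset, ret, naive, err);
    }
    return 0;
}
```

The last constructed case is the one that separates the two forms: with qiov_offset just below SIZE_MAX, the add-first check wraps to a small number and accepts a request that the subtract-first check rejects at the very first qiov test.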


