* [Qemu-devel] [PATCH] migration: fix potential overflow in multifd send
@ 2018-07-20 3:47 Peter Xu
2018-07-20 8:37 ` Juan Quintela
2018-07-24 15:59 ` Dr. David Alan Gilbert
0 siblings, 2 replies; 4+ messages in thread
From: Peter Xu @ 2018-07-20 3:47 UTC (permalink / raw)
To: qemu-devel; +Cc: Juan Quintela, Dr . David Alan Gilbert, peterx
I would guess it won't happen normally, but this should ease Coverity.
>>> CID 1394385: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "pages->used * 8192U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
854 transferred = pages->used * TARGET_PAGE_SIZE + p->packet_len;
Fixes: CID 1394385
CC: Juan Quintela <quintela@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
---
migration/ram.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/migration/ram.c b/migration/ram.c
index 52dd678092..fdd108475c 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -851,7 +851,7 @@ static void multifd_send_pages(void)
p->pages->block = NULL;
multifd_send_state->pages = p->pages;
p->pages = pages;
- transferred = pages->used * TARGET_PAGE_SIZE + p->packet_len;
+ transferred = ((uint64_t) pages->used) * TARGET_PAGE_SIZE + p->packet_len;
ram_counters.multifd_bytes += transferred;
ram_counters.transferred += transferred;;
qemu_mutex_unlock(&p->mutex);
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [PATCH] migration: fix potential overflow in multifd send
2018-07-20 3:47 [Qemu-devel] [PATCH] migration: fix potential overflow in multifd send Peter Xu
@ 2018-07-20 8:37 ` Juan Quintela
2018-07-24 15:59 ` Dr. David Alan Gilbert
1 sibling, 0 replies; 4+ messages in thread
From: Juan Quintela @ 2018-07-20 8:37 UTC (permalink / raw)
To: Peter Xu; +Cc: qemu-devel, Dr . David Alan Gilbert
Peter Xu <peterx@redhat.com> wrote:
> I would guess it won't happen normally, but this should ease Coverity.
>
>>>> CID 1394385: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>>> Potentially overflowing expression "pages->used * 8192U" with
>>>> type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit
>>>> arithmetic, and then used in a context that expects an expression
>>>> of type "uint64_t" (64 bits, unsigned).
> 854 transferred = pages->used * TARGET_PAGE_SIZE + p->packet_len;
>
> Fixes: CID 1394385
> CC: Juan Quintela <quintela@redhat.com>
> Signed-off-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
a - I hate C promotion rules
b - why gcc don't warn me
c - it don't matter. If the size of the package is bigger than 4GB, we
have other problems already.
Thanks, Juan.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [PATCH] migration: fix potential overflow in multifd send
2018-07-20 3:47 [Qemu-devel] [PATCH] migration: fix potential overflow in multifd send Peter Xu
2018-07-20 8:37 ` Juan Quintela
@ 2018-07-24 15:59 ` Dr. David Alan Gilbert
2018-07-24 16:06 ` Eric Blake
1 sibling, 1 reply; 4+ messages in thread
From: Dr. David Alan Gilbert @ 2018-07-24 15:59 UTC (permalink / raw)
To: Peter Xu; +Cc: qemu-devel, Juan Quintela
* Peter Xu (peterx@redhat.com) wrote:
> I would guess it won't happen normally, but this should ease Coverity.
>
> >>> CID 1394385: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> >>> Potentially overflowing expression "pages->used * 8192U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
> 854 transferred = pages->used * TARGET_PAGE_SIZE + p->packet_len;
>
> Fixes: CID 1394385
> CC: Juan Quintela <quintela@redhat.com>
> Signed-off-by: Peter Xu <peterx@redhat.com>
Queued
> ---
> migration/ram.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/migration/ram.c b/migration/ram.c
> index 52dd678092..fdd108475c 100644
> --- a/migration/ram.c
> +++ b/migration/ram.c
> @@ -851,7 +851,7 @@ static void multifd_send_pages(void)
> p->pages->block = NULL;
> multifd_send_state->pages = p->pages;
> p->pages = pages;
> - transferred = pages->used * TARGET_PAGE_SIZE + p->packet_len;
> + transferred = ((uint64_t) pages->used) * TARGET_PAGE_SIZE + p->packet_len;
> ram_counters.multifd_bytes += transferred;
> ram_counters.transferred += transferred;;
> qemu_mutex_unlock(&p->mutex);
> --
> 2.17.1
>
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [PATCH] migration: fix potential overflow in multifd send
2018-07-24 15:59 ` Dr. David Alan Gilbert
@ 2018-07-24 16:06 ` Eric Blake
0 siblings, 0 replies; 4+ messages in thread
From: Eric Blake @ 2018-07-24 16:06 UTC (permalink / raw)
To: Dr. David Alan Gilbert, Peter Xu; +Cc: qemu-devel, Juan Quintela
On 07/24/2018 10:59 AM, Dr. David Alan Gilbert wrote:
> * Peter Xu (peterx@redhat.com) wrote:
>> I would guess it won't happen normally, but this should ease Coverity.
>>
>> +++ b/migration/ram.c
>> @@ -851,7 +851,7 @@ static void multifd_send_pages(void)
>> p->pages->block = NULL;
>> multifd_send_state->pages = p->pages;
>> p->pages = pages;
>> - transferred = pages->used * TARGET_PAGE_SIZE + p->packet_len;
>> + transferred = ((uint64_t) pages->used) * TARGET_PAGE_SIZE + p->packet_len;
The outer () are not strictly necessary, as casts bind tighter than
multiply.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-07-24 16:06 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-07-20 3:47 [Qemu-devel] [PATCH] migration: fix potential overflow in multifd send Peter Xu
2018-07-20 8:37 ` Juan Quintela
2018-07-24 15:59 ` Dr. David Alan Gilbert
2018-07-24 16:06 ` Eric Blake
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.