* [Qemu-devel] [PATCH] iscsi: Avoid potential for get_status overflow
@ 2018-05-08 21:27 Eric Blake
  2018-05-10  1:44 ` Philippe Mathieu-Daudé
  2018-05-10 13:28 ` Paolo Bonzini
  0 siblings, 2 replies; 4+ messages in thread
From: Eric Blake @ 2018-05-08 21:27 UTC (permalink / raw)
  To: qemu-devel
  Cc: qemu-stable, Ronnie Sahlberg, Paolo Bonzini, Peter Lieven,
	Kevin Wolf, Max Reitz, open list:iSCSI

Detected by Coverity: Multiplying two 32-bit int and assigning
the result to a 64-bit number is a risk of overflow.  Prior to
the conversion to byte-based interfaces, the block layer took
care of ensuring that a status request never exceeded 2G in
the driver; but after that conversion, the block layer expects
drivers to deal with any size request (the driver can always
truncate the request size back down, as long as it makes
progress).  So, in the off-chance that someone makes a large
request, we are at the mercy of whether iscsi_get_lba_status_task()
will cap things to at most INT_MAX / iscsilun->block_size when
it populates lbasd->num_blocks; since I could not easily audit
that, it's better to be safe than sorry by just forcing a 64-bit
multiply.

Fixes: 92809c36
CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
---
 block/iscsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index 35423ded03b..a6311b9a320 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -732,7 +732,7 @@ retry:
         goto out_unlock;
     }

-    *pnum = lbasd->num_blocks * iscsilun->block_size;
+    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;

     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
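Review bot: the cast widens the multiply, but the hunk still passes the target-supplied block count straight through to *pnum without bounding it to the request length; the commit message itself says num_blocks is not known to be capped by iscsi_get_lba_status_task() and that the driver is allowed to truncate, so unless code after this hunk already clamps, a clamp directly after the assignment along the lines of `*pnum = MIN(*pnum, <request length>);` (using whatever name the byte count of the request has in this function) would stop a misbehaving target from making the driver report a status extent far larger than what was asked for. A one-line comment that the (int64_t) cast is deliberate would also keep a later cleanup from dropping it and reintroducing the 32-bit product.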
-- 
2.14.3

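The arithmetic the commit message describes, as an added example that is not code from QEMU or libiscsi: a 32-bit block count from a GET LBA STATUS descriptor times a 32-bit block size, stored into a 64-bit byte count. The operand widths (uint32_t for both) and the two struct shapes are assumptions made for this example; with signed 32-bit operands the narrow product would be undefined behaviour rather than a wrap. The third function goes beyond the patch and treats the descriptor as untrusted input, refusing a product that does not fit and never reporting more than the caller requested.

```c
/*
 * Added example, not code from QEMU or libiscsi.  Reproduces the
 * arithmetic the patch above changes.  Operand widths (uint32_t for
 * both) and struct layouts are assumptions made for this example.
 */
#include <stdint.h>
#include <stdio.h>

/* Stand-in for libiscsi's LBA status descriptor (assumed shape). */
struct lba_status_desc {
    uint64_t lba;
    uint32_t num_blocks;     /* filled in from the target's response */
};

/* Stand-in for the QEMU per-LUN state (assumed shape). */
struct lun {
    uint32_t block_size;
};

/* Pre-patch form: both operands are 32-bit, so the product is computed
 * in 32 bits and wraps modulo 2^32 before it is widened to int64_t. */
int64_t pnum_narrow(const struct lba_status_desc *d, const struct lun *l)
{
    uint32_t bytes32 = d->num_blocks * l->block_size;
    return (int64_t) bytes32;
}

/* Patched form: cast one operand first, so the multiply itself is 64-bit.
 * Casting the product instead, (int64_t)(a * b), would not help. */
int64_t pnum_wide(const struct lba_status_desc *d, const struct lun *l)
{
    return (int64_t) d->num_blocks * l->block_size;
}

/* Stricter variant (an assumption, not part of the patch): the descriptor
 * came over the network, so refuse a product that does not fit in int64_t
 * and never report more than the caller asked for.  Returns 0 on success,
 * -1 on overflow. */
int pnum_checked(const struct lba_status_desc *d, const struct lun *l,
                 int64_t request_bytes, int64_t *pnum)
{
    int64_t bytes;

    if (__builtin_mul_overflow((int64_t) d->num_blocks,
                               (int64_t) l->block_size, &bytes)) {
        return -1;
    }
    if (bytes > request_bytes) {
        bytes = request_bytes;   /* driver may truncate, never over-report */
    }
    *pnum = bytes;
    return 0;
}

int main(void)
{
    /* Constructed input: 8 Mi blocks of 512 bytes is exactly 4 GiB, so the
     * 32-bit product wraps to 0 while the 64-bit one is correct. */
    struct lba_status_desc d = { .lba = 0, .num_blocks = UINT32_C(1) << 23 };
    struct lun l = { .block_size = 512 };
    int64_t pnum;

    printf("narrow: %lld bytes\n", (long long) pnum_narrow(&d, &l));
    printf("wide:   %lld bytes\n", (long long) pnum_wide(&d, &l));
    if (pnum_checked(&d, &l, INT64_C(1) << 30, &pnum) == 0) {
        printf("checked, 1 GiB request: %lld bytes\n", (long long) pnum);
    }
    return 0;
}
```

The narrow form reports zero bytes of status for a 4 GiB extent, which is the silent wrong answer Coverity flagged; the checked form also shows where a clamp to the request length would sit if the driver wanted to enforce the truncation the commit message says it is allowed to do.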

* Re: [Qemu-devel] [PATCH] iscsi: Avoid potential for get_status overflow
  2018-05-08 21:27 [Qemu-devel] [PATCH] iscsi: Avoid potential for get_status overflow Eric Blake
@ 2018-05-10  1:44 ` Philippe Mathieu-Daudé
  2018-05-10 13:28 ` Paolo Bonzini
  1 sibling, 0 replies; 4+ messages in thread
From: Philippe Mathieu-Daudé @ 2018-05-10  1:44 UTC (permalink / raw)
  To: Eric Blake, qemu-devel
  Cc: Kevin Wolf, open list:iSCSI, Peter Lieven, qemu-stable,
	Max Reitz, Ronnie Sahlberg, Paolo Bonzini


On 05/08/2018 06:27 PM, Eric Blake wrote:
> Detected by Coverity: Multiplying two 32-bit int and assigning
> the result to a 64-bit number is a risk of overflow.  Prior to
> the conversion to byte-based interfaces, the block layer took
> care of ensuring that a status request never exceeded 2G in
> the driver; but after that conversion, the block layer expects
> drivers to deal with any size request (the driver can always
> truncate the request size back down, as long as it makes
> progress).  So, in the off-chance that someone makes a large
> request, we are at the mercy of whether iscsi_get_lba_status_task()
> will cap things to at most INT_MAX / iscsilun->block_size when
> it populates lbasd->num_blocks; since I could not easily audit
> that, it's better to be safe than sorry by just forcing a 64-bit
> multiply.

:)

> 
> Fixes: 92809c36
> CC: qemu-stable@nongnu.org
> Signed-off-by: Eric Blake <eblake@redhat.com>

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

> ---
>  block/iscsi.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/block/iscsi.c b/block/iscsi.c
> index 35423ded03b..a6311b9a320 100644
> --- a/block/iscsi.c
> +++ b/block/iscsi.c
> @@ -732,7 +732,7 @@ retry:
>          goto out_unlock;
>      }
> 
> -    *pnum = lbasd->num_blocks * iscsilun->block_size;
> +    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
> 
>      if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
>          lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
> 


* Re: [Qemu-devel] [PATCH] iscsi: Avoid potential for get_status overflow
  2018-05-08 21:27 [Qemu-devel] [PATCH] iscsi: Avoid potential for get_status overflow Eric Blake
  2018-05-10  1:44 ` Philippe Mathieu-Daudé
@ 2018-05-10 13:28 ` Paolo Bonzini
  2018-06-28 18:58   ` Eric Blake
  1 sibling, 1 reply; 4+ messages in thread
From: Paolo Bonzini @ 2018-05-10 13:28 UTC (permalink / raw)
  To: Eric Blake, qemu-devel
  Cc: qemu-stable, Ronnie Sahlberg, Peter Lieven, Kevin Wolf,
	Max Reitz, open list:iSCSI

On 08/05/2018 23:27, Eric Blake wrote:
> Detected by Coverity: Multiplying two 32-bit int and assigning
> the result to a 64-bit number is a risk of overflow.  Prior to
> the conversion to byte-based interfaces, the block layer took
> care of ensuring that a status request never exceeded 2G in
> the driver; but after that conversion, the block layer expects
> drivers to deal with any size request (the driver can always
> truncate the request size back down, as long as it makes
> progress).  So, in the off-chance that someone makes a large
> request, we are at the mercy of whether iscsi_get_lba_status_task()
> will cap things to at most INT_MAX / iscsilun->block_size when
> it populates lbasd->num_blocks; since I could not easily audit
> that, it's better to be safe than sorry by just forcing a 64-bit
> multiply.
> 
> Fixes: 92809c36
> CC: qemu-stable@nongnu.org
> Signed-off-by: Eric Blake <eblake@redhat.com>
> ---
>  block/iscsi.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/block/iscsi.c b/block/iscsi.c
> index 35423ded03b..a6311b9a320 100644
> --- a/block/iscsi.c
> +++ b/block/iscsi.c
> @@ -732,7 +732,7 @@ retry:
>          goto out_unlock;
>      }
> 
> -    *pnum = lbasd->num_blocks * iscsilun->block_size;
> +    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
> 
>      if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
>          lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
> 

Queued, thanks.

Paolo


* Re: [Qemu-devel] [PATCH] iscsi: Avoid potential for get_status overflow
  2018-05-10 13:28 ` Paolo Bonzini
@ 2018-06-28 18:58   ` Eric Blake
  0 siblings, 0 replies; 4+ messages in thread
From: Eric Blake @ 2018-06-28 18:58 UTC (permalink / raw)
  To: Paolo Bonzini, qemu-devel
  Cc: qemu-stable, Ronnie Sahlberg, Peter Lieven, Kevin Wolf,
	Max Reitz, open list:iSCSI

On 05/10/2018 08:28 AM, Paolo Bonzini wrote:
> On 08/05/2018 23:27, Eric Blake wrote:
>> Detected by Coverity: Multiplying two 32-bit int and assigning
>> the result to a 64-bit number is a risk of overflow.  Prior to
>> the conversion to byte-based interfaces, the block layer took
>> care of ensuring that a status request never exceeded 2G in
>> the driver; but after that conversion, the block layer expects
>> drivers to deal with any size request (the driver can always
>> truncate the request size back down, as long as it makes
>> progress).  So, in the off-chance that someone makes a large
>> request, we are at the mercy of whether iscsi_get_lba_status_task()
>> will cap things to at most INT_MAX / iscsilun->block_size when
>> it populates lbasd->num_blocks; since I could not easily audit
>> that, it's better to be safe than sorry by just forcing a 64-bit
>> multiply.
>>
>> Fixes: 92809c36
>> CC: qemu-stable@nongnu.org
>> Signed-off-by: Eric Blake <eblake@redhat.com>
>> ---

> 
> Queued, thanks.

It's been more than a month since this was queued but it is still not on 
mainline - did it get lost?

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

