From: "Philippe Mathieu-Daudé" <f4bug@amsat.org>
To: Eric Blake <eblake@redhat.com>, qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
	"open list:iSCSI" <qemu-block@nongnu.org>,
	Peter Lieven <pl@kamp.de>,
	qemu-stable@nongnu.org, Max Reitz <mreitz@redhat.com>,
	Ronnie Sahlberg <ronniesahlberg@gmail.com>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] iscsi: Avoid potential for get_status overflow
Date: Wed, 9 May 2018 22:44:05 -0300
Message-ID: <dd2e5501-5829-4034-b91d-33c150e0ffc6@amsat.org>
In-Reply-To: <20180508212718.1482663-1-eblake@redhat.com>

On 05/08/2018 06:27 PM, Eric Blake wrote:
> Detected by Coverity: Multiplying two 32-bit int and assigning
> the result to a 64-bit number is a risk of overflow.  Prior to
> the conversion to byte-based interfaces, the block layer took
> care of ensuring that a status request never exceeded 2G in
> the driver; but after that conversion, the block layer expects
> drivers to deal with any size request (the driver can always
> truncate the request size back down, as long as it makes
> progress).  So, in the off-chance that someone makes a large
> request, we are at the mercy of whether iscsi_get_lba_status_task()
> will cap things to at most INT_MAX / iscsilun->block_size when
> it populates lbasd->num_blocks; since I could not easily audit
> that, it's better to be safe than sorry by just forcing a 64-bit
> multiply.

:)

> 
> Fixes: 92809c36
> CC: qemu-stable@nongnu.org
> Signed-off-by: Eric Blake <eblake@redhat.com>

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

> ---
>  block/iscsi.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/block/iscsi.c b/block/iscsi.c
> index 35423ded03b..a6311b9a320 100644
> --- a/block/iscsi.c
> +++ b/block/iscsi.c
> @@ -732,7 +732,7 @@ retry:
>          goto out_unlock;
>      }
> 
> -    *pnum = lbasd->num_blocks * iscsilun->block_size;
> +    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
> 
>      if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
>          lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
> 
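
Review bot: The (int64_t) cast on the *pnum assignment carries the whole fix but has no comment, so a later cleanup could drop it as redundant; a one-line comment above the assignment saying the multiply must be done in 64 bits because num_blocks times block_size can exceed 32 bits would protect it. The cast has to stay on lbasd->num_blocks alone, since that is what promotes the multiplication itself; wrapping the whole product in the cast would widen only the already-truncated result. The widened value is also stored with no upper bound in the visible lines, so it is worth confirming that callers accept a *pnum larger than the length they asked for, or clamping it to the request here.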

