From: Rik van Riel <riel@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH 1/3] fix signed/unsigned overflows in SCSI disk
Date: Wed, 28 Jan 2009 09:51:38 -0500 [thread overview]
Message-ID: <20090128145211.583289000@redhat.com> (raw)
In-Reply-To: 20090128145137.396187000@redhat.com
[-- Attachment #1: qemu-upstream.diff --]
[-- Type: text/plain, Size: 1784 bytes --]
Sector numbers can overflow on a virtual scsi disk of over 1TB
in size. Qemu's bdrv_read expects an int64_t, so fix the overflow
by going to that data type.
On large disks, we clip the capacity to 2TB instead of returning
"capacity modulo 2TB".
Turn sector_count into an unsigned to prevent a signed/unsigned
overflow with SCSI transfers larger than 2TB. We're unlikely to
ever hit this bug, but fixing it is just one line.
Signed-off-by: Rik van Riel <riel@redhat.com>
Index: qemu/trunk/hw/scsi-disk.c
===================================================================
--- qemu.orig/trunk/hw/scsi-disk.c
+++ qemu/trunk/hw/scsi-disk.c
@@ -47,11 +47,11 @@ do { fprintf(stderr, "scsi-disk: " fmt ,
typedef struct SCSIRequest {
SCSIDeviceState *dev;
uint32_t tag;
- /* ??? We should probably keep track of whether the data trasfer is
+ /* ??? We should probably keep track of whether the data transfer is
a read or a write. Currently we rely on the host getting it right. */
/* Both sector and sector_count are in terms of qemu 512 byte blocks. */
- int sector;
- int sector_count;
+ uint64_t sector;
+ uint32_t sector_count;
/* The amounnt of data in the buffer. */
int buf_len;
uint8_t *dma_buf;
@@ -731,6 +731,9 @@ static int32_t scsi_send_command(SCSIDev
/* Returned value is the address of the last sector. */
if (nb_sectors) {
nb_sectors--;
+ /* Clip to 2TB, instead of returning capacity modulo 2TB. */
+ if (nb_sectors > UINT32_MAX)
+ nb_sectors = UINT32_MAX;
outbuf[0] = (nb_sectors >> 24) & 0xff;
outbuf[1] = (nb_sectors >> 16) & 0xff;
outbuf[2] = (nb_sectors >> 8) & 0xff;
--
All rights reversed.
next prev parent reply other threads:[~2009-01-28 14:53 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-28 14:51 [Qemu-devel] [PATCH 0/3] fixes for the SCSI disk emulation Rik van Riel
2009-01-28 14:51 ` Rik van Riel [this message]
2009-01-28 14:51 ` [Qemu-devel] [PATCH 2/3] support >2TB SCSI disks Rik van Riel
2009-01-28 14:51 ` [Qemu-devel] [PATCH 3/3] SCSI divide capacity by s->cluster_size Rik van Riel
2009-01-28 16:49 ` Rene Rebe
2009-01-28 16:52 ` Rik van Riel
2009-01-28 21:42 ` Anthony Liguori
2009-01-28 21:59 ` [Qemu-devel] [PATCH 0/3] fixes for the SCSI disk emulation Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090128145211.583289000@redhat.com \
--to=riel@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.