Re: [Qemu-devel] [PATCH] Fix subtle integer overflow bug in memory API

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Avi Kivity <avi@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: agraf@suse.de, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] Fix subtle integer overflow bug in memory API
Date: Wed, 14 Sep 2011 11:23:25 +0300	[thread overview]
Message-ID: <4E70647D.10408@redhat.com> (raw)
In-Reply-To: <1315983769-8287-1-git-send-email-david@gibson.dropbear.id.au>

On 09/14/2011 10:02 AM, David Gibson wrote:
> It is quite common to have a MemoryRegion with size of INT64_MAX.
> When processing alias regions in render_memory_region() it's quite
> easy to find a case where it will construct a temporary AddrRange with
> a non-zero start, and size still of INT64_MAX.  When means attempting
> to compute the end of such a range as start + size will result in
> signed integer overflow.
>
> This integer overflow means that addrrange_intersects() can
> incorrectly report regions as not intersecting when they do.  For
> example consider the case of address ranges {0x10000000000,
> 0x7fffffffffffffff} and {0x10010000000, 0x10000000} where the second
> is in fact included completely in the first.

Good catch, thanks for digging this out.

> This patch rearranges addrrange_intersects() to avoid the integer
> overflow, correcting this behaviour.

I expect that the bad behaviour can still be triggered, for example by 
pointing aliases towards the end of very large regions.  Not that I 
expect this to occur in practice.

I think we should move towards using __int128 internally.  Is there any 
relevant host which does not support __int128?

Meanwhile, applied to memory/core, and will request a pull shortly.

-- 
error compiling committee.c: too many arguments to function

next prev parent reply	other threads:[~2011-09-14  8:23 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-09-14  7:02 [Qemu-devel] [PATCH] Fix subtle integer overflow bug in memory API David Gibson
2011-09-14  8:23 ` Avi Kivity [this message]
2011-09-14  8:38   ` Avi Kivity
2011-09-15  2:34   ` David Gibson
2011-09-15  2:58     ` David Gibson
2011-09-15  7:28       ` Avi Kivity
2011-09-16  3:16         ` David Gibson
2011-09-15  7:38     ` Paolo Bonzini
2011-09-15  7:43       ` Avi Kivity

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4E70647D.10408@redhat.com \
    --to=avi@redhat.com \
    --cc=agraf@suse.de \
    --cc=david@gibson.dropbear.id.au \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.