[PATCH] migration: fix-possible-int-overflow

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] migration: fix-possible-int-overflow
@ 2024-11-13 14:05 Dmitry Frolov
  2024-11-13 18:01 ` Peter Xu
  0 siblings, 1 reply; 2+ messages in thread
From: Dmitry Frolov @ 2024-11-13 14:05 UTC (permalink / raw)
  To: peterx, farosas; +Cc: sdl.qemu, qemu-devel, Dmitry Frolov

stat64_add() takes uint64_t as 2nd argument, but both
"p->next_packet_size" and "p->packet_len" are uint32_t.
Thus, theyr sum may overflow uint32_t.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
---
 migration/multifd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/migration/multifd.c b/migration/multifd.c
index 4374e14a96..498e71fd10 100644
--- a/migration/multifd.c
+++ b/migration/multifd.c
@@ -623,7 +623,7 @@ static void *multifd_send_thread(void *opaque)
             }
 
             stat64_add(&mig_stats.multifd_bytes,
-                       p->next_packet_size + p->packet_len);
+                       (uint64_t)p->next_packet_size + p->packet_len);
 
             p->next_packet_size = 0;
             multifd_set_payload_type(p->data, MULTIFD_PAYLOAD_NONE);
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] migration: fix-possible-int-overflow
  2024-11-13 14:05 [PATCH] migration: fix-possible-int-overflow Dmitry Frolov
@ 2024-11-13 18:01 ` Peter Xu
  0 siblings, 0 replies; 2+ messages in thread
From: Peter Xu @ 2024-11-13 18:01 UTC (permalink / raw)
  To: Dmitry Frolov; +Cc: farosas, sdl.qemu, qemu-devel

On Wed, Nov 13, 2024 at 05:05:01PM +0300, Dmitry Frolov wrote:
> stat64_add() takes uint64_t as 2nd argument, but both
> "p->next_packet_size" and "p->packet_len" are uint32_t.
> Thus, theyr sum may overflow uint32_t.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
> ---
>  migration/multifd.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/migration/multifd.c b/migration/multifd.c
> index 4374e14a96..498e71fd10 100644
> --- a/migration/multifd.c
> +++ b/migration/multifd.c
> @@ -623,7 +623,7 @@ static void *multifd_send_thread(void *opaque)
>              }
>  
>              stat64_add(&mig_stats.multifd_bytes,
> -                       p->next_packet_size + p->packet_len);
> +                       (uint64_t)p->next_packet_size + p->packet_len);

IIUC this will never overflow due to the hard limits on both
variables.. but it turns out this is the only place anyway to have such
concern, so no harm to have this if it helps quiesce some warnings indeed..

Queued, thanks.

>  
>              p->next_packet_size = 0;
>              multifd_set_payload_type(p->data, MULTIFD_PAYLOAD_NONE);
> -- 
> 2.43.0
> 
> 

-- 
Peter Xu



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2024-11-13 18:02 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-11-13 14:05 [PATCH] migration: fix-possible-int-overflow Dmitry Frolov
2024-11-13 18:01 ` Peter Xu

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.