From: Kevin Wolf <kwolf@redhat.com>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: qemu-devel@nongnu.org, mreitz@redhat.com
Subject: Re: [Qemu-devel] [PATCH 1/2] qed: check for header size overflow
Date: Wed, 14 Jan 2015 15:00:16 +0100 [thread overview]
Message-ID: <20150114140016.GH5136@noname.redhat.com> (raw)
In-Reply-To: <1421065893-18875-2-git-send-email-stefanha@redhat.com>
Am 12.01.2015 um 13:31 hat Stefan Hajnoczi geschrieben:
> Header size is denoted in clusters. The maximum cluster size is 64 MB
> but there is no limit on header size. Check for uint32_t overflow in
> case the header size field has a whacky value.
>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> block/qed.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/block/qed.c b/block/qed.c
> index 80f18d8..d2c6045 100644
> --- a/block/qed.c
> +++ b/block/qed.c
> @@ -440,6 +440,12 @@ static int bdrv_qed_open(BlockDriverState *bs, QDict *options, int flags,
> s->l2_mask = s->table_nelems - 1;
> s->l1_shift = s->l2_shift + ffs(s->table_nelems) - 1;
>
> + /* Header size calculation must not overflow uint32_t */
> + if ((uint64_t)s->header.cluster_size * s->header.header_size !=
> + s->header.cluster_size * s->header.header_size) {
Generally, I find checks that don't exercise the integer overflow easier
to read, i.e. in this case:
if (s->header.header_size > UINT32_MAX / s->header.cluster_size)
Or even just INT_MAX to be on the safe side. But I'll admit that it's a
matter of taste.
> + return -EINVAL;
> + }
> +
> if ((s->header.features & QED_F_BACKING_FILE)) {
> if ((uint64_t)s->header.backing_filename_offset +
> s->header.backing_filename_size >
Series: Reviewed-by: Kevin Wolf <kwolf@redhat.com>
next prev parent reply other threads:[~2015-01-14 14:00 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-12 12:31 [Qemu-devel] [PATCH 0/2] qed: additional input validation Stefan Hajnoczi
2015-01-12 12:31 ` [Qemu-devel] [PATCH 1/2] qed: check for header size overflow Stefan Hajnoczi
2015-01-14 14:00 ` Kevin Wolf [this message]
2015-01-12 12:31 ` [Qemu-devel] [PATCH 2/2] qemu-iotests: add 116 invalid QED input file tests Stefan Hajnoczi
2015-01-15 15:23 ` [Qemu-devel] [PATCH 0/2] qed: additional input validation Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150114140016.GH5136@noname.redhat.com \
--to=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).