From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43550)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1YtB5w-0000DH-3P
	for qemu-devel@nongnu.org; Fri, 15 May 2015 04:35:48 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1YtB5s-000188-42
	for qemu-devel@nongnu.org; Fri, 15 May 2015 04:35:48 -0400
Date: Fri, 15 May 2015 16:34:59 +0800
From: Fam Zheng <famz@redhat.com>
Message-ID: <20150515083459.GD13255@ad.nay.redhat.com>
References: <1431653951-28178-1-git-send-email-famz@redhat.com>
	<1431653951-28178-2-git-send-email-famz@redhat.com>
	<87twventvc.fsf@blackfin.pond.sub.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87twventvc.fsf@blackfin.pond.sub.org>
Subject: Re: [Qemu-devel] [PATCH 1/2] block: Detect multiplication overflow
 in bdrv_getlength
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Alberto Garcia <berto@igalia.com>, Markus Armbruster <armbru@redhat.com>
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org

On Fri, 05/15 10:10, Markus Armbruster wrote:
> Fam Zheng <famz@redhat.com> writes:
> 
> > Bogus image may have a large total_sectors that will overflow the
> > multiplication. For cleanness, fix the return code so the error message
> > will be meaningful.
> >
> > Reported-by: Richard W.M. Jones <rjones@redhat.com>
> > Signed-off-by: Fam Zheng <famz@redhat.com>
> > ---
> >  block.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/block.c b/block.c
> > index 7904098..5ee3fdf 100644
> > --- a/block.c
> > +++ b/block.c
> > @@ -2330,6 +2330,7 @@ int64_t bdrv_getlength(BlockDriverState *bs)
> >  {
> >      int64_t ret = bdrv_nb_sectors(bs);
> >  
> > +    ret = (int64_t)(ret * BDRV_SECTOR_SIZE) < 0 ? -EFBIG : ret;
> >      return ret < 0 ? ret : ret * BDRV_SECTOR_SIZE;
> >  }
> 
> Signed integer overflow is undefined behavior.  Your code works just
> fine on any remotely sane machine, *except* when the optimizer decides
> to use its undefined behavior license to mess with you.
> 
> A more prudent way to test for overflow would be something like
> 
>     ret > INT64_MAX / BDRV_SECTOR_SIZE

Yes, this is better, will fix.

Thanks,
Fam