qemu-devel.nongnu.org archive mirror
From: Max Reitz <mreitz@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>, qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
	Stefan Hajnoczi <stefanha@redhat.com>,
	Coiby Xu <Coiby.Xu@gmail.com>,
	qemu-block@nongnu.org
Subject: Re: [PATCH for-5.2] block/export/vhost-user-blk-server.c: Avoid potential integer overflow
Date: Mon, 9 Nov 2020 16:16:45 +0100
Message-ID: <4c65f0d3-3769-b659-985f-f0cc5263a41e@redhat.com>
In-Reply-To: <20201109150522.10350-1-peter.maydell@linaro.org>

[Cc-ing Stefan]

On 09.11.20 16:05, Peter Maydell wrote:
> In vu_blk_discard_write_zeroes(), we read a 32-bit sector count from
> the descriptor and convert it to a 64-bit byte count. Coverity warns
> that the left shift is done with 32-bit arithmetic so it might
> overflow before the conversion to 64-bit happens. Add a cast to
> avoid this.

This will silence Coverity, but both functions to which range[1] is then 
passed (blk_co_pdiscard() and blk_co_pwrite_zeroes()) only accept ints 
there, so this would only move the overflow to the function call.

Shouldn’t we verify that the number of sectors is in range and return an 
error if it isn’t?  (The same probably goes for the starting sector, 
then, too.)

Max

> Fixes: Coverity CID 1435956
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> Tested with 'make check' and 'make check-acceptance' only.
> ---
>   block/export/vhost-user-blk-server.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/block/export/vhost-user-blk-server.c b/block/export/vhost-user-blk-server.c
> index 62672d1cb95..e5749451e65 100644
> --- a/block/export/vhost-user-blk-server.c
> +++ b/block/export/vhost-user-blk-server.c
> @@ -70,7 +70,7 @@ vu_blk_discard_write_zeroes(BlockBackend *blk, struct iovec *iov,
>       }
>   
>       uint64_t range[2] = { le64_to_cpu(desc.sector) << 9,
> -                          le32_to_cpu(desc.num_sectors) << 9 };
> +                          (uint64_t)le32_to_cpu(desc.num_sectors) << 9 };
>       if (type == VIRTIO_BLK_T_DISCARD) {
>           if (blk_co_pdiscard(blk, range[0], range[1]) == 0) {
>               return 0;
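Review bot: the cast on the changed num_sectors line fixes only the width of the shift; the resulting byte count is still not range-checked before it is passed as range[1] to blk_co_pdiscard() two lines below. With a 32-bit num_sectors the widened value can reach (2^32 - 1) << 9, just under 2 TiB, so a callee that takes an int byte count (as the reply above points out) would see a truncated length. Suggest rejecting the request with an error when num_sectors exceeds what fits after the shift (for example INT_MAX >> 9) before building range[]. The unchanged context line le64_to_cpu(desc.sector) << 9 has the same shape: a 64-bit shift that drops the top 9 bits of the descriptor's sector value, so the starting sector should get a bound check in the same place.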
> 
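The point made in the reply above, as an added example (not code from the thread or from QEMU): the cast makes the 64-bit byte count exact, but only a range check keeps an oversized request away from a callee with a narrower parameter. The helper name sectors_to_range() is hypothetical, the sample sector count is constructed, and the callee is assumed to take an int64_t byte offset and an int byte count.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SECTOR_BITS 9 /* 512-byte sectors, the "<< 9" in the patch */

/* Pre-patch expression: the shift is done in 32 bits and wraps. */
static uint64_t bytes_shift32(uint32_t num_sectors)
{
    return num_sectors << SECTOR_BITS;
}

/* Patched expression: widen first, so the 64-bit byte count is exact. */
static uint64_t bytes_shift64(uint32_t num_sectors)
{
    return (uint64_t)num_sectors << SECTOR_BITS;
}

/*
 * Range check along the lines suggested in the reply (hypothetical helper).
 * Assumes the callee takes an int64_t byte offset and an int byte count.
 * Returns false if start, length or end cannot be represented.
 */
static bool sectors_to_range(uint64_t sector, uint32_t num_sectors,
                             int64_t *offset, int *bytes)
{
    const uint64_t max_sector = (uint64_t)INT64_MAX >> SECTOR_BITS;

    if (num_sectors > (uint32_t)INT_MAX >> SECTOR_BITS) {
        return false; /* byte count would not fit in int */
    }
    if (sector > max_sector || num_sectors > max_sector - sector) {
        return false; /* start or end offset would not fit in int64_t */
    }
    *offset = (int64_t)(sector << SECTOR_BITS);
    *bytes = (int)(num_sectors << SECTOR_BITS);
    return true;
}

int main(void)
{
    uint32_t n = 0x00800000u; /* constructed: 2^23 sectors = 4 GiB */
    int64_t off;
    int len;

    printf("32-bit shift: %llu\n", (unsigned long long)bytes_shift32(n));
    printf("64-bit shift: %llu\n", (unsigned long long)bytes_shift64(n));
    printf("checked:      %s\n",
           sectors_to_range(0, n, &off, &len) ? "accepted" : "rejected");
    return 0;
}
```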


