From: Eric Blake
Date: Thu, 18 Apr 2013 13:11:23 -0600
Message-ID: <5170455B.4050703@redhat.com>
In-Reply-To: <20130418130552.2d319e91@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] virtio-balloon: fix integer overflow in BALLOON_CHANGE QMP event
To: Luiz Capitulino
Cc: mkletzan@redhat.com, qemu-devel

On 04/18/2013 11:05 AM, Luiz Capitulino wrote:
> Because dev->actual is uint32_t, the expression 'dev->actual <<
> VIRTIO_BALLOON_PFN_SHIFT' is truncated to 32 bits. This overflows when
> dev->actual >= 1048576.
>
> To reproduce:
>
> 1. Start a VM with a QMP socket and 5G of RAM
> 2. Connect to the QMP socket, negotiate capabilities and issue:
>
>    { "execute":"balloon", "arguments": { "value": 1073741824 } }
>
> 3. Watch the BALLOON_CHANGE QMP event, the last one will incorrectly be:
>
>    { "timestamp": { "seconds": 1366228965, "microseconds": 245466 },
>      "event": "BALLOON_CHANGE", "data": { "actual": 5368709120 } }
>
> To fix it this commit casts it to ram_addr_t, which is ram_size's type.
>
> Signed-off-by: Luiz Capitulino
> ---
>  hw/virtio/virtio-balloon.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Eric Blake

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
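As an added illustration of the truncation described in the quoted report (example code written for this message, not QEMU's own code or the patch itself): it assumes VIRTIO_BALLOON_PFN_SHIFT is 12, the 4 KiB balloon page of the virtio spec, and that ram_addr_t is a 64-bit type as on a 64-bit host. The two functions compute the "actual" value the BALLOON_CHANGE event reports, once with the shift done in 32 bits and once with the cast applied before the shift.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions of this example: 4 KiB balloon pages and a 64-bit ram_addr_t. */
#define VIRTIO_BALLOON_PFN_SHIFT 12
typedef uint64_t ram_addr_t;

/* Mirrors the defect: dev->actual is uint32_t, so 'actual << 12' is evaluated
 * in 32-bit unsigned arithmetic and wraps modulo 2^32 before the result is
 * widened to ram_addr_t. For actual >= 1048576 (2^20) the byte count is lost. */
static ram_addr_t balloon_actual_buggy(ram_addr_t ram_size, uint32_t actual)
{
    return ram_size - (actual << VIRTIO_BALLOON_PFN_SHIFT);
}

/* The fix the patch describes: widen to ram_addr_t first, then shift. */
static ram_addr_t balloon_actual_fixed(ram_addr_t ram_size, uint32_t actual)
{
    return ram_size - ((ram_addr_t)actual << VIRTIO_BALLOON_PFN_SHIFT);
}

int main(void)
{
    const ram_addr_t ram_size = 5ULL << 30;  /* 5G guest, as in the report */
    const uint32_t actual = 1048576;         /* 4G given back = 2^20 pages   */

    /* Balloon target 1G on a 5G guest: the buggy form reports the full 5G
     * (5368709120) because the 32-bit shift wrapped to 0; the fixed form
     * reports 1073741824, the value the QMP client actually requested. */
    printf("buggy: %" PRIu64 "\n", balloon_actual_buggy(ram_size, actual));
    printf("fixed: %" PRIu64 "\n", balloon_actual_fixed(ram_size, actual));
    return 0;
}
```

Below 1048576 pages both forms agree, which is why the bug only shows on guests that return 4G or more through the balloon.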