From: Eric Blake
Date: Mon, 15 Sep 2014 13:16:01 -0600
Message-ID: <54173AF1.7010301@redhat.com>
In-Reply-To: <20140915140934.17c1bfea@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] virtio-balloon: fix buffer overflow in memory stats feature
To: Luiz Capitulino, qemu-devel
Cc: qemu-stable@nongnu.org

On 09/15/2014 12:09 PM, Luiz Capitulino wrote:
> When a QMP client changes the polling interval time by setting
> the guest-stats-polling-interval property, the interval value
> is stored and manipuled as an int64_t variable.
>

s/manipuled/manipulated/

> However, the balloon_stats_change_timer() function, which is
> used to set the actual timer with the interval value, takes
> an int instead, causing an overflow for big interval values.
>
> Fix it.
>
> Signed-off-by: Luiz Capitulino
> ---
>  hw/virtio/virtio-balloon.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
> index 2c30b3d..9629264 100644
> --- a/hw/virtio/virtio-balloon.c
> +++ b/hw/virtio/virtio-balloon.c
> @@ -87,7 +87,7 @@ static void balloon_stats_destroy_timer(VirtIOBalloon *s)
>      }
>  }
>
> -static void balloon_stats_change_timer(VirtIOBalloon *s, int secs)
> +static void balloon_stats_change_timer(VirtIOBalloon *s, int64_t secs)
>  {
>      timer_mod(s->stats_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + secs * 1000);

secs * 1000 can still overflow for (really large) values, do we care
about that?

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
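Review bot: widening `secs` to int64_t only removes the truncation at the call boundary; the `timer_mod(s->stats_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + secs * 1000);` line that closes this hunk still computes `secs * 1000` and then the addition in signed 64-bit arithmetic, and nothing in the hunk bounds `secs`, so a guest-stats-polling-interval above INT64_MAX / 1000 (or one that pushes the sum past INT64_MAX) is signed overflow, undefined behaviour in C that in practice wraps to a negative or far-past deadline. Since the value comes from a QMP client rather than from guest memory, the cleaner fix is to validate it where the property is set, rejecting or clamping anything above INT64_MAX / 1000 (or a far smaller practical maximum) so that balloon_stats_change_timer() never multiplies out of range; failing that, guard here, e.g. `if (secs > INT64_MAX / 1000) { secs = INT64_MAX / 1000; }` before the timer_mod() call, and say in the commit message that the parameter change alone does not close the arithmetic overflow.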