From: Paolo Bonzini <pbonzini@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>,
BALATON Zoltan <balaton@eik.bme.hu>
Cc: qemu-devel@nongnu.org, qemu-ppc@nongnu.org, rjones@redhat.com,
mst@redhat.com
Subject: Re: [Qemu-devel] [Qemu-ppc] [PATCH v2 2/2] i6300esb: Fix signed integer overflow
Date: Tue, 24 Mar 2015 08:48:37 +0100 [thread overview]
Message-ID: <551116D5.8070006@redhat.com> (raw)
In-Reply-To: <20150324002217.GU25043@voom.fritz.box>
On 24/03/2015 01:22, David Gibson wrote:
> On Mon, Mar 23, 2015 at 10:54:39AM +0100, BALATON Zoltan wrote:
>> On Mon, 23 Mar 2015, David Gibson wrote:
>>> If the guest programs a sufficiently large timeout value an
>>> integer overflow can occur in i6300esb_restart_timer(). e.g.
>>> if the maximum possible timer preload value of 0xfffff is
>>> programmed then we end up with the calculation:
>>>
>>> timeout = get_ticks_per_sec() * (0xfffff << 15) / 33000000;
>>>
>>> get_ticks_per_sec() returns 1000000000 (10^9) giving:
>>>
>>> 10^9 * (0xfffff * 2^15) == 0x1dcd632329b000000 (65 bits)
>>>
>>> Obviously the division by 33MHz brings it back under 64-bits,
>>> but the overflow has already occurred.
>>>
>>> Since signed integer overflow has undefined behaviour in C, in
>>> theory this could be arbitrarily bad. In practice, the
>>> overflowed value wraps around to something negative, causing
>>> the watchdog to immediately expire, killing the guest, which is
>>> still fairly bad.
>>>
>>> The bug can be triggered by running a Linux guest, loading the
>>> i6300esb driver with parameter "heartbeat=2046" and opening
>>> /dev/watchdog. The watchdog will trigger as soon as the device
>>> is opened.
>>>
>>> This patch corrects the problem by using muldiv64(), which
>>> effectively allows a 128-bit intermediate value between the
>>> multiplication and division.
>>>
>>> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> ---
>>> hw/watchdog/wdt_i6300esb.c | 10 ++++++++-- 1 file changed, 8
>>> insertions(+), 2 deletions(-)
>>>
>>> diff --git a/hw/watchdog/wdt_i6300esb.c
>>> b/hw/watchdog/wdt_i6300esb.c index e694fa9..c7316f5 100644 ---
>>> a/hw/watchdog/wdt_i6300esb.c +++ b/hw/watchdog/wdt_i6300esb.c
>>> @@ -125,8 +125,14 @@ static void
>>> i6300esb_restart_timer(I6300State *d, int stage) else timeout
>>> <<= 5;
>>>
>>> - /* Get the timeout in units of ticks_per_sec. */ -
>>> timeout = get_ticks_per_sec() * timeout / 33000000; + /* Get
>>> the timeout in units of ticks_per_sec. + * + *
>>> ticks_per_sec is typically 10^9 == 0x3B9ACA00 (30 bits), with +
>>> * 20 bits of user supplied preload, and 15 bits of scale, the +
>>> * multiply here can exceed 64-bits, before we divide by 33MHz,
>>> so + * we use a 128-bit temporary + */
>>
>> Is the comment still correct saying "we use a 128-bit temporary"
>> when the code does not do that explicitely any more?
>
> Bother. I fixed the commit message, but not this comment. It's
> still kind of correct, in that muldiv64 does effectively have a
> 128-bit temporary internally.
Yes, that's how I interpreted it. Though strictly speaking it's
96-bit. I'll change it to "higher-precision intermediate value".
Paolo
next prev parent reply other threads:[~2015-03-24 7:48 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-23 1:51 [Qemu-devel] [PATCH v2 0/2] Fix bugs in i6300esb watchdog timer David Gibson
2015-03-23 1:51 ` [Qemu-devel] [PATCH v2 1/2] i6300esb: Correct endiannness David Gibson
2015-03-23 9:01 ` Richard W.M. Jones
2015-03-23 1:51 ` [Qemu-devel] [PATCH v2 2/2] i6300esb: Fix signed integer overflow David Gibson
2015-03-23 9:00 ` Richard W.M. Jones
2015-03-23 9:54 ` [Qemu-devel] [Qemu-ppc] " BALATON Zoltan
2015-03-24 0:22 ` David Gibson
2015-03-24 7:48 ` Paolo Bonzini [this message]
2015-03-23 8:12 ` [Qemu-devel] [PATCH v2 0/2] Fix bugs in i6300esb watchdog timer Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=551116D5.8070006@redhat.com \
--to=pbonzini@redhat.com \
--cc=balaton@eik.bme.hu \
--cc=david@gibson.dropbear.id.au \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=rjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).