From: Max Reitz <mreitz@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>, qemu-devel@nongnu.org
Cc: patches@linaro.org, Stefan Hajnoczi <stefanha@redhat.com>,
"Denis V. Lunev" <den@openvz.org>, Kevin Wolf <kwolf@redhat.com>,
qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] block/parallels.c: avoid integer overflow in allocate_clusters()
Date: Fri, 31 Mar 2017 15:47:39 +0200 [thread overview]
Message-ID: <9e359c38-a2aa-64e8-6c7c-0b793d2f2bb4@redhat.com> (raw)
In-Reply-To: <1490965980-513-1-git-send-email-peter.maydell@linaro.org>
[-- Attachment #1: Type: text/plain, Size: 1947 bytes --]
On 31.03.2017 15:13, Peter Maydell wrote:
> Coverity (CID 1307776) points out that in the multiply:
> space = to_allocate * s->tracks;
> we are trying to calculate a 64 bit result but the types
> of to_allocate and s->tracks mean that we actually calculate
> a 32 bit result. Add an explicit cast to force a 64 bit
> multiply.
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> NB: compile-and-make-check tested only...
> ---
> block/parallels.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/block/parallels.c b/block/parallels.c
> index 4173b3f..3886c30 100644
> --- a/block/parallels.c
> +++ b/block/parallels.c
> @@ -206,7 +206,7 @@ static int64_t allocate_clusters(BlockDriverState *bs, int64_t sector_num,
> }
>
> to_allocate = DIV_ROUND_UP(sector_num + *pnum, s->tracks) - idx;
> - space = to_allocate * s->tracks;
> + space = (int64_t)to_allocate * s->tracks;
> if (s->data_end + space > bdrv_getlength(bs->file->bs) >> BDRV_SECTOR_BITS) {
> int ret;
> space += s->prealloc_size;
I think the division is technically fine because to_allocate will
roughly be *pnum / s->tracks (and since *pnum is an int, the
multiplication cannot overflow).
However, it's still good to fix this, but I would do it differently:
Make idx, to_allocate, and i all uint64_t or int64_t instead of
uint32_t. This would also prevent accidental overflow when storing the
result of the division in:
idx = sector_num / s->tracks;
if (idx >= s->bat_size) {
[...]
The much greater problem to me appears to be that we don't check that
idx + to_allocate <= s->bat_size. I'm not sure whether there can be a
buffer overflow in the for loop below, but I'm not sure I really want to
know either... I think the block_status() call limits *pnum so that
there will not be an overflow, but then we should at least assert this.
Max
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 512 bytes --]
next prev parent reply other threads:[~2017-03-31 13:47 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-31 13:13 [Qemu-devel] [PATCH] block/parallels.c: avoid integer overflow in allocate_clusters() Peter Maydell
2017-03-31 13:27 ` Philippe Mathieu-Daudé
2017-03-31 13:28 ` Peter Maydell
2017-03-31 13:40 ` Eduardo Habkost
2017-03-31 16:18 ` Stefan Hajnoczi
2017-03-31 17:10 ` Eduardo Habkost
2017-03-31 13:47 ` Max Reitz [this message]
2017-03-31 14:54 ` Denis V. Lunev
2017-03-31 14:56 ` Max Reitz
2017-03-31 15:00 ` Denis V. Lunev
2017-03-31 16:20 ` Stefan Hajnoczi
2017-03-31 16:41 ` Max Reitz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9e359c38-a2aa-64e8-6c7c-0b793d2f2bb4@redhat.com \
--to=mreitz@redhat.com \
--cc=den@openvz.org \
--cc=kwolf@redhat.com \
--cc=patches@linaro.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).