qemu-stable

Re: [Qemu-stable] [PATCH] iscsi: Avoid potential for get_status overflow


From: Paolo Bonzini
Subject: Re: [Qemu-stable] [PATCH] iscsi: Avoid potential for get_status overflow
Date: Thu, 10 May 2018 15:28:58 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0

On 08/05/2018 23:27, Eric Blake wrote:
> Detected by Coverity: Multiplying two 32-bit int and assigning
> the result to a 64-bit number is a risk of overflow.  Prior to
> the conversion to byte-based interfaces, the block layer took
> care of ensuring that a status request never exceeded 2G in
> the driver; but after that conversion, the block layer expects
> drivers to deal with any size request (the driver can always
> truncate the request size back down, as long as it makes
> progress).  So, in the off-chance that someone makes a large
> request, we are at the mercy of whether iscsi_get_lba_status_task()
> will cap things to at most INT_MAX / iscsilun->block_size when
> it populates lbasd->num_blocks; since I could not easily audit
> that, it's better to be safe than sorry by just forcing a 64-bit
> multiply.
> 
> Fixes: 92809c36
> CC: address@hidden
> Signed-off-by: Eric Blake <address@hidden>
> ---
>  block/iscsi.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/block/iscsi.c b/block/iscsi.c
> index 35423ded03b..a6311b9a320 100644
> --- a/block/iscsi.c
> +++ b/block/iscsi.c
> @@ -732,7 +732,7 @@ retry:
>          goto out_unlock;
>      }
> 
> -    *pnum = lbasd->num_blocks * iscsilun->block_size;
> +    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
> 
>      if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
>          lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
> 
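Review bot: On the `+` line the fix depends on the cast applying to `lbasd->num_blocks` alone, so that the multiply itself is carried out in 64 bits; nothing in the code says so. A short comment above the assignment (for example "widen before multiplying, num_blocks * block_size can exceed 32 bits") would keep a later cleanup from rewriting it as a cast of the whole product, which would bring back the 32-bit multiply Coverity flagged. The commit message also leaves open whether `iscsi_get_lba_status_task()` caps `num_blocks`, and this hunk does not bound `*pnum` after the multiply, so it is worth confirming that the caller tolerates a value larger than the range it asked about.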

Queued, thanks.

Paolo


