From nobody Wed Dec 17 21:50:19 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1486864515495471.57548968649246; Sat, 11 Feb 2017 17:55:15 -0800 (PST) Received: from localhost ([::1]:50313 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ccjNi-0005R5-8w for importer@patchew.org; Sat, 11 Feb 2017 20:55:14 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:47504) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ccj8d-0007gh-Qa for qemu-devel@nongnu.org; Sat, 11 Feb 2017 20:39:41 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ccj8c-0007Uo-FC for qemu-devel@nongnu.org; Sat, 11 Feb 2017 20:39:39 -0500 Received: from mx1.redhat.com ([209.132.183.28]:57042) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ccj8Z-0007U2-Aa; Sat, 11 Feb 2017 20:39:35 -0500 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6C3EF61B8C; Sun, 12 Feb 2017 01:39:35 +0000 (UTC) Received: from localhost (ovpn-204-18.brq.redhat.com [10.40.204.18]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1C1dX4t022973 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 11 Feb 2017 20:39:34 -0500 From: Max Reitz To: qemu-block@nongnu.org Date: Sun, 12 Feb 2017 02:39:27 +0100 Message-Id: <20170212013929.6793-2-mreitz@redhat.com> In-Reply-To: <20170212013440.5919-1-mreitz@redhat.com> References: <20170212013440.5919-1-mreitz@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Sun, 12 Feb 2017 01:39:35 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 19/21] qemu-io: don't allow I/O operations larger than BDRV_REQUEST_MAX_BYTES X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , qemu-devel@nongnu.org, Max Reitz Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Alberto Garcia Passing a request size larger than BDRV_REQUEST_MAX_BYTES to any of the I/O commands results in an error. While 'read' and 'write' handle the error correctly, 'aio_read' and 'aio_write' hit an assertion: blk_aio_read_entry: Assertion `rwco->qiov->size =3D=3D acb->bytes' failed. The reason is that the QEMU I/O code cannot handle request sizes larger than BDRV_REQUEST_MAX_BYTES, so this patch makes qemu-io check that all values are within range. Signed-off-by: Alberto Garcia Message-id: 79f66648c685929a144396bda24d13a207131dcf.1485878688.git.berto@i= galia.com [mreitz: Use BDRV_REQUEST_MAX_BYTES instead of INT_MAX] Signed-off-by: Max Reitz --- qemu-io-cmds.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c index 95bcde1d88..e415b03cd0 100644 --- a/qemu-io-cmds.c +++ b/qemu-io-cmds.c @@ -388,9 +388,15 @@ create_iovec(BlockBackend *blk, QEMUIOVector *qiov, ch= ar **argv, int nr_iov, goto fail; } =20 - if (len > SIZE_MAX) { - printf("Argument '%s' exceeds maximum size %llu\n", arg, - (unsigned long long)SIZE_MAX); + if (len > BDRV_REQUEST_MAX_BYTES) { + printf("Argument '%s' exceeds maximum size %" PRIu64 "\n", arg, + (uint64_t)BDRV_REQUEST_MAX_BYTES); + goto fail; + } + + if (count > BDRV_REQUEST_MAX_BYTES - len) { + printf("The total number of bytes exceed the maximum size %" P= RIu64 + "\n", (uint64_t)BDRV_REQUEST_MAX_BYTES); goto fail; } =20 @@ -682,9 +688,9 @@ static int read_f(BlockBackend *blk, int argc, char **a= rgv) if (count < 0) { print_cvtnum_err(count, argv[optind]); return 0; - } else if (count > SIZE_MAX) { + } else if (count > BDRV_REQUEST_MAX_BYTES) { printf("length cannot exceed %" PRIu64 ", given %s\n", - (uint64_t) SIZE_MAX, argv[optind]); + (uint64_t)BDRV_REQUEST_MAX_BYTES, argv[optind]); return 0; } =20 @@ -1004,9 +1010,9 @@ static int write_f(BlockBackend *blk, int argc, char = **argv) if (count < 0) { print_cvtnum_err(count, argv[optind]); return 0; - } else if (count > SIZE_MAX) { + } else if (count > BDRV_REQUEST_MAX_BYTES) { printf("length cannot exceed %" PRIu64 ", given %s\n", - (uint64_t) SIZE_MAX, argv[optind]); + (uint64_t)BDRV_REQUEST_MAX_BYTES, argv[optind]); return 0; } =20 --=20 2.11.0