From nobody Sun May 5 23:03:29 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1490979984852459.27852247336386; Fri, 31 Mar 2017 10:06:24 -0700 (PDT) Received: from localhost ([::1]:42065 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cu00F-0003Pl-Iv for importer@patchew.org; Fri, 31 Mar 2017 13:06:23 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:35365) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ctzzK-0002w4-Cg for qemu-devel@nongnu.org; Fri, 31 Mar 2017 13:05:27 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ctzzJ-00042F-7Q for qemu-devel@nongnu.org; Fri, 31 Mar 2017 13:05:26 -0400 Received: from mx1.redhat.com ([209.132.183.28]:60242) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ctzzD-00040C-SZ; Fri, 31 Mar 2017 13:05:19 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id D3D84C065119; Fri, 31 Mar 2017 17:05:18 +0000 (UTC) Received: from localhost (unknown [10.40.205.84]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 1709B84947; Fri, 31 Mar 2017 17:05:15 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com D3D84C065119 Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=mreitz@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com D3D84C065119 From: Max Reitz To: qemu-block@nongnu.org Date: Fri, 31 Mar 2017 19:05:12 +0200 Message-Id: <20170331170512.10381-1-mreitz@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Fri, 31 Mar 2017 17:05:19 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH for-2.9] block/parallels: Avoid overflows X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , Peter Maydell , qemu-devel@nongnu.org, Max Reitz , Stefan Hajnoczi , "Denis V . Lunev" Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Change the types of variables in allocate_clusters() to int64_t so we do not have to worry about potential overflows. Add an assertion that our accesses to s->bat[] do not result in a buffer overflow and that the implicit conversion performed when invoking bat_entry_off() does not result in an integer overflow. Coverity-id: 1307776 Signed-off-by: Max Reitz Reviewed-by: Eric Blake Reviewed-by: Philippe Mathieu-Daud=C3=A9 --- This supercedes Peter's patch "block/parallels.c: avoid integer overflow in allocate_clusters()". --- block/parallels.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/block/parallels.c b/block/parallels.c index 4173b3fb9d..90acf79687 100644 --- a/block/parallels.c +++ b/block/parallels.c @@ -192,8 +192,7 @@ static int64_t allocate_clusters(BlockDriverState *bs, = int64_t sector_num, int nb_sectors, int *pnum) { BDRVParallelsState *s =3D bs->opaque; - uint32_t idx, to_allocate, i; - int64_t pos, space; + int64_t pos, space, idx, to_allocate, i; =20 pos =3D block_status(s, sector_num, nb_sectors, pnum); if (pos > 0) { @@ -201,11 +200,19 @@ static int64_t allocate_clusters(BlockDriverState *bs= , int64_t sector_num, } =20 idx =3D sector_num / s->tracks; - if (idx >=3D s->bat_size) { - return -EINVAL; - } - to_allocate =3D DIV_ROUND_UP(sector_num + *pnum, s->tracks) - idx; + + /* This function is called only by parallels_co_writev(), which will n= ever + * pass a sector_num at or beyond the end of the image (because the bl= ock + * layer never passes such a sector_num to that function). Therefore, = idx + * is always below s->bat_size. + * block_status() will limit *pnum so that sector_num + *pnum will not + * exceed the image end. Therefore, idx + to_allocate cannot exceed + * s->bat_size. + * Note that s->bat_size is an unsigned int, therefore idx + to_alloca= te + * will always fit into a uint32_t. */ + assert(idx < s->bat_size && idx + to_allocate <=3D s->bat_size); + space =3D to_allocate * s->tracks; if (s->data_end + space > bdrv_getlength(bs->file->bs) >> BDRV_SECTOR_= BITS) { int ret; --=20 2.12.1