From: Paolo Bonzini
To: qemu-devel@nongnu.org
Cc: Mark Cave-Ayland
Subject: [PULL 1/5] scsi-disk: fix overflow when block size is not a multiple of BDRV_SECTOR_SIZE
Date: Mon, 8 Aug 2022 14:57:02 +0200
Message-Id: <20220808125706.60511-2-pbonzini@redhat.com>
In-Reply-To: <20220808125706.60511-1-pbonzini@redhat.com>
References: <20220808125706.60511-1-pbonzini@redhat.com>
From: Mark Cave-Ayland

In scsi_disk_emulate_write_same() the number of host sectors to transfer is
calculated as (s->qdev.blocksize / BDRV_SECTOR_SIZE) which is then used to
copy data in block size chunks to the iov buffer.

Since the loop copying the data to the iov buffer uses a fixed increment of
s->qdev.blocksize then using a block size that isn't a multiple of
BDRV_SECTOR_SIZE introduces a rounding error in the iov buffer size calculation
such that the iov buffer copy overflows the space allocated.

Update the iov buffer copy for() loop so that it will use the smallest of either
the current block size or the remaining transfer count to prevent the overflow.

Signed-off-by: Mark Cave-Ayland
Message-Id: <20220730122656.253448-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini
---
 hw/scsi/scsi-disk.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index f5cdb9ad4b..3027ac3b1e 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -1849,7 +1849,7 @@ static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
     uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
     WriteSameCBData *data;
     uint8_t *buf;
-    int i;
+    int i, l;
 
     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1. */
     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
@@ -1891,8 +1891,9 @@ static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
                           data->iov.iov_len);
     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
 
-    for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
-        memcpy(&buf[i], inbuf, s->qdev.blocksize);
+    for (i = 0; i < data->iov.iov_len; i += l) {
+        l = MIN(s->qdev.blocksize, data->iov.iov_len - i);
+        memcpy(&buf[i], inbuf, l);
     }
 
     scsi_req_ref(&r->req);
-- 
2.37.1
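Review bot: in the first hunk (@@ -1849) `l` is declared `int`, but the second hunk assigns it `MIN(s->qdev.blocksize, data->iov.iov_len - i)`, where `iov_len` is a `size_t`, so the MIN result is unsigned and gets narrowed on assignment; the pre-existing `i < data->iov.iov_len` comparison mixes signed and unsigned the same way. Declaring both as `size_t i, l;` would give the loop index, chunk length and buffer length one type and avoid sign-compare warnings. The values are bounded by the iov length, so this is a style and warning-hygiene point, not a second bug.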
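Review bot: the clamped copy in the second hunk (@@ -1891) means the final iteration copies a partial block whenever `data->iov.iov_len` is not a multiple of `s->qdev.blocksize`, which is the exact case the commit message describes; a one-line comment above the loop, e.g. `/* iov_len is sized in host sectors; the last copy may be a partial block. */`, would stop a later reader from mistaking the `MIN()` for a second rounding error. The fix itself is sound: with `l <= data->iov.iov_len - i`, `memcpy(&buf[i], inbuf, l)` can no longer write past the end of `buf`.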
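To make the rounding error concrete, here is an added example that is not QEMU's code or the patch author's: a stand-alone model of the fill loop before and after the change. `iov_len_for`, `prepatch_overflow_bytes`, `fill_write_same` and `patched_fill_is_correct` are this example's own names, `BDRV_SECTOR_SIZE` and `MIN` are redefined locally, the `SCSI_WRITE_SAME_MAX` cap of the real function is left out, and the 520-byte (512 + 8 byte DIF) block sample is constructed. With four 520-byte logical blocks the buffer is sized as four 512-byte host sectors, 2048 bytes, while the original loop copies four whole 520-byte chunks, so its last `memcpy` runs 32 bytes past the allocation; the clamped loop stops exactly at the end.

```c
/*
 * Added example, not QEMU's code: a stand-alone model of the WRITE SAME
 * fill loop in scsi_disk_emulate_write_same() before and after the patch.
 * BDRV_SECTOR_SIZE, MIN and the 520-byte sample block are this example's
 * own definitions; the SCSI_WRITE_SAME_MAX cap of the real code is left out.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BDRV_SECTOR_SIZE 512u
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* iov buffer size as the function derives it: the logical block count is
 * scaled to host sectors by the integer quotient blocksize / 512, so a
 * 520-byte block counts as exactly one 512-byte host sector. */
static size_t iov_len_for(uint32_t nb_logical_blocks, uint32_t blocksize)
{
    uint32_t host_sectors = nb_logical_blocks * (blocksize / BDRV_SECTOR_SIZE);
    return (size_t)host_sectors * BDRV_SECTOR_SIZE;
}

/* Bookkeeping of the pre-patch loop, which advanced by a whole block each
 * time: returns how many bytes the last memcpy would land past the end of
 * the buffer. Nothing is written, so it is safe for any input. */
static size_t prepatch_overflow_bytes(size_t iov_len, uint32_t blocksize)
{
    size_t i, end = 0;
    for (i = 0; i < iov_len; i += blocksize) {
        end = i + blocksize;   /* memcpy(&buf[i], inbuf, blocksize) */
    }
    return end > iov_len ? end - iov_len : 0;
}

/* The patched loop: the chunk is clamped to the space left in buf.
 * Returns the number of bytes written, which is always iov_len. */
static size_t fill_write_same(uint8_t *buf, size_t iov_len,
                              const uint8_t *inbuf, uint32_t blocksize)
{
    size_t i, l = 0;
    for (i = 0; i < iov_len; i += l) {
        l = MIN((size_t)blocksize, iov_len - i);
        memcpy(&buf[i], inbuf, l);
    }
    return i;
}

/* Run the patched loop for one WRITE SAME request and verify that buf
 * holds the block pattern repeated and truncated at the buffer end.
 * Returns 1 on success, 0 on any mismatch or allocation failure. */
static int patched_fill_is_correct(uint32_t nb_logical_blocks, uint32_t blocksize)
{
    size_t iov_len = iov_len_for(nb_logical_blocks, blocksize);
    uint8_t *inbuf = malloc(blocksize);
    uint8_t *buf = malloc(iov_len);
    int ok = inbuf != NULL && buf != NULL;

    for (uint32_t k = 0; ok && k < blocksize; k++) {
        inbuf[k] = (uint8_t)(k * 7);   /* constructed sample block content */
    }
    ok = ok && fill_write_same(buf, iov_len, inbuf, blocksize) == iov_len;
    for (size_t i = 0; ok && i < iov_len; i++) {
        ok = buf[i] == inbuf[i % blocksize];
    }
    free(buf);
    free(inbuf);
    return ok;
}

int main(void)
{
    /* Constructed sample: 512 + 8 byte DIF blocks, 4 logical blocks. */
    uint32_t blocksize = 520, nb_blocks = 4;
    size_t iov_len = iov_len_for(nb_blocks, blocksize);

    printf("blocksize=%u nb_blocks=%u iov_len=%zu\n", blocksize, nb_blocks, iov_len);
    printf("pre-patch loop overruns buf by %zu bytes\n",
           prepatch_overflow_bytes(iov_len, blocksize));
    printf("patched loop fills buf correctly: %d\n",
           patched_fill_is_correct(nb_blocks, blocksize));
    return 0;
}
```

`prepatch_overflow_bytes` only reproduces the old loop's arithmetic rather than performing the out-of-bounds `memcpy`, so it can be run for any block size; a 4096-byte block gives an overrun of 0 because the host-sector scaling is exact, while a 4160-byte block on two logical blocks gives 128.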