hw/block: fix uint32 overflow

[PATCH] hw/block: fix uint32 overflow

Dmitry Frolov posted 1 patch 1 year, 2 months ago

Download mbox

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20240917080356.270576-2-frolov@swemel.ru

Maintainers: Stefan Hajnoczi <stefanha@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, Kevin Wolf <kwolf@redhat.com>, Hanna Reitz <hreitz@redhat.com>

hw/block/virtio-blk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Expand all Fold all

[PATCH] hw/block: fix uint32 overflow

Posted by Dmitry Frolov 1 year, 2 months ago

The product bs->bl.zone_size * (bs->bl.nr_zones - 1) may overflow
uint32.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
---
 hw/block/virtio-blk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 73bdfd6122..115795392c 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -700,7 +700,7 @@ static int virtio_blk_handle_zone_mgmt(VirtIOBlockReq *req, BlockZoneOp op)
     } else {
         if (bs->bl.zone_size > capacity - offset) {
             /* The zoned device allows the last smaller zone. */
-            len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1);
+            len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1ull);
         } else {
             len = bs->bl.zone_size;
         }
-- 
2.43.0

Re: [PATCH] hw/block: fix uint32 overflow

Posted by Stefan Hajnoczi 1 year, 2 months ago

On Tue, Sep 17, 2024 at 11:03:18AM +0300, Dmitry Frolov wrote:
> The product bs->bl.zone_size * (bs->bl.nr_zones - 1) may overflow
> uint32.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
> ---
>  hw/block/virtio-blk.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Thanks, applied to my block tree:
https://gitlab.com/stefanha/qemu/commits/block

Stefan