migration/multifd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
stat64_add() takes uint64_t as 2nd argument, but both
"p->next_packet_size" and "p->packet_len" are uint32_t.
Thus, theyr sum may overflow uint32_t.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
---
migration/multifd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/migration/multifd.c b/migration/multifd.c
index 4374e14a96..498e71fd10 100644
--- a/migration/multifd.c
+++ b/migration/multifd.c
@@ -623,7 +623,7 @@ static void *multifd_send_thread(void *opaque)
}
stat64_add(&mig_stats.multifd_bytes,
- p->next_packet_size + p->packet_len);
+ (uint64_t)p->next_packet_size + p->packet_len);
p->next_packet_size = 0;
multifd_set_payload_type(p->data, MULTIFD_PAYLOAD_NONE);
--
2.43.0On Wed, Nov 13, 2024 at 05:05:01PM +0300, Dmitry Frolov wrote: > stat64_add() takes uint64_t as 2nd argument, but both > "p->next_packet_size" and "p->packet_len" are uint32_t. > Thus, theyr sum may overflow uint32_t. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Signed-off-by: Dmitry Frolov <frolov@swemel.ru> > --- > migration/multifd.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/migration/multifd.c b/migration/multifd.c > index 4374e14a96..498e71fd10 100644 > --- a/migration/multifd.c > +++ b/migration/multifd.c > @@ -623,7 +623,7 @@ static void *multifd_send_thread(void *opaque) > } > > stat64_add(&mig_stats.multifd_bytes, > - p->next_packet_size + p->packet_len); > + (uint64_t)p->next_packet_size + p->packet_len); IIUC this will never overflow due to the hard limits on both variables.. but it turns out this is the only place anyway to have such concern, so no harm to have this if it helps quiesce some warnings indeed.. Queued, thanks. > > p->next_packet_size = 0; > multifd_set_payload_type(p->data, MULTIFD_PAYLOAD_NONE); > -- > 2.43.0 > > -- Peter Xu
© 2016 - 2024 Red Hat, Inc.