[SeaBIOS] [PATCH] virtio-blk: Fix integer overflow for large max IO sizes

Lukas Stockner via SeaBIOS posted 1 patch 1 year, 4 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/seabios tags/patchew/20230606132952.2820557-1-lstockner@genesiscloud.com
src/hw/virtio-blk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[SeaBIOS] [PATCH] virtio-blk: Fix integer overflow for large max IO sizes
Posted by Lukas Stockner via SeaBIOS 1 year, 4 months ago
When the maximum IO size supported by the virtio-blk backend is large
enough (>= 32MiB for 512B sectors), the computed blk_num_max will
overflow. In particular, if it's a multiple of 32MiB, blk_num_max
will end up as zero, causing IO requests to fail.

This is triggered by e.g. the SPDK virtio-blk vhost-user backend.

To fix it, just limit blk_num_max to 65535 before converting to u16.

Signed-off-by: Lukas Stockner <lstockner@genesiscloud.com>
---
 src/hw/virtio-blk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/hw/virtio-blk.c b/src/hw/virtio-blk.c
index e087fe4..137a2c3 100644
--- a/src/hw/virtio-blk.c
+++ b/src/hw/virtio-blk.c
@@ -92,7 +92,7 @@ virtio_blk_op(struct disk_op_s *op, int write)
     u16 blk_num_max;
 
     if (vdrive->drive.blksize != 0 && max_io_size != 0)
-        blk_num_max = (u16)(max_io_size / vdrive->drive.blksize);
+        blk_num_max = (u16) min(max_io_size / vdrive->drive.blksize, 0xffff);
     else
         /* default blk_num_max if hardware doesnot advise a proper value */
         blk_num_max = 64;
-- 
2.41.0

_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-leave@seabios.org
[SeaBIOS] Re: [PATCH] virtio-blk: Fix integer overflow for large max IO sizes
Posted by Kevin O'Connor 1 year, 3 months ago
On Tue, Jun 06, 2023 at 03:29:52PM +0200, Lukas Stockner via SeaBIOS wrote:
> When the maximum IO size supported by the virtio-blk backend is large
> enough (>= 32MiB for 512B sectors), the computed blk_num_max will
> overflow. In particular, if it's a multiple of 32MiB, blk_num_max
> will end up as zero, causing IO requests to fail.
> 
> This is triggered by e.g. the SPDK virtio-blk vhost-user backend.
> 
> To fix it, just limit blk_num_max to 65535 before converting to u16.

Thanks.  I committed this change.

-Kevin
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-leave@seabios.org