|
 |
d8ab4a |
From f8e55fd069eea72105e104534aa7560d8df03bf7 Mon Sep 17 00:00:00 2001
|
|
|
d8ab4a |
From: jmaloy <jmaloy@redhat.com>
|
|
|
d8ab4a |
Date: Wed, 29 Jan 2020 21:14:31 +0000
|
|
|
d8ab4a |
Subject: [PATCH 4/5] iscsi: Avoid potential for get_status overflow
|
|
|
d8ab4a |
MIME-Version: 1.0
|
|
|
d8ab4a |
Content-Type: text/plain; charset=UTF-8
|
|
|
d8ab4a |
Content-Transfer-Encoding: 8bit
|
|
|
d8ab4a |
|
|
|
d8ab4a |
RH-Author: jmaloy <jmaloy@redhat.com>
|
|
|
d8ab4a |
Message-id: <20200129211432.11592-2-jmaloy@redhat.com>
|
|
|
d8ab4a |
Patchwork-id: 93584
|
|
|
d8ab4a |
O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 1/2] iscsi: Avoid potential for get_status overflow
|
|
|
d8ab4a |
Bugzilla: 1794500
|
|
|
d8ab4a |
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
d8ab4a |
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
|
|
|
d8ab4a |
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
|
d8ab4a |
|
|
|
d8ab4a |
From: Eric Blake <eblake@redhat.com>
|
|
|
d8ab4a |
|
|
|
d8ab4a |
Detected by Coverity: Multiplying two 32-bit int and assigning
|
|
|
d8ab4a |
the result to a 64-bit number is a risk of overflow. Prior to
|
|
|
d8ab4a |
the conversion to byte-based interfaces, the block layer took
|
|
|
d8ab4a |
care of ensuring that a status request never exceeded 2G in
|
|
|
d8ab4a |
the driver; but after that conversion, the block layer expects
|
|
|
d8ab4a |
drivers to deal with any size request (the driver can always
|
|
|
d8ab4a |
truncate the request size back down, as long as it makes
|
|
|
d8ab4a |
progress). So, in the off-chance that someone makes a large
|
|
|
d8ab4a |
request, we are at the mercy of whether iscsi_get_lba_status_task()
|
|
|
d8ab4a |
will cap things to at most INT_MAX / iscsilun->block_size when
|
|
|
d8ab4a |
it populates lbasd->num_blocks; since I could not easily audit
|
|
|
d8ab4a |
that, it's better to be safe than sorry by just forcing a 64-bit
|
|
|
d8ab4a |
multiply.
|
|
|
d8ab4a |
|
|
|
d8ab4a |
Fixes: 92809c36
|
|
|
d8ab4a |
CC: qemu-stable@nongnu.org
|
|
|
d8ab4a |
Signed-off-by: Eric Blake <eblake@redhat.com>
|
|
|
d8ab4a |
Message-Id: <20180508212718.1482663-1-eblake@redhat.com>
|
|
|
d8ab4a |
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
|
|
|
d8ab4a |
(cherry picked from commit 8ee1cef4593a7bda076891470c0620e79333c0d0)
|
|
|
d8ab4a |
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
|
|
d8ab4a |
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
|
|
|
d8ab4a |
---
|
|
|
d8ab4a |
block/iscsi.c | 2 +-
|
|
|
d8ab4a |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
d8ab4a |
|
|
|
d8ab4a |
diff --git a/block/iscsi.c b/block/iscsi.c
|
|
|
d8ab4a |
index c412b12..336ce49 100644
|
|
|
d8ab4a |
--- a/block/iscsi.c
|
|
|
d8ab4a |
+++ b/block/iscsi.c
|
|
|
d8ab4a |
@@ -734,7 +734,7 @@ retry:
|
|
|
d8ab4a |
goto out_unlock;
|
|
|
d8ab4a |
}
|
|
|
d8ab4a |
|
|
|
d8ab4a |
- *pnum = lbasd->num_blocks * iscsilun->block_size;
|
|
|
d8ab4a |
+ *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
|
|
|
d8ab4a |
|
|
|
d8ab4a |
if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
|
|
|
d8ab4a |
lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
|
|
|
d8ab4a |
--
|
|
|
d8ab4a |
1.8.3.1
|
|
|
d8ab4a |
|