| From f8e55fd069eea72105e104534aa7560d8df03bf7 Mon Sep 17 00:00:00 2001 |
| From: jmaloy <jmaloy@redhat.com> |
| Date: Wed, 29 Jan 2020 21:14:31 +0000 |
| Subject: [PATCH 4/5] iscsi: Avoid potential for get_status overflow |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| RH-Author: jmaloy <jmaloy@redhat.com> |
| Message-id: <20200129211432.11592-2-jmaloy@redhat.com> |
| Patchwork-id: 93584 |
| O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 1/2] iscsi: Avoid potential for get_status overflow |
| Bugzilla: 1794500 |
| RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com> |
| RH-Acked-by: Kevin Wolf <kwolf@redhat.com> |
| RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com> |
| |
| From: Eric Blake <eblake@redhat.com> |
| |
| Detected by Coverity: Multiplying two 32-bit int and assigning |
| the result to a 64-bit number is a risk of overflow. Prior to |
| the conversion to byte-based interfaces, the block layer took |
| care of ensuring that a status request never exceeded 2G in |
| the driver; but after that conversion, the block layer expects |
| drivers to deal with any size request (the driver can always |
| truncate the request size back down, as long as it makes |
| progress). So, in the off-chance that someone makes a large |
| request, we are at the mercy of whether iscsi_get_lba_status_task() |
| will cap things to at most INT_MAX / iscsilun->block_size when |
| it populates lbasd->num_blocks; since I could not easily audit |
| that, it's better to be safe than sorry by just forcing a 64-bit |
| multiply. |
| |
| Fixes: 92809c36 |
| CC: qemu-stable@nongnu.org |
| Signed-off-by: Eric Blake <eblake@redhat.com> |
| Message-Id: <20180508212718.1482663-1-eblake@redhat.com> |
| Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> |
| (cherry picked from commit 8ee1cef4593a7bda076891470c0620e79333c0d0) |
| Signed-off-by: Jon Maloy <jmaloy@redhat.com> |
| Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com> |
| |
| block/iscsi.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/block/iscsi.c b/block/iscsi.c |
| index c412b12..336ce49 100644 |
| |
| |
| @@ -734,7 +734,7 @@ retry: |
| goto out_unlock; |
| } |
| |
| - *pnum = lbasd->num_blocks * iscsilun->block_size; |
| + *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size; |
| |
| if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED || |
| lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) { |
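Review bot: the new `*pnum` assignment depends on the `(int64_t)` cast binding to `lbasd->num_blocks` alone so that the multiply is carried out in 64 bits, but nothing on the line records that, and a later cleanup could drop the cast as redundant because the destination is already 64-bit. A one-line comment above the assignment stating that both operands are 32-bit and that the cast is there to widen the multiply would protect it. Separately, once the product is no longer limited to 32 bits, `*pnum` can exceed INT_MAX, and the context shown here does not clamp it to the size the caller asked for. Since the commit message relies on the driver being free to truncate the request, it is worth confirming that a cap on `*pnum` is applied further down in this function, or adding one next to this assignment.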
| -- |
| 1.8.3.1 |
| |