From 5d61b8b267cb1d529681fd88a4538c8eee408812 Mon Sep 17 00:00:00 2001
From: jmaloy <jmaloy@redhat.com>
Date: Wed, 29 Jan 2020 18:47:14 +0100
Subject: [PATCH 1/2] iscsi: Avoid potential for get_status overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: jmaloy <jmaloy@redhat.com>
Message-id: <20200129184715.18876-2-jmaloy@redhat.com>
Patchwork-id: 93577
O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 1/2] iscsi: Avoid potential for get_status overflow
Bugzilla: 1794499 1794505
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
From: Eric Blake <eblake@redhat.com>
Detected by Coverity: Multiplying two 32-bit int and assigning
the result to a 64-bit number is a risk of overflow. Prior to
the conversion to byte-based interfaces, the block layer took
care of ensuring that a status request never exceeded 2G in
the driver; but after that conversion, the block layer expects
drivers to deal with any size request (the driver can always
truncate the request size back down, as long as it makes
progress). So, in the off-chance that someone makes a large
request, we are at the mercy of whether iscsi_get_lba_status_task()
will cap things to at most INT_MAX / iscsilun->block_size when
it populates lbasd->num_blocks; since I could not easily audit
that, it's better to be safe than sorry by just forcing a 64-bit
multiply.
Fixes: 92809c36
CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20180508212718.1482663-1-eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
(cherry picked from commit 8ee1cef4593a7bda076891470c0620e79333c0d0)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
block/iscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/iscsi.c b/block/iscsi.c
index c412b12..336ce49 100644
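--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -734,7 +734,7 @@ retry:
 goto out_unlock;
 }
 
- *pnum = lbasd->num_blocks * iscsilun->block_size;
+ *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
 
 if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
 lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {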
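Review bot: The widened product stored in `*pnum` is still derived from `lbasd->num_blocks`, which the commit message says is filled in by iscsi_get_lba_status_task() with no audited cap (and is presumably reported by the iSCSI target), and nothing visible in this hunk bounds it against the length the caller asked about. The cast removes the 32-bit wrap, but it is worth confirming that the code after the hunk clamps `*pnum` to the request size before the value is used for anything else. I would also add a comment above the assignment so the cast is not later dropped as redundant, e.g. `/* num_blocks is reported by the target; widen before multiplying so the byte count cannot wrap */`. The enclosing function starts and ends outside the hunk, so such a clamp may already exist there.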
--
1.8.3.1