From 5d61b8b267cb1d529681fd88a4538c8eee408812 Mon Sep 17 00:00:00 2001
From: jmaloy
Date: Wed, 29 Jan 2020 18:47:14 +0100
Subject: [PATCH 1/2] iscsi: Avoid potential for get_status overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: jmaloy
Message-id: <20200129184715.18876-2-jmaloy@redhat.com>
Patchwork-id: 93577
O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 1/2] iscsi: Avoid potential for get_status overflow
Bugzilla: 1794499 1794505
RH-Acked-by: Kevin Wolf
RH-Acked-by: Eduardo Habkost
RH-Acked-by: Philippe Mathieu-Daudé

From: Eric Blake

Detected by Coverity: Multiplying two 32-bit int and assigning the result to a 64-bit number is a risk of overflow. Prior to the conversion to byte-based interfaces, the block layer took care of ensuring that a status request never exceeded 2G in the driver; but after that conversion, the block layer expects drivers to deal with any size request (the driver can always truncate the request size back down, as long as it makes progress). So, in the off-chance that someone makes a large request, we are at the mercy of whether iscsi_get_lba_status_task() will cap things to at most INT_MAX / iscsilun->block_size when it populates lbasd->num_blocks; since I could not easily audit that, it's better to be safe than sorry by just forcing a 64-bit multiply.

Fixes: 92809c36
CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake
Message-Id: <20180508212718.1482663-1-eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé
(cherry picked from commit 8ee1cef4593a7bda076891470c0620e79333c0d0)
Signed-off-by: Jon Maloy
Signed-off-by: Miroslav Rezanina
---
 block/iscsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index c412b12..336ce49 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -734,7 +734,7 @@ retry: goto out_unlock; } - *pnum = lbasd->num_blocks * iscsilun->block_size; + *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size; if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED || lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) { -- 1.8.3.1
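
Review bot: on the changed `*pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;` line, the fix works only because the cast binds to `lbasd->num_blocks` alone, which makes the multiply itself 64-bit; a one-line comment saying so would keep a later cleanup from rewriting it as a cast of the whole product, which would bring the 32-bit overflow back. The commit message also leaves open whether `num_blocks` is capped for large requests, and the hunk does not show `*pnum` being limited to the size the caller asked for, so it is worth confirming that a result above 2G is accepted by the caller, or clamping it here.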