|
 |
958e1b |
From 62ba92f33f1d727cff17f5d1b38fabfe0901f7ee Mon Sep 17 00:00:00 2001
|
|
|
958e1b |
From: Luiz Capitulino <lcapitulino@redhat.com>
|
|
|
958e1b |
Date: Tue, 30 Sep 2014 01:08:31 +0200
|
|
|
958e1b |
Subject: [PATCH 3/3] virtio-balloon: fix integer overflow in memory stats
|
|
|
958e1b |
feature
|
|
|
958e1b |
|
|
|
958e1b |
Message-id: <20140929210831.1cc65ebe@redhat.com>
|
|
|
958e1b |
Patchwork-id: 61504
|
|
|
958e1b |
O-Subject: [RHEL7.1 qemu-kvm PATCH] virtio-balloon: fix integer overflow in memory stats feature
|
|
|
958e1b |
Bugzilla: 1142290
|
|
|
958e1b |
RH-Acked-by: Amit Shah <amit.shah@redhat.com>
|
|
|
958e1b |
RH-Acked-by: Juan Quintela <quintela@redhat.com>
|
|
|
958e1b |
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
|
|
|
958e1b |
|
|
|
958e1b |
When a QMP client changes the polling interval time by setting
|
|
|
958e1b |
the guest-stats-polling-interval property, the interval value
|
|
|
958e1b |
is stored and manipulated as an int64_t variable.
|
|
|
958e1b |
|
|
|
958e1b |
However, the balloon_stats_change_timer() function, which is
|
|
|
958e1b |
used to set the actual timer with the interval value, takes
|
|
|
958e1b |
an int instead, causing an overflow for big interval values.
|
|
|
958e1b |
|
|
|
958e1b |
This commit fix this bug by changing balloon_stats_change_timer()
|
|
|
958e1b |
to take an int64_t and also it limits the polling interval value
|
|
|
958e1b |
to UINT_MAX to avoid other kinds of overflow.
|
|
|
958e1b |
|
|
|
958e1b |
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
|
958e1b |
Reviewed-by: Eric Blake <eblake@redhat.com>
|
|
|
958e1b |
Reviewed-by: Markus Armbruster <armbru@redhat.com>
|
|
|
958e1b |
(cherry picked from commit 1f9296b51a26650916a2c4191268bb64057bdc5f)
|
|
|
958e1b |
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
|
958e1b |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
958e1b |
---
|
|
|
958e1b |
hw/virtio/virtio-balloon.c | 7 ++++++-
|
|
|
958e1b |
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
958e1b |
|
|
|
958e1b |
diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
|
|
|
958e1b |
index 76c607f..016dc60 100644
|
|
|
958e1b |
--- a/hw/virtio/virtio-balloon.c
|
|
|
958e1b |
+++ b/hw/virtio/virtio-balloon.c
|
|
|
958e1b |
@@ -85,7 +85,7 @@ static void balloon_stats_destroy_timer(VirtIOBalloon *s)
|
|
|
958e1b |
}
|
|
|
958e1b |
}
|
|
|
958e1b |
|
|
|
958e1b |
-static void balloon_stats_change_timer(VirtIOBalloon *s, int secs)
|
|
|
958e1b |
+static void balloon_stats_change_timer(VirtIOBalloon *s, int64_t secs)
|
|
|
958e1b |
{
|
|
|
958e1b |
qemu_mod_timer(s->stats_timer, qemu_get_clock_ms(vm_clock) + secs * 1000);
|
|
|
958e1b |
}
|
|
|
958e1b |
@@ -154,6 +154,11 @@ static void balloon_stats_set_poll_interval(Object *obj, struct Visitor *v,
|
|
|
958e1b |
return;
|
|
|
958e1b |
}
|
|
|
958e1b |
|
|
|
958e1b |
+ if (value > UINT_MAX) {
|
|
|
958e1b |
+ error_setg(errp, "timer value is too big");
|
|
|
958e1b |
+ return;
|
|
|
958e1b |
+ }
|
|
|
958e1b |
+
|
|
|
958e1b |
if (value == s->stats_poll_interval) {
|
|
|
958e1b |
return;
|
|
|
958e1b |
}
|
|
|
958e1b |
--
|
|
|
958e1b |
1.8.3.1
|
|
|
958e1b |
|