From 242abde4b0152142787bd3200de5cc35863da59a Mon Sep 17 00:00:00 2001
From: jmaloy <jmaloy@redhat.com>
Date: Wed, 29 Jan 2020 21:41:14 +0000
Subject: [PATCH 1/6] iscsi: Avoid potential for get_status overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: jmaloy <jmaloy@redhat.com>
Message-id: <20200129214115.19979-2-jmaloy@redhat.com>
Patchwork-id: 93587
O-Subject: [RHEL-8.2.0 qemu-kvm PATCH 1/2] iscsi: Avoid potential for get_status overflow
Bugzilla: 1794501
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

From: Eric Blake <eblake@redhat.com>

Detected by Coverity: Multiplying two 32-bit int and assigning
the result to a 64-bit number is a risk of overflow.  Prior to
the conversion to byte-based interfaces, the block layer took
care of ensuring that a status request never exceeded 2G in
the driver; but after that conversion, the block layer expects
drivers to deal with any size request (the driver can always
truncate the request size back down, as long as it makes
progress).  So, in the off-chance that someone makes a large
request, we are at the mercy of whether iscsi_get_lba_status_task()
will cap things to at most INT_MAX / iscsilun->block_size when
it populates lbasd->num_blocks; since I could not easily audit
that, it's better to be safe than sorry by just forcing a 64-bit
multiply.

Fixes: 92809c36
CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20180508212718.1482663-1-eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
(cherry picked from commit 8ee1cef4593a7bda076891470c0620e79333c0d0)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
 block/iscsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index c412b12..336ce49 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -734,7 +734,7 @@ retry:
         goto out_unlock;
     }
 
-    *pnum = lbasd->num_blocks * iscsilun->block_size;
+    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
 
     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
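Review bot: the single cast on the left operand is enough to make the whole product 64-bit, because the usual arithmetic conversions promote `iscsilun->block_size` to `int64_t` before the multiply takes place; that subtlety is easy to misread as "only `num_blocks` is widened", so a one-line comment on the `*pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;` line (or casting both operands) would document the intent for later readers. Note also that the cast only removes the overflow; it does not bound `*pnum`, so as the commit message says, correctness still depends on `num_blocks` being capped by the caller that populates `lbasd`.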
-- 
1.8.3.1