[PULL,2/2] migration: fix-possible-int-overflow

Message ID	20241113201631.2920541-3-peterx@redhat.com (mailing list archive)
State	New
Headers	show Return-Path: <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org> From: Peter Xu <peterx@redhat.com> To: qemu-devel@nongnu.org Cc: Peter Maydell <peter.maydell@linaro.org>, peterx@redhat.com, Fabiano Rosas <farosas@suse.de>, Dmitry Frolov <frolov@swemel.ru> Subject: [PULL 2/2] migration: fix-possible-int-overflow Date: Wed, 13 Nov 2024 15:16:31 -0500 Message-ID: <20241113201631.2920541-3-peterx@redhat.com> In-Reply-To: <20241113201631.2920541-1-peterx@redhat.com> References: <20241113201631.2920541-1-peterx@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=170.10.129.124; envelope-from=peterx@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -29 X-Spam_score: -3.0 X-Spam_bar: --- X-Spam_report: (-3.0 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.119, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.738, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Series	[PULL,1/2] migration: Check current_migration in migration_is_running() \| expand [PULL,1/2] migration: Check current_migration in migration_is_running() [PULL,2/2] migration: fix-possible-int-overflow

Message ID

20241113201631.2920541-3-peterx@redhat.com (mailing list archive)

State

New

Headers

From: Peter Xu <peterx@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>, peterx@redhat.com,
 Fabiano Rosas <farosas@suse.de>, Dmitry Frolov <frolov@swemel.ru>
Subject: [PULL 2/2] migration: fix-possible-int-overflow
Date: Wed, 13 Nov 2024 15:16:31 -0500
Message-ID: <20241113201631.2920541-3-peterx@redhat.com>
In-Reply-To: <20241113201631.2920541-1-peterx@redhat.com>
References: <20241113201631.2920541-1-peterx@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=170.10.129.124; envelope-from=peterx@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com
X-Spam_score_int: -29
X-Spam_score: -3.0
X-Spam_bar: ---
X-Spam_report: (-3.0 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.119,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.738,
 RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org

Series

[PULL,1/2] migration: Check current_migration in migration_is_running() | expand

Commit Message

Peter Xu Nov. 13, 2024, 8:16 p.m. UTC

From: Dmitry Frolov <frolov@swemel.ru>

stat64_add() takes uint64_t as 2nd argument, but both
"p->next_packet_size" and "p->packet_len" are uint32_t.
Thus, theyr sum may overflow uint32_t.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Link: https://lore.kernel.org/r/20241113140509.325732-2-frolov@swemel.ru
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/multifd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Philippe Mathieu-Daudé Nov. 13, 2024, 8:40 p.m. UTC | #1

Hi,

On 13/11/24 20:16, Peter Xu wrote:
> From: Dmitry Frolov <frolov@swemel.ru>
> 
> stat64_add() takes uint64_t as 2nd argument, but both
> "p->next_packet_size" and "p->packet_len" are uint32_t.
> Thus, theyr sum may overflow uint32_t.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
> Link: https://lore.kernel.org/r/20241113140509.325732-2-frolov@swemel.ru
> Signed-off-by: Peter Xu <peterx@redhat.com>
> ---
>   migration/multifd.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/migration/multifd.c b/migration/multifd.c
> index 4374e14a96..498e71fd10 100644
> --- a/migration/multifd.c
> +++ b/migration/multifd.c
> @@ -623,7 +623,7 @@ static void *multifd_send_thread(void *opaque)
>               }
>   
>               stat64_add(&mig_stats.multifd_bytes,
> -                       p->next_packet_size + p->packet_len);
> +                       (uint64_t)p->next_packet_size + p->packet_len);

I am not familiar with this area, but quickly looking I can't
find a code path accepting 4GiB payload, so IMHO this hypothetical
case is not unreachable. My 2 cents (I'm not objecting on this
"silence this warning" patch).

>   
>               p->next_packet_size = 0;
>               multifd_set_payload_type(p->data, MULTIFD_PAYLOAD_NONE);

Peter Xu Nov. 13, 2024, 9:17 p.m. UTC | #2

On Wed, Nov 13, 2024 at 09:40:50PM +0100, Philippe Mathieu-Daudé wrote:
> Hi,
> 
> On 13/11/24 20:16, Peter Xu wrote:
> > From: Dmitry Frolov <frolov@swemel.ru>
> > 
> > stat64_add() takes uint64_t as 2nd argument, but both
> > "p->next_packet_size" and "p->packet_len" are uint32_t.
> > Thus, theyr sum may overflow uint32_t.
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > 
> > Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
> > Link: https://lore.kernel.org/r/20241113140509.325732-2-frolov@swemel.ru
> > Signed-off-by: Peter Xu <peterx@redhat.com>
> > ---
> >   migration/multifd.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/migration/multifd.c b/migration/multifd.c
> > index 4374e14a96..498e71fd10 100644
> > --- a/migration/multifd.c
> > +++ b/migration/multifd.c
> > @@ -623,7 +623,7 @@ static void *multifd_send_thread(void *opaque)
> >               }
> >               stat64_add(&mig_stats.multifd_bytes,
> > -                       p->next_packet_size + p->packet_len);
> > +                       (uint64_t)p->next_packet_size + p->packet_len);
> 
> I am not familiar with this area, but quickly looking I can't
> find a code path accepting 4GiB payload, so IMHO this hypothetical
> case is not unreachable. My 2 cents (I'm not objecting on this
> "silence this warning" patch).

Thanks Phil, for taking an extra eye.

Yes, the solo goal is probably to silent it, if that helps anyone at all.
I left similar comment when replying to Dmitry when queuing this.

If it could overflow, we have more troubles, e.g., we have plenty of places
caching these values in 32bits.  When this overflow could happen, we should
simply switch everything to 64bit..

> 
> >               p->next_packet_size = 0;
> >               multifd_set_payload_type(p->data, MULTIFD_PAYLOAD_NONE);
>

diff --git a/migration/multifd.c b/migration/multifd.c
index 4374e14a96..498e71fd10 100644
--- a/migration/multifd.c
+++ b/migration/multifd.c
@@ -623,7 +623,7 @@  static void *multifd_send_thread(void *opaque)
             }
 
             stat64_add(&mig_stats.multifd_bytes,
-                       p->next_packet_size + p->packet_len);
+                       (uint64_t)p->next_packet_size + p->packet_len);
 
             p->next_packet_size = 0;
             multifd_set_payload_type(p->data, MULTIFD_PAYLOAD_NONE);

[PULL,2/2] migration: fix-possible-int-overflow

Commit Message

Comments

Patch