From patchwork Mon Jul 23 20:17:43 2018
X-Patchwork-Submitter: Michael Roth
X-Patchwork-Id: 10541135
From: Michael Roth
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org
Date: Mon, 23 Jul 2018 15:17:43 -0500
Message-Id: <20180723201748.25573-95-mdroth@linux.vnet.ibm.com>
In-Reply-To: <20180723201748.25573-1-mdroth@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH 94/99] iscsi: Avoid potential for get_status overflow

From: Eric Blake

Detected by Coverity: Multiplying two 32-bit int and assigning the result to a 64-bit number is a risk of overflow. Prior to the conversion to byte-based interfaces, the block layer took care of ensuring that a status request never exceeded 2G in the driver; but after that conversion, the block layer expects drivers to deal with any size request (the driver can always truncate the request size back down, as long as it makes progress). So, in the off-chance that someone makes a large request, we are at the mercy of whether iscsi_get_lba_status_task() will cap things to at most INT_MAX / iscsilun->block_size when it populates lbasd->num_blocks; since I could not easily audit that, it's better to be safe than sorry by just forcing a 64-bit multiply.

Fixes: 92809c36
CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake
Message-Id: <20180508212718.1482663-1-eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé
(cherry picked from commit 8ee1cef4593a7bda076891470c0620e79333c0d0)
Signed-off-by: Michael Roth
---
 block/iscsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/iscsi.c b/block/iscsi.c index f5aecfc883..871947feae 100644 --- a/block/iscsi.c +++ b/block/iscsi.c @@ -732,7 +732,7 @@ retry: goto out_unlock; } - *pnum = lbasd->num_blocks * iscsilun->block_size; + *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size; if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED || lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
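Review bot: On the added line `*pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;`, the correctness of the fix depends on the cast binding to `lbasd->num_blocks` alone so that the multiply itself is done in 64 bits, and nothing in the code says so. A one-line comment stating that the cast is deliberate would keep a later cleanup from dropping it as redundant or rewriting it as `(int64_t)(a * b)`, which would bring the 32-bit overflow back. With the product no longer wrapping, `*pnum` can also be larger than before for a device that reports a large `num_blocks`. The hunk does not show a clamp of `*pnum` against the length the caller asked for, so it is worth confirming that one exists further down in this function and that nothing after this line narrows the value back into an `int`.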