Message ID | 20240917080356.270576-2-frolov@swemel.ru (mailing list archive) |
---|---|
State | New, archived |
Series | hw/block: fix uint32 overflow |
On Tue, Sep 17, 2024 at 11:03:18AM +0300, Dmitry Frolov wrote:
> The product bs->bl.zone_size * (bs->bl.nr_zones - 1) may overflow
> uint32.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
> ---
> hw/block/virtio-blk.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Thanks, applied to my block tree:
https://gitlab.com/stefanha/qemu/commits/block

Stefan
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c index 73bdfd6122..115795392c 100644 --- a/hw/block/virtio-blk.c +++ b/hw/block/virtio-blk.c @@ -700,7 +700,7 @@ static int virtio_blk_handle_zone_mgmt(VirtIOBlockReq *req, BlockZoneOp op) } else { if (bs->bl.zone_size > capacity - offset) { /* The zoned device allows the last smaller zone. */ - len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1); + len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1ull); } else { len = bs->bl.zone_size; }
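
Review bot: On the `+` line in virtio_blk_handle_zone_mgmt(), the 64-bit widening depends entirely on the `ull` suffix of the literal inside `(bs->bl.nr_zones - 1ull)`, which is easy to overlook and easy to lose if the constant is later tidied back to `1`. Consider stating the intent explicitly, for example `len = capacity - (uint64_t)bs->bl.zone_size * (bs->bl.nr_zones - 1);`, or add a short comment that the multiplication must be carried out in 64 bits. It is also worth confirming for this branch that nothing in the visible lines guards against `bs->bl.nr_zones` being 0 or against the product exceeding `capacity`; either case would make the unsigned subtraction wrap and yield a bogus `len`.
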
The product bs->bl.zone_size * (bs->bl.nr_zones - 1) may overflow
uint32.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
---
 hw/block/virtio-blk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)