
SOURCES/kvm-iscsi-Avoid-potential-for-get_status-overflow.patch

From 242abde4b0152142787bd3200de5cc35863da59a Mon Sep 17 00:00:00 2001
From: jmaloy <jmaloy@redhat.com>
Date: Wed, 29 Jan 2020 21:41:14 +0000
Subject: [PATCH 1/6] iscsi: Avoid potential for get_status overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: jmaloy <jmaloy@redhat.com>
Message-id: <20200129214115.19979-2-jmaloy@redhat.com>
Patchwork-id: 93587
O-Subject: [RHEL-8.2.0 qemu-kvm PATCH 1/2] iscsi: Avoid potential for get_status overflow
Bugzilla: 1794501
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

From: Eric Blake <eblake@redhat.com>

Detected by Coverity: Multiplying two 32-bit ints and assigning
the result to a 64-bit number is a risk of overflow.  Prior to
the conversion to byte-based interfaces, the block layer took
care of ensuring that a status request never exceeded 2G in
the driver; but after that conversion, the block layer expects
drivers to deal with any size request (the driver can always
truncate the request size back down, as long as it makes
progress).  So, in the off-chance that someone makes a large
request, we are at the mercy of whether iscsi_get_lba_status_task()
will cap things to at most INT_MAX / iscsilun->block_size when
it populates lbasd->num_blocks; since I could not easily audit
that, it's better to be safe than sorry by just forcing a 64-bit
multiply.

Fixes: 92809c36
CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20180508212718.1482663-1-eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
(cherry picked from commit 8ee1cef4593a7bda076891470c0620e79333c0d0)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
 block/iscsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index c412b12..336ce49 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -734,7 +734,7 @@ retry:
         goto out_unlock;
     }
 
-    *pnum = lbasd->num_blocks * iscsilun->block_size;
+    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
 
     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
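Review bot: The cast is on the correct operand: `(int64_t) lbasd->num_blocks * iscsilun->block_size` converts the right-hand operand to 64 bits before the multiply, whereas the tempting `(int64_t) (lbasd->num_blocks * iscsilun->block_size)` would only widen an already-wrapped 32-bit product, so please keep this form if the line is touched again; the hunk does not show the declared types of the two fields, so the review should confirm both really are 32-bit as the message states. As a follow-up, since the message says the cap applied inside iscsi_get_lba_status_task() could not be audited and also notes the driver is free to truncate the request as long as it makes progress, clamping *pnum to the length the caller requested (not visible in this hunk) would make the reported status independent of what libiscsi returns rather than relying on the wider arithmetic alone.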
-- 
1.8.3.1
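The overflow the commit message describes, worked through in an added example that is not QEMU code and not part of this patch. It assumes, as the message states, that both operands are 32-bit and that the destination is a 64-bit byte count (the types `uint32_t` and `int64_t` and the function names are the example's own); it compares the pre-patch expression, the patched expression, and the mis-placed cast that would have fixed nothing.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not QEMU code). It mirrors the shape of the expression the
 * patch changes: num_blocks and block_size stand in for lbasd->num_blocks and
 * iscsilun->block_size and are assumed to be 32-bit unsigned; the result
 * stands in for the 64-bit *pnum. */

/* Pre-patch form: both operands are 32-bit, so the multiply is performed in
 * 32 bits and wraps modulo 2^32 before the result is widened to int64_t. */
int64_t status_bytes_narrow(uint32_t num_blocks, uint32_t block_size)
{
    int64_t pnum = num_blocks * block_size;   /* 32-bit product, then widened */
    return pnum;
}

/* Patched form: casting one operand first makes the multiply 64-bit. */
int64_t status_bytes_wide(uint32_t num_blocks, uint32_t block_size)
{
    int64_t pnum = (int64_t) num_blocks * block_size;
    return pnum;
}

/* Wrong placement of the cast: it applies to the already-wrapped 32-bit
 * product, so this behaves exactly like the pre-patch code. */
int64_t status_bytes_wrong_cast(uint32_t num_blocks, uint32_t block_size)
{
    int64_t pnum = (int64_t) (num_blocks * block_size);
    return pnum;
}

/* Returns 1 when the narrow computation disagrees with the wide one, i.e.
 * when a 32-bit overflow would have corrupted the reported byte count. */
int overflow_detected(uint32_t num_blocks, uint32_t block_size)
{
    return status_bytes_narrow(num_blocks, block_size) !=
           status_bytes_wide(num_blocks, block_size);
}

int main(void)
{
    /* Constructed inputs: 8 Mi blocks of 512 bytes is exactly 4 GiB, which
     * does not fit in 32 bits; the narrow form reports 0 bytes of status. */
    uint32_t num_blocks = 8388608u;   /* 0x00800000 */
    uint32_t block_size = 512u;

    printf("narrow     : %lld\n", (long long) status_bytes_narrow(num_blocks, block_size));
    printf("wide       : %lld\n", (long long) status_bytes_wide(num_blocks, block_size));
    printf("wrong cast : %lld\n", (long long) status_bytes_wrong_cast(num_blocks, block_size));
    printf("overflow detected: %d\n", overflow_detected(num_blocks, block_size));
    return 0;
}
```

A zero (or small) `*pnum` from the narrow form is the failure mode the message warns about: a block-status request covering several gigabytes would be answered with a tiny or empty extent, so the caller either makes no progress or mis-describes the allocation state of the range.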