block

block: vpc - prevent overflow if max_table_entries >= 0x40000000

Jeff Cody authored Jul 24, 2015 and Michael Roth committed Jul 30, 2015

When we allocate the pagetable based on max_table_entries, we multiply
the max table entry value by 4 to accomodate a table of 32-bit integers.
However, max_table_entries is a uint32_t, and the VPC driver accepts
ranges for that entry over 0x40000000.  So during this allocation:

s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);

The size arg overflows, allocating significantly less memory than
expected.

Since qemu_try_blockalign() size argument is size_t, cast the
multiplication correctly to prevent overflow.

The value of "max_table_entries * 4" is used elsewhere in the code as
well, so store the correct value for use in all those cases.

We also check the Max Tables Entries value, to make sure that it is <
SIZE_MAX / 4, so we know the pagetable size will fit in size_t.

Cc: qemu-stable@nongnu.org
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit b15deac7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

358f0ee2

History

358f0ee2 Jul 24, 2015

History

Code owners

Assign users and groups as approvers for specific file changes. Learn more.

Name	Last commit	Last update
..
Makefile.objs
accounting.c
archipelago.c
backup.c
blkdebug.c
blkverify.c
block-backend.c
bochs.c
cloop.c
commit.c
curl.c
dmg.c
gluster.c
iscsi.c
linux-aio.c
mirror.c
nbd-client.c
nbd-client.h
nbd.c
nfs.c
null.c
parallels.c
qapi.c
qcow.c
qcow2-cache.c
qcow2-cluster.c
qcow2-refcount.c
qcow2-snapshot.c
qcow2.c
qcow2.h
qed-check.c
qed-cluster.c
qed-gencb.c
qed-l2-cache.c
qed-table.c
qed.c
qed.h
quorum.c
raw-aio.h
raw-posix.c
raw-win32.c
raw_bsd.c
rbd.c
sheepdog.c
snapshot.c
ssh.c
stream.c
vdi.c
vhdx-endian.c
vhdx-log.c
vhdx.c
vhdx.h
vmdk.c
vpc.c
vvfat.c
win32-aio.c
write-threshold.c

Admin message

block