hw/block: fix uint32 overflow
author Dmitry Frolov <frolov@swemel.ru>
Tue, 17 Sep 2024 08:03:18 +0000 (11:03 +0300)
committer Stefan Hajnoczi <stefanha@redhat.com>
Tue, 17 Sep 2024 10:12:30 +0000 (12:12 +0200)
The product bs->bl.zone_size * (bs->bl.nr_zones - 1) may overflow
uint32.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Message-id: 20240917080356.270576-2-frolov@swemel.ru
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
hw/block/virtio-blk.c

index 73bdfd6122ac7673757a0be2a3649c7629600521..115795392c491384735736b551f43805238a3d7a 100644 (file)
@@ -700,7 +700,7 @@ static int virtio_blk_handle_zone_mgmt(VirtIOBlockReq *req, BlockZoneOp op)
     } else {
         if (bs->bl.zone_size > capacity - offset) {
             /* The zoned device allows the last smaller zone. */
-            len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1);
+            len = capacity - bs->bl.zone_size * (bs->bl.nr_zones - 1ull);
         } else {
             len = bs->bl.zone_size;
         }
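Review bot: On the changed `len = capacity - ...` line, the widening to 64 bits depends entirely on the `ull` suffix of the literal in `(bs->bl.nr_zones - 1ull)`, which is easy to overlook and easy to drop in a later cleanup. An explicit cast on one operand, such as `(uint64_t)bs->bl.zone_size * (bs->bl.nr_zones - 1)`, or a one-line comment saying why the suffix is there, would make the intent visible. Separately, the subtraction is unsigned in both the old and the new form, so `nr_zones == 0` would wrap to a very large count; the visible lines show no guard for that, so it is worth confirming that `nr_zones` is nonzero on this path.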