block: vpc - prevent overflow if max_table_entries >= 0x40000000
author: Jeff Cody <jcody@redhat.com>
Fri, 24 Jul 2015 14:26:51 +0000 (10:26 -0400)
committer: Michael Roth <mdroth@linux.vnet.ibm.com>
Thu, 30 Jul 2015 03:16:01 +0000 (22:16 -0500)
commit: 358f0ee234d1fcaf7b0ff6e830d83821c3c44c56
tree: 10e38c5d6fb5b2821306d3bf3d0e3e4e08f1616f
parent: 961c74a841ae6d2ef03f6684c9f74fbdf8f472b1

When we allocate the pagetable based on max_table_entries, we multiply
the max table entry value by 4 to accommodate a table of 32-bit integers.
However, max_table_entries is a uint32_t, and the VPC driver accepts
ranges for that entry over 0x40000000.  So during this allocation:

s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);

The size arg overflows, allocating significantly less memory than
expected.

Since qemu_try_blockalign()'s size argument is size_t, cast the
multiplication correctly to prevent overflow.

The value of "max_table_entries * 4" is used elsewhere in the code as
well, so store the correct value for use in all those cases.

We also check the Max Tables Entries value, to make sure that it is <
SIZE_MAX / 4, so we know the pagetable size will fit in size_t.

Cc: qemu-stable@nongnu.org
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit b15deac79530d818092cb49a8021bcce83d71b5b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
block/vpc.c
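The arithmetic the commit message describes, as an added illustration that is not part of this commit or of the QEMU vpc driver: vpc_table_bytes_buggy() mirrors the original expression (a uint32_t multiplied by 4 in 32-bit arithmetic and only then widened to size_t), vpc_table_bytes_fixed() widens before multiplying, and vpc_max_table_entries_ok() applies the stated bound of max_table_entries < SIZE_MAX / 4. The function names, the bounds helper and the sample values are assumptions constructed for this example; the constant 0x40000000 is the threshold named in the commit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration, not QEMU code. Mirrors the original expression:
 * max_table_entries is uint32_t, 4 is int, so the product is computed as a
 * 32-bit unsigned value and wraps modulo 2^32 before it is widened to size_t.
 * 0x40000000 * 4 == 2^32, which wraps to 0; larger values wrap to tiny sizes. */
size_t vpc_table_bytes_buggy(uint32_t max_table_entries)
{
    return max_table_entries * 4;   /* 32-bit multiply, then implicit widening */
}

/* Hardened shape (assumed here): widen first so the multiply happens in
 * size_t. On a 64-bit host this cannot wrap for any uint32_t input. */
size_t vpc_table_bytes_fixed(uint32_t max_table_entries)
{
    return (size_t)max_table_entries * 4;
}

/* Range check from the commit message: accept only max_table_entries <
 * SIZE_MAX / 4, so the widened product always fits in size_t (this matters on
 * 32-bit hosts, where size_t is itself only 32 bits). Returns 1 if acceptable. */
int vpc_max_table_entries_ok(uint32_t max_table_entries)
{
    return max_table_entries < SIZE_MAX / 4;
}

/* Would a write to entry `index` of a table of max_table_entries 32-bit
 * entries stay inside an allocation of alloc_bytes? Shows why the wrapped
 * size is dangerous: the upper entries land past the end of the buffer. */
int vpc_table_index_in_bounds(uint32_t max_table_entries, size_t alloc_bytes,
                              uint32_t index)
{
    if (index >= max_table_entries) {
        return 0;
    }
    return ((size_t)index + 1) * sizeof(uint32_t) <= alloc_bytes;
}

int main(void)
{
    /* Constructed sample values around the threshold named in the commit. */
    const uint32_t samples[] = { 0x3FFFFFFFu, 0x40000000u, 0x40000001u };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t n = samples[i];
        size_t buggy = vpc_table_bytes_buggy(n);

        printf("max_table_entries=0x%08x buggy=%zu ", n, buggy);
        if (vpc_max_table_entries_ok(n)) {
            printf("fixed=%zu ", vpc_table_bytes_fixed(n));
        } else {
            printf("fixed=REJECTED ");
        }
        printf("last entry inside buggy allocation: %s\n",
               vpc_table_index_in_bounds(n, buggy, n - 1) ? "yes" : "NO");
    }
    return 0;
}
```

On a 64-bit host the buggy size for 0x40000000 entries is 0 bytes and for 0x40000001 entries is 4 bytes, while the fixed computation yields 4 GiB plus the expected few bytes; the in-bounds check makes the consequence concrete, since the top of the table no longer fits in the undersized buffer. The explicit range check is what keeps the fixed expression safe on 32-bit builds, where widening alone does not help.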