[PULL 1/5] scsi-disk: fix overflow when block size is not a multiple of BDRV_SECTOR_SIZE

From: Paolo Bonzini
Subject: [PULL 1/5] scsi-disk: fix overflow when block size is not a multiple of BDRV_SECTOR_SIZE
Date: Mon, 8 Aug 2022 14:57:02 +0200
From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
In scsi_disk_emulate_write_same() the number of host sectors to transfer is
calculated as (s->qdev.blocksize / BDRV_SECTOR_SIZE) which is then used to
copy data in block size chunks to the iov buffer.
Since the loop copying the data to the iov buffer uses a fixed increment of
s->qdev.blocksize, using a block size that isn't a multiple of
BDRV_SECTOR_SIZE introduces a rounding error in the iov buffer size calculation
such that the iov buffer copy overflows the space allocated.
Update the iov buffer copy for() loop so that it will use the smallest of either
the current block size or the remaining transfer count to prevent the overflow.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20220730122656.253448-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/scsi-disk.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index f5cdb9ad4b..3027ac3b1e 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -1849,7 +1849,7 @@ static void scsi_disk_emulate_write_same(SCSIDiskReq *r,
uint8_t *inbuf)
uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
WriteSameCBData *data;
uint8_t *buf;
- int i;
+ int i, l;
/* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1. */
if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
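Review bot: `int i, l;` keeps both the loop index and the new chunk length signed, yet the second hunk compares and adds them against `data->iov.iov_len` (a `struct iovec` length, which is `size_t`); declaring them as `size_t i, l;` would avoid signed/unsigned comparison warnings and match the quantity they bound. `l` is assigned at the top of the loop body before it is read, so no initialiser is needed here.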
@@ -1891,8 +1891,9 @@ static void scsi_disk_emulate_write_same(SCSIDiskReq *r,
uint8_t *inbuf)
data->iov.iov_len);
qemu_iovec_init_external(&data->qiov, &data->iov, 1);
- for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
- memcpy(&buf[i], inbuf, s->qdev.blocksize);
+ for (i = 0; i < data->iov.iov_len; i += l) {
+ l = MIN(s->qdev.blocksize, data->iov.iov_len - i);
+ memcpy(&buf[i], inbuf, l);
}
scsi_req_ref(&r->req);
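Review bot: `l = MIN(s->qdev.blocksize, data->iov.iov_len - i)` correctly caps each memcpy at the space remaining, so the write past `buf` is gone, but when `iov_len` is not a multiple of the block size the last iteration now copies only a truncated block of the WRITE SAME pattern. A one-line comment above the loop saying that the buffer length, not the block size, is the bound and that a partial tail is intentional would help the next reader; the rounding in the host-sector calculation that the commit message identifies as the root cause is left as is by this hunk.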
--
2.37.1
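The overflow the commit message describes, and the clipped loop that replaces it, written out as an added C example that is not part of the QEMU patch or tree. It assumes the iov buffer is sized as host sectors times BDRV_SECTOR_SIZE with host sectors derived from (blocksize / BDRV_SECTOR_SIZE), as the message states; `write_same_iov_len`, `unbounded_copy_bytes`, `bounded_copy` and `fill_and_verify` are names chosen for this example, and the 520-byte block size is a constructed test value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define BDRV_SECTOR_SIZE 512u
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Assumption: the iov buffer is sized as host sectors * BDRV_SECTOR_SIZE,
 * with host sectors derived from (blocksize / BDRV_SECTOR_SIZE) as the
 * commit message describes. Integer division rounds 520 / 512 down to 1. */
size_t write_same_iov_len(uint32_t nb_sectors, uint32_t blocksize)
{
    uint32_t host_sectors = nb_sectors * (blocksize / BDRV_SECTOR_SIZE);
    return (size_t)host_sectors * BDRV_SECTOR_SIZE;
}

/* Shape of the pre-fix loop: count the bytes it would write, without
 * writing anything, so the overrun can be measured rather than triggered. */
size_t unbounded_copy_bytes(size_t iov_len, uint32_t blocksize)
{
    size_t written = 0;
    for (size_t i = 0; i < iov_len; i += blocksize) {
        written += blocksize;
    }
    return written;
}

/* Shape of the post-fix loop: every chunk is clipped to the space left. */
size_t bounded_copy(uint8_t *buf, size_t iov_len,
                    const uint8_t *pattern, uint32_t blocksize)
{
    size_t i, l;
    for (i = 0; i < iov_len; i += l) {
        l = MIN((size_t)blocksize, iov_len - i);
        memcpy(&buf[i], pattern, l);
    }
    return i; /* equals iov_len once the loop exits */
}

/* Run one scenario: build a pattern block, fill an iov buffer that has a
 * guard byte just past its end, and confirm the guard survives and the
 * pattern repeats correctly (the final chunk may be partial).
 * Returns 1 on success, 0 on any failure. */
int fill_and_verify(uint32_t nb_sectors, uint32_t blocksize)
{
    size_t iov_len = write_same_iov_len(nb_sectors, blocksize);
    uint8_t *pattern = malloc(blocksize);
    uint8_t *buf = malloc(iov_len + 1);
    int ok = 1;
    if (!pattern || !buf) { free(pattern); free(buf); return 0; }
    for (uint32_t k = 0; k < blocksize; k++) {
        pattern[k] = (uint8_t)k;
    }
    buf[iov_len] = 0xA5;              /* guard byte past the buffer */
    if (bounded_copy(buf, iov_len, pattern, blocksize) != iov_len) ok = 0;
    if (buf[iov_len] != 0xA5) ok = 0; /* an overrun would clobber this */
    for (size_t k = 0; k < iov_len && ok; k++) {
        if (buf[k] != pattern[k % blocksize]) ok = 0;
    }
    free(pattern);
    free(buf);
    return ok;
}

int main(void)
{
    /* Constructed block sizes: two multiples of 512 and one that is not. */
    uint32_t cases[] = { 512, 520, 4096 };
    for (size_t c = 0; c < 3; c++) {
        size_t iov_len = write_same_iov_len(4, cases[c]);
        size_t old = unbounded_copy_bytes(iov_len, cases[c]);
        printf("blocksize %u: iov_len %zu, old loop writes %zu (%s), "
               "fixed loop ok=%d\n",
               cases[c], iov_len, old, old > iov_len ? "OVERRUN" : "fits",
               fill_and_verify(4, cases[c]));
    }
    return 0;
}
```

With four logical blocks of 520 bytes the buffer is 2048 bytes, the old loop would write 2080, and the clipped loop stops at 2048 with a 488-byte partial tail; for 512 and 4096 both loops write exactly the buffer length.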