[PULL 1/5] scsi-disk: fix overflow when block size is not a multiple of

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PULL 1/5] scsi-disk: fix overflow when block size is not a multiple of

From:	Paolo Bonzini
Subject:	[PULL 1/5] scsi-disk: fix overflow when block size is not a multiple of BDRV_SECTOR_SIZE
Date:	Mon, 8 Aug 2022 14:57:02 +0200

From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>

In scsi_disk_emulate_write_same() the number of host sectors to transfer is
calculated as (s->qdev.blocksize / BDRV_SECTOR_SIZE) which is then used to
copy data in block size chunks to the iov buffer.

Since the loop copying the data to the iov buffer uses a fixed increment of
s->qdev.blocksize then using a block size that isn't a multiple of
BDRV_SECTOR_SIZE introduces a rounding error in the iov buffer size calculation
such that the iov buffer copy overflows the space allocated.

Update the iov buffer copy for() loop so that it will use the smallest of either
the current block size or the remaining transfer count to prevent the overflow.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20220730122656.253448-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/scsi-disk.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index f5cdb9ad4b..3027ac3b1e 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -1849,7 +1849,7 @@ static void scsi_disk_emulate_write_same(SCSIDiskReq *r, 
uint8_t *inbuf)
     uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
     WriteSameCBData *data;
     uint8_t *buf;
-    int i;
+    int i, l;
 
     /* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1.  */
     if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
@@ -1891,8 +1891,9 @@ static void scsi_disk_emulate_write_same(SCSIDiskReq *r, 
uint8_t *inbuf)
                                               data->iov.iov_len);
     qemu_iovec_init_external(&data->qiov, &data->iov, 1);
 
-    for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
-        memcpy(&buf[i], inbuf, s->qdev.blocksize);
+    for (i = 0; i < data->iov.iov_len; i += l) {
+        l = MIN(s->qdev.blocksize, data->iov.iov_len - i);
+        memcpy(&buf[i], inbuf, l);
     }
 
     scsi_req_ref(&r->req);
-- 
2.37.1

[Prev in Thread]

Current Thread

[Next in Thread]

[PULL 0/5] Misc QEMU 7.1 fixes for 2002-08-08, Paolo Bonzini, 2022/08/08
- [PULL 1/5] scsi-disk: fix overflow when block size is not a multiple of BDRV_SECTOR_SIZE, Paolo Bonzini <=
- [PULL 2/5] scsi-disk: ensure block size is non-zero and changes limited to bits 8-15, Paolo Bonzini, 2022/08/08
- [PULL 3/5] vl: fix [memory] section with -readconfig, Paolo Bonzini, 2022/08/08
- [PULL 5/5] tests/qtest: add scenario for -readconfig handling, Paolo Bonzini, 2022/08/08
- [PULL 4/5] vl: remove dead code in parse_memory_options(), Paolo Bonzini, 2022/08/08
- Re: [PULL 0/5] Misc QEMU 7.1 fixes for 2002-08-08, Thomas Huth, 2022/08/08
  - Re: [PULL 0/5] Misc QEMU 7.1 fixes for 2002-08-08, Richard Henderson, 2022/08/08
  - Re: [PULL 0/5] Misc QEMU 7.1 fixes for 2002-08-08, Paolo Bonzini, 2022/08/11
- Re: [PULL 0/5] Misc QEMU 7.1 fixes for 2002-08-08, Richard Henderson, 2022/08/08

Prev by Date: Re: [PATCH] error handling: Use TFR() macro where applicable
Next by Date: [PULL 0/5] Misc QEMU 7.1 fixes for 2002-08-08
Previous by thread: [PULL 0/5] Misc QEMU 7.1 fixes for 2002-08-08
Next by thread: [PULL 2/5] scsi-disk: ensure block size is non-zero and changes limited to bits 8-15
Index(es):
- Date
- Thread