[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] 54a53a: scsi-disk: fix overflow when block si
|
From: |
Richard Henderson |
|
Subject: |
[Qemu-commits] [qemu/qemu] 54a53a: scsi-disk: fix overflow when block size is not a m... |
|
Date: |
Mon, 08 Aug 2022 11:30:04 -0700 |
Branch: refs/heads/staging
Home: https://github.com/qemu/qemu
Commit: 54a53a006ed9c1fe027fd89045d6de1e9128d7f4
https://github.com/qemu/qemu/commit/54a53a006ed9c1fe027fd89045d6de1e9128d7f4
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2022-08-01 (Mon, 01 Aug 2022)
Changed paths:
M hw/scsi/scsi-disk.c
Log Message:
-----------
scsi-disk: fix overflow when block size is not a multiple of BDRV_SECTOR_SIZE
In scsi_disk_emulate_write_same() the number of host sectors to transfer is
calculated as (s->qdev.blocksize / BDRV_SECTOR_SIZE) which is then used to
copy data in block size chunks to the iov buffer.
Since the loop copying the data to the iov buffer uses a fixed increment of
s->qdev.blocksize then using a block size that isn't a multiple of
BDRV_SECTOR_SIZE introduces a rounding error in the iov buffer size calculation
such that the iov buffer copy overflows the space allocated.
Update the iov buffer copy for() loop so that it will use the smallest of either
the current block size or the remaining transfer count to prevent the overflow.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20220730122656.253448-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 55794c904df723109b228da28b5db778e0df3110
https://github.com/qemu/qemu/commit/55794c904df723109b228da28b5db778e0df3110
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2022-08-01 (Mon, 01 Aug 2022)
Changed paths:
M hw/scsi/scsi-disk.c
Log Message:
-----------
scsi-disk: ensure block size is non-zero and changes limited to bits 8-15
The existing code assumes that the block size can be generated from p[1] << 8
in multiple places which ignores the top and bottom 8 bits. If the block size
is allowed to be set to an arbitrary value then this causes a mismatch
between the value written by the guest in the block descriptor and the value
subsequently read back using READ CAPACITY causing the guest to generate
requests that can crash QEMU.
For now restrict block size changes to bits 8-15 and also ignore requests to
set the block size to 0 which causes the SCSI emulation to crash in at least
one place with a divide by zero error.
Fixes: 356c4c441e ("scsi-disk: allow MODE SELECT block descriptor to set the
block size")
Closes: https://gitlab.com/qemu-project/qemu/-/issues/1112
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20220730122656.253448-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: e12f0685e8f6ee57a00d3f304023665aa0e02b8c
https://github.com/qemu/qemu/commit/e12f0685e8f6ee57a00d3f304023665aa0e02b8c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2022-08-08 (Mon, 08 Aug 2022)
Changed paths:
M softmmu/vl.c
Log Message:
-----------
vl: fix [memory] section with -readconfig
The -M memory.* options do not have magic applied to them like the -m
option, namely no "M" (for mebibytes) is tacked at the end of a suffixless
value for "-M memory.size".
This magic is performed by parse_memory_options, and we have to do it for
both "-m" and the [memory] section of a config file. Storing [memory]
sections directly to machine_opts_dict changed the meaning of
[memory]
size = "1024"
in a -readconfig file from 1024MiB to 8KiB (1024 Bytes rounded up to
8KiB silently). To avoid this, the [memory] section has to be changed
back to QemuOpts (combining [memory] and "-m" will work fine thanks to
.merge_lists being true).
Change parse_memory_options() so that, similar to the older function
set_memory_options(), it operates after command line parsing is done;
and also call it where set_memory_options() used to be.
Note, the parsing code uses exit(1) instead of exit(EXIT_FAILURE) to
match neighboring code.
Reported-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Fixes: ce9d03fb3f ("machine: add mem compound property", 2022-05-12)
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 69c05a23787e9f5cdddbf3688c2e309a92a20af4
https://github.com/qemu/qemu/commit/69c05a23787e9f5cdddbf3688c2e309a92a20af4
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2022-08-08 (Mon, 08 Aug 2022)
Changed paths:
M softmmu/vl.c
Log Message:
-----------
vl: remove dead code in parse_memory_options()
mem_str will never be an empty string, because qemu_opt_get_size() fails
if it encounters one:
$ ./qemu-system-x86_64 -m size=
qemu-system-x86_64: -m size=: Parameter size expects a non-negative number
below 2^64
Optional suffix k, M, G, T, P or E means kilo-, mega-, giga-, tera-, peta-
and exabytes, respectively.
Suggested-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: f6a5f380627ab2af384bf2f2940d29386dea11ff
https://github.com/qemu/qemu/commit/f6a5f380627ab2af384bf2f2940d29386dea11ff
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2022-08-08 (Mon, 08 Aug 2022)
Changed paths:
M tests/qtest/meson.build
A tests/qtest/readconfig-test.c
Log Message:
-----------
tests/qtest: add scenario for -readconfig handling
This test of -readconfig validates the last three regressions we
have fixed with -readconfig:
* Interpretation of memory size units as MiB not bytes
* Allow use of [spice]
* Allow use of [object]
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220805115529.124544-2-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit: 8a1337e60400ef54432e063164faf5043a55555d
https://github.com/qemu/qemu/commit/8a1337e60400ef54432e063164faf5043a55555d
Author: Richard Henderson <richard.henderson@linaro.org>
Date: 2022-08-08 (Mon, 08 Aug 2022)
Changed paths:
M hw/scsi/scsi-disk.c
M softmmu/vl.c
M tests/qtest/meson.build
A tests/qtest/readconfig-test.c
Log Message:
-----------
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
* Fix and tests for -readconfig
* Fixes for changeable block size
# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmLxB6wUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroMbgQgAmj38xh/KurUvjAwlki9OF+jIXem/
# r7eHtc6wG/dGN7CyL+EK08c2GfPIphhii3JGfLT3P/xHvHRVgYow2AELNvYSG85M
# SBQGfDsHLoKvY6Wni3AolECvtGycXkd30RtrzqdTT8iZyIhTTsikEG2hSgE+Z6Yy
# 9XGPHN9puTkkD5HYnDV1+T4+yc28F8UTVob3fv9b7LMH7mSYz7UN5Tw4zB7DjOL1
# JNTuYqW9JN1X1vIYKxYw9Y5Jb3qNjnl8y6if8bPuvrLRw94sd0ax23yEQHwtgcUj
# cYGcvZ2/X0SQg4AHTsqGJCuffKNDfHhmmA7w0Xb2DEvBvoveYOaDp3dKZQ==
# =L9FI
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 08 Aug 2022 05:55:08 AM PDT
# gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [undefined]
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
tests/qtest: add scenario for -readconfig handling
vl: remove dead code in parse_memory_options()
vl: fix [memory] section with -readconfig
scsi-disk: ensure block size is non-zero and changes limited to bits 8-15
scsi-disk: fix overflow when block size is not a multiple of BDRV_SECTOR_SIZE
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Compare: https://github.com/qemu/qemu/compare/0b86b4e0dabb...8a1337e60400
- [Qemu-commits] [qemu/qemu] 54a53a: scsi-disk: fix overflow when block size is not a m...,
Richard Henderson <=