falso
/
qemu-irix
mirror of https://github.com/n64decomp/qemu-irix.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
qemu-irix/block
History
Jeff Cody 358f0ee234 block: vpc - prevent overflow if max_table_entries >= 0x40000000 
When we allocate the pagetable based on max_table_entries, we multiply
the max table entry value by 4 to accomodate a table of 32-bit integers.
However, max_table_entries is a uint32_t, and the VPC driver accepts
ranges for that entry over 0x40000000.  So during this allocation:

s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);

The size arg overflows, allocating significantly less memory than
expected.

Since qemu_try_blockalign() size argument is size_t, cast the
multiplication correctly to prevent overflow.

The value of "max_table_entries * 4" is used elsewhere in the code as
well, so store the correct value for use in all those cases.

We also check the Max Tables Entries value, to make sure that it is <
SIZE_MAX / 4, so we know the pagetable size will fit in size_t.

Cc: qemu-stable@nongnu.org
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit b15deac795)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
 		2015-07-29 22:16:01 -05:00
..
Makefile.objs block/dmg: support bzip2 block entry types 2015-02-06 17:24:21 +01:00
accounting.c block: add accounting for merged requests 2015-02-06 17:24:21 +01:00
archipelago.c block: remove superfluous '\n' around error_report/error_setg 2015-03-10 08:15:33 +03:00
backup.c qmp: Add command 'blockdev-backup' 2015-01-13 11:47:56 +00:00
blkdebug.c blkdebug: fix "once" rule 2015-03-10 14:02:21 +01:00
blkverify.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
block-backend.c block-backend: Add wrappers for blocksizes and geometry probing 2015-03-10 14:02:22 +01:00
bochs.c block: Use g_new() & friends to avoid multiplying sizes 2014-08-20 11:51:28 +02:00
cloop.c cloop: Handle failure for potentially large allocations 2014-08-15 15:07:15 +02:00
commit.c block: let commit blockjob run in BDS AioContext 2014-11-03 11:41:49 +00:00
curl.c block/curl: Improve type safety of s->timeout. 2014-11-03 11:41:47 +00:00
dmg.c block/dmg: improve zeroes handling 2015-02-06 17:24:21 +01:00
gluster.c block: don't convert file size to sector size 2014-09-12 15:43:06 +02:00
iscsi.c block/iscsi: do not forget to logout from target 2015-07-28 18:08:49 -05:00
linux-aio.c linux-aio: simplify removal of completed iocbs from the list 2014-12-12 16:57:55 +00:00
mirror.c mirror: Do zero write on target if sectors not allocated 2015-07-29 21:46:07 -05:00
nbd-client.c nbd: Set block size to BDRV_SECTOR_SIZE 2015-03-18 12:07:01 +01:00
nbd-client.h nbd: Set block size to BDRV_SECTOR_SIZE 2015-03-18 12:07:01 +01:00
nbd.c nbd: Fix nbd_establish_connection()'s return value 2015-03-18 12:05:38 +01:00
nfs.c block/nfs: limit maximum readahead size to 1MB 2015-07-29 21:46:36 -05:00
null.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
parallels.c block/parallels: fix access to not initialized memory in catalog_bitmap 2014-11-03 09:48:41 +00:00
qapi.c block/qapi: Fix Sparse warning 2015-03-19 11:11:55 +03:00
qcow.c block: fix off-by-one error in qcow and qcow2 2015-02-06 17:24:21 +01:00
qcow2-cache.c block: Give always priority to unused entries in the qcow2 L2 cache 2015-02-06 17:24:22 +01:00
qcow2-cluster.c qcow2: Use 64 bits for refcount values 2015-03-10 14:02:21 +01:00
qcow2-refcount.c qcow2: Flush pending discards before allocating cluster 2015-07-28 18:19:33 -05:00
qcow2-snapshot.c qcow2: fix the macro QCOW_MAX_L1_SIZE's use 2015-03-12 17:41:23 +00:00
qcow2.c qcow2: Fix header update with overridden backing file 2015-04-08 10:29:20 +01:00
qcow2.h qcow2: Set MIN_L2_CACHE_SIZE to 2 2015-07-29 18:26:34 -05:00
qed-check.c block: Use g_new() & friends to avoid multiplying sizes 2014-08-20 11:51:28 +02:00
qed-cluster.c
qed-gencb.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
qed-l2-cache.c
qed-table.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
qed.c qed: check for header size overflow 2015-02-06 17:24:21 +01:00
qed.h qed: Really remove unused field QEDAIOCB.finished 2015-02-06 17:24:21 +01:00
quorum.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
raw-aio.h linux-aio: drop return code from laio_io_unplug and ioq_submit 2014-12-12 16:57:55 +00:00
raw-posix.c raw-posix: Deprecate aio=threads fallback without O_DIRECT 2015-03-19 12:30:56 +01:00
raw-win32.c block: Remove "growable" from BDS 2015-02-16 15:07:19 +00:00
raw_bsd.c block: Add driver methods to probe blocksizes and geometry 2015-03-10 14:02:22 +01:00
rbd.c block/rbd: fix memory leak 2014-12-12 13:16:56 +00:00
sheepdog.c sheepdog: Fix misleading error messages in sd_snapshot_create() 2015-03-10 14:02:24 +01:00
snapshot.c snapshot: add bdrv_drain_all() to bdrv_snapshot_delete() to avoid concurrency problem 2014-11-03 09:48:42 +00:00
ssh.c ssh: Don't crash if either host or path is not specified. 2014-10-03 10:30:33 +01:00
stream.c block: let stream blockjob run in BDS AioContext 2014-11-03 11:41:49 +00:00
vdi.c block/vdi: Add locking for parallel requests 2015-03-10 14:02:24 +01:00
vhdx-endian.c block: VHDX endian fixes 2014-08-15 15:07:14 +02:00
vhdx-log.c block: Drop some superfluous casts from void * 2014-08-20 11:51:28 +02:00
vhdx.c block: vhdx - force FileOffsetMB field to '0' for certain block states 2015-01-23 12:41:32 -05:00
vhdx.h block: vhdx - update PAYLOAD_BLOCK_UNMAPPED value to match 1.00 spec 2014-12-12 15:42:22 +00:00
vmdk.c vmdk: Use vmdk_find_index_in_cluster everywhere 2015-07-29 18:33:01 -05:00
vpc.c block: vpc - prevent overflow if max_table_entries >= 0x40000000 2015-07-29 22:16:01 -05:00
vvfat.c QemuOpts: Drop qemu_opt_set(), rename qemu_opt_set_err(), fix use 2015-02-26 14:49:31 +01:00
win32-aio.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
write-threshold.c block: Fix block-set-write-threshold not to use funky error class 2015-03-16 17:07:25 +01:00