Hi,
On 13/11/24 20:16, Peter Xu wrote:
From: Dmitry Frolov <fro...@swemel.ru>
stat64_add() takes uint64_t as 2nd argument, but both
"p->next_packet_size" and "p->packet_len" are uint32_t.
Thus, their sum may overflow uint32_t.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Frolov <fro...@swemel.ru>
Link: https://lore.kernel.org/r/20241113140509.325732-2-fro...@swemel.ru
Signed-off-by: Peter Xu <pet...@redhat.com>
---
migration/multifd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/migration/multifd.c b/migration/multifd.c
index 4374e14a96..498e71fd10 100644
--- a/migration/multifd.c
+++ b/migration/multifd.c
@@ -623,7 +623,7 @@ static void *multifd_send_thread(void *opaque)
}
stat64_add(&mig_stats.multifd_bytes,
- p->next_packet_size + p->packet_len);
+ (uint64_t)p->next_packet_size + p->packet_len);
I am not familiar with this area, but quickly looking I can't
find a code path accepting 4GiB payload, so IMHO this hypothetical
case is not unreachable. My 2 cents (I'm not objecting to this
"silence this warning" patch).
p->next_packet_size = 0;
multifd_set_payload_type(p->data, MULTIFD_PAYLOAD_NONE);
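Review bot: the single cast in the `+` line is sufficient as written, because casting only p->next_packet_size to uint64_t promotes p->packet_len through the usual arithmetic conversions, so the addition is performed in 64 bits instead of being truncated to uint32_t before it is widened to stat64_add()'s uint64_t parameter; the commit message, however, only says the sum "may overflow" and does not say whether a multifd packet can actually reach that size, so it would help to state whether this fixes a reachable counter error or is a hardening change that silences the SVACE finding, as the reply above suggests.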