On Fri, May 13, 2022 at 04:57:45PM +0100, Alberto Faria wrote:
> For consistency with other I/O functions, and in preparation to
> implement bdrv_{pread,pwrite}() using generated_co_wrapper.
>
> unsigned int fits in int64_t, so all callers remain correct.
However, future callers that pass in something larger than unsigned int... > +++ b/include/block/block_int-io.h > @@ -56,7 +56,7 @@ int coroutine_fn bdrv_co_pwritev_part(BdrvChild *child, > QEMUIOVector *qiov, size_t qiov_offset, BdrvRequestFlags flags); > > static inline int coroutine_fn bdrv_co_pread(BdrvChild *child, > - int64_t offset, unsigned int bytes, void *buf, BdrvRequestFlags flags) > + int64_t offset, int64_t bytes, void *buf, BdrvRequestFlags flags) > { > QEMUIOVector qiov = QEMU_IOVEC_INIT_BUF(qiov, buf, bytes); ...now end up calling QEMU_IOVEC_INIT_BUF() which tries to do .local_iov.iov_len = bytes, which can silently overflow on 32-bit platforms where iov_len is size_t. We need to add a code guard that callers do not pass in too large of a buffer. > IO_CODE(); > @@ -65,7 +65,7 @@ static inline int coroutine_fn bdrv_co_pread(BdrvChild > *child, > } > > static inline int coroutine_fn bdrv_co_pwrite(BdrvChild *child, > - int64_t offset, unsigned int bytes, const void *buf, BdrvRequestFlags > flags) > + int64_t offset, int64_t bytes, const void *buf, BdrvRequestFlags flags) > { > QEMUIOVector qiov = QEMU_IOVEC_INIT_BUF(qiov, buf, bytes); Here as well. -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org
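Review bot: in the bdrv_co_pread() hunk, `bytes` is widened to int64_t and then handed straight to `QEMU_IOVEC_INIT_BUF(qiov, buf, bytes)`, so a value that does not fit size_t (anything negative, or anything above SIZE_MAX on a 32-bit host) is silently truncated when it is stored into iov_len; put a guard in front of the qiov construction, e.g. `assert(bytes >= 0 && bytes <= SIZE_MAX);`, or fail the request with an error return, so an oversized caller is caught rather than turned into a short read. The commit message's "unsigned int fits in int64_t, so all callers remain correct" only covers the existing callers; the new upper bound on `bytes` is worth stating there too.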
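Review bot: the bdrv_co_pwrite() hunk has the identical unguarded flow, `int64_t bytes` passed into `QEMU_IOVEC_INIT_BUF(qiov, buf, bytes)` with no range check, so it needs the same bound check as bdrv_co_pread(); keep the two wrappers consistent (same assertion or same error path in both) so a reader does not have to wonder why one of them validates `bytes` and the other does not.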
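The truncation Eric describes, and the kind of guard the thread asks for, as an added stand-alone example (not QEMU code and not part of this mail). Since most build machines are 64-bit, the 32-bit host is modelled with a hypothetical `struct iovec32` whose `iov_len` is a `uint32_t`, standing in for a 32-bit `size_t`; `unguarded_iov_len()` mirrors the bare `iov_len = bytes` store, and `bytes_fit_size_t()` / `guarded_iov_len()` are the assumed guard, parameterised on the target's SIZE_MAX so the same check can be exercised for both widths:

```c
/* Added example, not QEMU code: an int64_t byte count stored into a
 * narrower size_t is silently truncated; a range check before the store
 * turns that into a loud failure.  A 32-bit host is modelled with a
 * uint32_t length field so the effect is visible on a 64-bit build. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for struct iovec on a 32-bit host, where
 * iov_len is a 32-bit size_t. */
typedef uint32_t size32_t;

struct iovec32 {
    void *iov_base;
    size32_t iov_len;
};

/* Unguarded pattern: int64_t is implicitly converted to the narrower
 * unsigned type, dropping the high bits and wrapping negative values. */
static size32_t unguarded_iov_len(int64_t bytes)
{
    struct iovec32 iov = { .iov_base = NULL, .iov_len = bytes };
    return iov.iov_len;
}

/* The guard: a byte count is representable as size_t only if it is
 * non-negative and no larger than that type's SIZE_MAX. */
static bool bytes_fit_size_t(int64_t bytes, uint64_t size_max)
{
    return bytes >= 0 && (uint64_t)bytes <= size_max;
}

/* Guarded version of the same store: refuse instead of truncating, so
 * the caller never builds an iovec with a length it did not ask for. */
static bool guarded_iov_len(int64_t bytes, size32_t *out)
{
    if (!bytes_fit_size_t(bytes, UINT32_MAX)) {
        return false;
    }
    *out = (size32_t)bytes;
    return true;
}

int main(void)
{
    /* Constructed inputs: a sane size, SIZE_MAX+1, a value with bits
     * both above and below 32, and a negative count. */
    int64_t cases[] = { 4096, (int64_t)UINT32_MAX + 1,
                        INT64_C(0x100000010), -1 };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        size32_t len = 0;
        bool ok = guarded_iov_len(cases[i], &len);
        printf("bytes=%lld unguarded iov_len=%u guarded=%s\n",
               (long long)cases[i], unguarded_iov_len(cases[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

On the modelled 32-bit host, SIZE_MAX+1 stores as 0, 0x100000010 stores as 16 and -1 stores as 4294967295, each without any diagnostic; with the check in place all three are rejected before the iovec is built, while the same 0x100000000 request is accepted when the check is run against a 64-bit SIZE_MAX.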