aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>2020-12-11 21:39:20 +0300
committerEric Blake <eblake@redhat.com>2021-02-03 08:00:33 -0600
commit4c002cef0e9abe7135d7916c51abce47f7fc1ee2 (patch)
treecd2bfc6b897f859e5c26f9c3b761c540a20f97cf
parent69b55e03f7e65a36eb954d0b7d4698b258df2708 (diff)
downloadqemu-4c002cef0e9abe7135d7916c51abce47f7fc1ee2.zip
qemu-4c002cef0e9abe7135d7916c51abce47f7fc1ee2.tar.gz
qemu-4c002cef0e9abe7135d7916c51abce47f7fc1ee2.tar.bz2
util/iov: make qemu_iovec_init_extended() honest
Actually, we can't extend the io vector in all cases. Handle possible MAX_IOV and size_t overflows. For now add assertion to callers (actually they rely on success anyway) and fix them in the following patch. Add also some additional good assertions to qemu_iovec_init_slice() while being here. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Message-Id: <20201211183934.169161-3-vsementsov@virtuozzo.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com>
-rw-r--r--block/io.c10
-rw-r--r--include/qemu/iov.h2
-rw-r--r--util/iov.c25
3 files changed, 31 insertions, 6 deletions
diff --git a/block/io.c b/block/io.c
index 23abdae..ab953bd 100644
--- a/block/io.c
+++ b/block/io.c
@@ -1680,13 +1680,17 @@ static bool bdrv_pad_request(BlockDriverState *bs,
int64_t *offset, unsigned int *bytes,
BdrvRequestPadding *pad)
{
+ int ret;
+
if (!bdrv_init_padding(bs, *offset, *bytes, pad)) {
return false;
}
- qemu_iovec_init_extended(&pad->local_qiov, pad->buf, pad->head,
- *qiov, *qiov_offset, *bytes,
- pad->buf + pad->buf_len - pad->tail, pad->tail);
+ ret = qemu_iovec_init_extended(&pad->local_qiov, pad->buf, pad->head,
+ *qiov, *qiov_offset, *bytes,
+ pad->buf + pad->buf_len - pad->tail,
+ pad->tail);
+ assert(ret == 0);
*bytes += pad->head + pad->tail;
*offset -= pad->head;
*qiov = &pad->local_qiov;
diff --git a/include/qemu/iov.h b/include/qemu/iov.h
index b6b283a..9330746 100644
--- a/include/qemu/iov.h
+++ b/include/qemu/iov.h
@@ -222,7 +222,7 @@ static inline void *qemu_iovec_buf(QEMUIOVector *qiov)
void qemu_iovec_init(QEMUIOVector *qiov, int alloc_hint);
void qemu_iovec_init_external(QEMUIOVector *qiov, struct iovec *iov, int niov);
-void qemu_iovec_init_extended(
+int qemu_iovec_init_extended(
QEMUIOVector *qiov,
void *head_buf, size_t head_len,
QEMUIOVector *mid_qiov, size_t mid_offset, size_t mid_len,
diff --git a/util/iov.c b/util/iov.c
index f3a9e92..58c7b3e 100644
--- a/util/iov.c
+++ b/util/iov.c
@@ -415,7 +415,7 @@ int qemu_iovec_subvec_niov(QEMUIOVector *qiov, size_t offset, size_t len)
* Compile new iovec, combining @head_buf buffer, sub-qiov of @mid_qiov,
* and @tail_buf buffer into new qiov.
*/
-void qemu_iovec_init_extended(
+int qemu_iovec_init_extended(
QEMUIOVector *qiov,
void *head_buf, size_t head_len,
QEMUIOVector *mid_qiov, size_t mid_offset, size_t mid_len,
@@ -425,12 +425,24 @@ void qemu_iovec_init_extended(
int total_niov, mid_niov = 0;
struct iovec *p, *mid_iov = NULL;
+ assert(mid_qiov->niov <= IOV_MAX);
+
+ if (SIZE_MAX - head_len < mid_len ||
+ SIZE_MAX - head_len - mid_len < tail_len)
+ {
+ return -EINVAL;
+ }
+
if (mid_len) {
mid_iov = qiov_slice(mid_qiov, mid_offset, mid_len,
&mid_head, &mid_tail, &mid_niov);
}
total_niov = !!head_len + mid_niov + !!tail_len;
+ if (total_niov > IOV_MAX) {
+ return -EINVAL;
+ }
+
if (total_niov == 1) {
qemu_iovec_init_buf(qiov, NULL, 0);
p = &qiov->local_iov;
@@ -459,6 +471,8 @@ void qemu_iovec_init_extended(
p->iov_base = tail_buf;
p->iov_len = tail_len;
}
+
+ return 0;
}
/*
@@ -492,7 +506,14 @@ bool qemu_iovec_is_zero(QEMUIOVector *qiov, size_t offset, size_t bytes)
void qemu_iovec_init_slice(QEMUIOVector *qiov, QEMUIOVector *source,
size_t offset, size_t len)
{
- qemu_iovec_init_extended(qiov, NULL, 0, source, offset, len, NULL, 0);
+ int ret;
+
+ assert(source->size >= len);
+ assert(source->size - len >= offset);
+
+ /* We shrink the request, so we can't overflow neither size_t nor MAX_IOV */
+ ret = qemu_iovec_init_extended(qiov, NULL, 0, source, offset, len, NULL, 0);
+ assert(ret == 0);
}
void qemu_iovec_destroy(QEMUIOVector *qiov)