From: Michael Roth
Subject: [Qemu-devel] [PATCH 19/88] virtio-balloon: fix integer overflow in memory stats feature
Date: Thu, 8 Jan 2015 11:33:23 -0600
From: Luiz Capitulino <address@hidden>
When a QMP client changes the polling interval time by setting
the guest-stats-polling-interval property, the interval value
is stored and manipulated as an int64_t variable.
However, the balloon_stats_change_timer() function, which is
used to set the actual timer with the interval value, takes
an int instead, causing an overflow for big interval values.
This commit fixes this bug by changing balloon_stats_change_timer()
to take an int64_t and also limits the polling interval value
to UINT_MAX to avoid other kinds of overflow.
Signed-off-by: Luiz Capitulino <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
(cherry picked from commit 1f9296b51a26650916a2c4191268bb64057bdc5f)
Signed-off-by: Michael Roth <address@hidden>
---
hw/virtio/virtio-balloon.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 2c30b3d..b5cf7ca 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -87,7 +87,7 @@ static void balloon_stats_destroy_timer(VirtIOBalloon *s)
}
}
-static void balloon_stats_change_timer(VirtIOBalloon *s, int secs)
+static void balloon_stats_change_timer(VirtIOBalloon *s, int64_t secs)
{
timer_mod(s->stats_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + secs *
1000);
}
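Review bot: widening secs to int64_t fixes more than the truncation at the call boundary. In the old signature `secs * 1000` was an int-by-int product, so any interval above INT_MAX / 1000 (about 2,147,483 seconds) overflowed before the int64_t addition ever happened; with an int64_t secs the product is 64-bit and UINT_MAX * 1000 fits. The function now silently relies on the setter's UINT_MAX bound for that to hold, so consider a short comment or an assert(secs <= UINT_MAX) here so a future caller passing an unchecked value cannot reintroduce the overflow.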
@@ -170,6 +170,11 @@ static void balloon_stats_set_poll_interval(Object *obj,
struct Visitor *v,
return;
}
+ if (value > UINT_MAX) {
+ error_setg(errp, "timer value is too big");
+ return;
+ }
+
if (value == s->stats_poll_interval) {
return;
}
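Review bot: the message in `error_setg(errp, "timer value is too big");` does not tell the QMP client what the limit is; since the bound is UINT_MAX, something like `error_setg(errp, "timer value must be at most %u seconds", UINT_MAX)` lets the caller correct the request without reading the source. The bound itself is looser than strictly needed (the real constraint is that value * 1000 fits in an int64_t), but it is easy to document and safe. Placing the check before the `value == s->stats_poll_interval` comparison is right: a rejected value never reaches the stored interval or the timer.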
--
1.9.1
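The overflow the commit message describes is easy to reproduce in isolation. The following C program is an added illustration, not QEMU code: it models the old `int secs` parameter (an int64_t interval narrowed to 32 bits, then multiplied in int arithmetic) beside the fixed path (int64_t throughout, with the UINT_MAX bound from the patch). The clock is a constructed stand-in for qemu_clock_get_ms() so the deadlines are deterministic, and the rejection of negative values is an assumption about the check that sits above the hunk's context lines. Overflow on the old path is detected by a range check rather than performed, because signed overflow is undefined behaviour in C.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL): a fixed
 * "now" in milliseconds so the deadlines below are deterministic. Not QEMU code. */
static int64_t fake_clock_ms(void)
{
    return 1000000;
}

/* Model of what happens when an int64_t interval is passed to the old
 * `int secs` parameter: the value is reduced modulo 2^32 and reinterpreted
 * as a signed 32-bit int (what gcc/clang do). Computed explicitly so the
 * result does not depend on the implementation-defined int64_t -> int cast. */
int truncate_to_int(int64_t value)
{
    uint32_t low = (uint32_t)value;          /* well-defined: modulo 2^32 */
    int64_t t = (int64_t)low;
    if (t > INT_MAX) {
        t -= (int64_t)1 << 32;               /* reinterpret as two's-complement */
    }
    return (int)t;
}

/* True if the pre-fix signature mishandles `value`: either the call boundary
 * drops bits, or the int product `secs * 1000` would exceed INT_MAX, so even
 * values that survive truncation can still overflow. */
bool old_path_overflows(int64_t value)
{
    int secs = truncate_to_int(value);
    if ((int64_t)secs != value) {
        return true;                          /* bits lost at the call boundary */
    }
    return secs > INT_MAX / 1000 || secs < INT_MIN / 1000;
}

/* Post-fix behaviour mirroring the patch: int64_t all the way and a UINT_MAX
 * bound in the setter. Returns the timer deadline in ms, or -1 if rejected. */
int64_t deadline_fixed(int64_t value)
{
    if (value < 0) {
        return -1;                            /* assumed: the setter rejects negatives */
    }
    if (value > UINT_MAX) {
        return -1;                            /* "timer value is too big" */
    }
    /* int64_t arithmetic: UINT_MAX * 1000 (about 4.29e12) fits comfortably. */
    return fake_clock_ms() + value * 1000;
}

int main(void)
{
    /* Constructed sample polling intervals, in seconds. */
    const int64_t samples[] = { 60, 3000000, (int64_t)UINT_MAX, 4294967301LL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t v = samples[i];
        printf("%lld s: old int param sees %d, old path overflows=%d, fixed deadline=%lld\n",
               (long long)v, truncate_to_int(v), (int)old_path_overflows(v),
               (long long)deadline_fixed(v));
    }
    return 0;
}
```

The 3000000-second case (about 35 days) is the one worth noticing: it survives the narrowing to int untouched, yet the old `secs * 1000` still overflows, which is why changing the parameter type, and not only adding the UINT_MAX check, was needed. UINT_MAX itself narrows to -1 on the old path and would have produced a deadline one second in the past.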