[Qemu-devel] [PATCH 19/88] virtio-balloon: fix integer overflow in memory stats feature

[Michael Roth]

From: Luiz Capitulino <address@hidden>

When a QMP client changes the polling interval time by setting
the guest-stats-polling-interval property, the interval value
is stored and manipulated as an int64_t variable.

However, the balloon_stats_change_timer() function, which is
used to set the actual timer with the interval value, takes
an int instead, causing an overflow for big interval values.

This commit fix this bug by changing balloon_stats_change_timer()
to take an int64_t and also it limits the polling interval value
to UINT_MAX to avoid other kinds of overflow.

Signed-off-by: Luiz Capitulino <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
(cherry picked from commit 1f9296b51a26650916a2c4191268bb64057bdc5f)
Signed-off-by: Michael Roth <address@hidden>
---
 hw/virtio/virtio-balloon.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 2c30b3d..b5cf7ca 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -87,7 +87,7 @@ static void balloon_stats_destroy_timer(VirtIOBalloon *s)
     }
 }
 
-static void balloon_stats_change_timer(VirtIOBalloon *s, int secs)
+static void balloon_stats_change_timer(VirtIOBalloon *s, int64_t secs)
 {
     timer_mod(s->stats_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + secs * 
1000);
 }
@@ -170,6 +170,11 @@ static void balloon_stats_set_poll_interval(Object *obj, 
struct Visitor *v,
         return;
     }
 
+    if (value > UINT_MAX) {
+        error_setg(errp, "timer value is too big");
+        return;
+    }
+
     if (value == s->stats_poll_interval) {
         return;
     }
-- 
1.9.1