virtio-balloon: fix buffer overflow in memory stats feature
diff mbox

Message ID 20140915140934.17c1bfea@redhat.com
State New
Headers show

Commit Message

Luiz Capitulino Sept. 15, 2014, 6:09 p.m. UTC
When a QMP client changes the polling interval time by setting
the guest-stats-polling-interval property, the interval value
is stored and manipuled as an int64_t variable.

However, the balloon_stats_change_timer() function, which is
used to set the actual timer with the interval value, takes
an int instead, causing an overflow for big interval values.

Fix it.

Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
---
 hw/virtio/virtio-balloon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Eric Blake Sept. 15, 2014, 7:16 p.m. UTC | #1
On 09/15/2014 12:09 PM, Luiz Capitulino wrote:
> When a QMP client changes the polling interval time by setting
> the guest-stats-polling-interval property, the interval value
> is stored and manipuled as an int64_t variable.
> 

s/manipuled/manipulated/

> However, the balloon_stats_change_timer() function, which is
> used to set the actual timer with the interval value, takes
> an int instead, causing an overflow for big interval values.
> 
> Fix it.
> 
> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
> ---
>  hw/virtio/virtio-balloon.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
> index 2c30b3d..9629264 100644
> --- a/hw/virtio/virtio-balloon.c
> +++ b/hw/virtio/virtio-balloon.c
> @@ -87,7 +87,7 @@ static void balloon_stats_destroy_timer(VirtIOBalloon *s)
>      }
>  }
>  
> -static void balloon_stats_change_timer(VirtIOBalloon *s, int secs)
> +static void balloon_stats_change_timer(VirtIOBalloon *s, int64_t secs)
>  {
>      timer_mod(s->stats_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + secs * 1000);

secs * 1000 can still overflow for (really large) values, do we care
about that?
Luiz Capitulino Sept. 15, 2014, 7:33 p.m. UTC | #2
On Mon, 15 Sep 2014 13:16:01 -0600
Eric Blake <eblake@redhat.com> wrote:

> On 09/15/2014 12:09 PM, Luiz Capitulino wrote:
> > When a QMP client changes the polling interval time by setting
> > the guest-stats-polling-interval property, the interval value
> > is stored and manipuled as an int64_t variable.
> > 
> 
> s/manipuled/manipulated/
> 
> > However, the balloon_stats_change_timer() function, which is
> > used to set the actual timer with the interval value, takes
> > an int instead, causing an overflow for big interval values.
> > 
> > Fix it.
> > 
> > Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
> > ---
> >  hw/virtio/virtio-balloon.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
> > index 2c30b3d..9629264 100644
> > --- a/hw/virtio/virtio-balloon.c
> > +++ b/hw/virtio/virtio-balloon.c
> > @@ -87,7 +87,7 @@ static void balloon_stats_destroy_timer(VirtIOBalloon *s)
> >      }
> >  }
> >  
> > -static void balloon_stats_change_timer(VirtIOBalloon *s, int secs)
> > +static void balloon_stats_change_timer(VirtIOBalloon *s, int64_t secs)
> >  {
> >      timer_mod(s->stats_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + secs * 1000);
> 
> secs * 1000 can still overflow for (really large) values, do we care
> about that?

Hmm, good point. I think I could keep the s/int/int64_t change but limit secs
to UINT_MAX for simplicity. I guess we don't expect anyone to set this to
billions of seconds in the future :)
Markus Armbruster Sept. 16, 2014, 7:25 a.m. UTC | #3
Luiz Capitulino <lcapitulino@redhat.com> writes:

> When a QMP client changes the polling interval time by setting
> the guest-stats-polling-interval property, the interval value
> is stored and manipuled as an int64_t variable.
>
> However, the balloon_stats_change_timer() function, which is
> used to set the actual timer with the interval value, takes
> an int instead, causing an overflow for big interval values.
>
> Fix it.
>
> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>

Subject claims buffer overflow, but description suggests integer
overflow.  Which one is it?

[...]
Luiz Capitulino Sept. 16, 2014, 12:34 p.m. UTC | #4
On Tue, 16 Sep 2014 09:25:02 +0200
Markus Armbruster <armbru@redhat.com> wrote:

> Luiz Capitulino <lcapitulino@redhat.com> writes:
> 
> > When a QMP client changes the polling interval time by setting
> > the guest-stats-polling-interval property, the interval value
> > is stored and manipuled as an int64_t variable.
> >
> > However, the balloon_stats_change_timer() function, which is
> > used to set the actual timer with the interval value, takes
> > an int instead, causing an overflow for big interval values.
> >
> > Fix it.
> >
> > Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
> 
> Subject claims buffer overflow, but description suggests integer
> overflow.  Which one is it?

Integer.
Markus Armbruster Sept. 16, 2014, 1:43 p.m. UTC | #5
Luiz Capitulino <lcapitulino@redhat.com> writes:

> On Tue, 16 Sep 2014 09:25:02 +0200
> Markus Armbruster <armbru@redhat.com> wrote:
>
>> Luiz Capitulino <lcapitulino@redhat.com> writes:
>> 
>> > When a QMP client changes the polling interval time by setting
>> > the guest-stats-polling-interval property, the interval value
>> > is stored and manipuled as an int64_t variable.
>> >
>> > However, the balloon_stats_change_timer() function, which is
>> > used to set the actual timer with the interval value, takes
>> > an int instead, causing an overflow for big interval values.
>> >
>> > Fix it.
>> >
>> > Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
>> 
>> Subject claims buffer overflow, but description suggests integer
>> overflow.  Which one is it?
>
> Integer.

Thanks.  If you fix the subject, you can add my R-by.
Luiz Capitulino Sept. 16, 2014, 1:44 p.m. UTC | #6
On Tue, 16 Sep 2014 15:43:14 +0200
Markus Armbruster <armbru@redhat.com> wrote:

> Luiz Capitulino <lcapitulino@redhat.com> writes:
> 
> > On Tue, 16 Sep 2014 09:25:02 +0200
> > Markus Armbruster <armbru@redhat.com> wrote:
> >
> >> Luiz Capitulino <lcapitulino@redhat.com> writes:
> >> 
> >> > When a QMP client changes the polling interval time by setting
> >> > the guest-stats-polling-interval property, the interval value
> >> > is stored and manipuled as an int64_t variable.
> >> >
> >> > However, the balloon_stats_change_timer() function, which is
> >> > used to set the actual timer with the interval value, takes
> >> > an int instead, causing an overflow for big interval values.
> >> >
> >> > Fix it.
> >> >
> >> > Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
> >> 
> >> Subject claims buffer overflow, but description suggests integer
> >> overflow.  Which one is it?
> >
> > Integer.
> 
> Thanks.  If you fix the subject, you can add my R-by.

I've fixed the subject, but I've also added a new hunk to the patch.

Patch
diff mbox

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 2c30b3d..9629264 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -87,7 +87,7 @@  static void balloon_stats_destroy_timer(VirtIOBalloon *s)
     }
 }
 
-static void balloon_stats_change_timer(VirtIOBalloon *s, int secs)
+static void balloon_stats_change_timer(VirtIOBalloon *s, int64_t secs)
 {
     timer_mod(s->stats_timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + secs * 1000);
 }