[ Cc: qemu-block ]

On 06.11.2024 at 09:04, Dmitry Frolov wrote:
> The sum "cluster_index + count" may overflow uint32_t.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Dmitry Frolov <fro...@swemel.ru>
Thanks, applied to the block branch.

While trying to check if this can be triggered in practice, I found this line in parallels_fill_used_bitmap():

    s->used_bmap_size = DIV_ROUND_UP(payload_bytes, s->cluster_size);

s->used_bmap_size is unsigned long, payload_bytes is the int64_t result of bdrv_getlength() for the image file, which could certainly be made more than 4 GB * cluster_size. I think we need an overflow check there, too.

When allocate_clusters() calculates new_usedsize, it doesn't seem to consider the overflow case either.

Denis, can you take a look?

Kevin
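Added example, not QEMU's code and not part of the thread above: it shows the truncation Kevin describes when the cluster count from DIV_ROUND_UP(payload_bytes, cluster_size) is stored in a 32-bit unsigned long, a checked variant that rejects counts that do not fit the destination, and the same kind of check for the cluster_index + count sum from Dmitry's patch. The function names (clusters_needed, used_bmap_size_unchecked32, used_bmap_size_checked, cluster_range_end_checked), the DIV_ROUND_UP definition and the sample image geometry are assumptions made for illustration; only the identifiers DIV_ROUND_UP, used_bmap_size, payload_bytes and cluster_size come from the thread.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed stand-in for QEMU's DIV_ROUND_UP so the example is self-contained;
 * this is not the project's own macro definition.
 */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Exact cluster count in 64-bit arithmetic. Assumes the caller has already
 * validated payload_bytes >= 0 and cluster_size > 0. */
uint64_t clusters_needed(int64_t payload_bytes, uint32_t cluster_size)
{
    /* (uint64_t)INT64_MAX + UINT32_MAX - 1 still fits in uint64_t, so no wrap here. */
    return ((uint64_t)payload_bytes + cluster_size - 1) / cluster_size;
}

/*
 * What the unchecked assignment does when the destination is 32 bits wide
 * (unsigned long is 32-bit on 32-bit hosts and on Win64): the high bits of
 * the cluster count are silently dropped.
 */
uint32_t used_bmap_size_unchecked32(int64_t payload_bytes, uint32_t cluster_size)
{
    return (uint32_t)DIV_ROUND_UP(payload_bytes, cluster_size);
}

/*
 * Checked variant. dest_bits is the width of the field the result is stored
 * in (sizeof(unsigned long) * 8 on a real host). Returns 0 and stores the
 * count in *out (if out is non-NULL), -EINVAL for invalid input, or -EFBIG
 * when the count does not fit the destination.
 */
int used_bmap_size_checked(int64_t payload_bytes, uint32_t cluster_size,
                           unsigned dest_bits, uint64_t *out)
{
    uint64_t clusters, limit;

    if (payload_bytes < 0 || cluster_size == 0 || dest_bits == 0 || dest_bits > 64) {
        return -EINVAL;
    }
    clusters = clusters_needed(payload_bytes, cluster_size);
    limit = dest_bits == 64 ? UINT64_MAX : (((uint64_t)1 << dest_bits) - 1);
    if (clusters > limit) {
        return -EFBIG;
    }
    if (out) {
        *out = clusters;
    }
    return 0;
}

/*
 * The pattern from the patch itself: cluster_index + count must not wrap in
 * uint32_t. Returns 0 and the end index via *out (if non-NULL), or -ERANGE
 * if the sum does not fit in 32 bits.
 */
int cluster_range_end_checked(uint32_t cluster_index, uint32_t count, uint64_t *out)
{
    if (count > UINT32_MAX - cluster_index) {
        return -ERANGE;
    }
    if (out) {
        *out = (uint64_t)cluster_index + count;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: 1 MiB clusters and a 4 TiB payload, which needs
     * exactly 2^32 clusters, one more than a 32-bit field can represent. */
    const uint32_t cluster_size = 1u << 20;
    const int64_t payload_bytes = (int64_t)1 << 52;
    uint64_t n = 0;

    printf("exact clusters:        %llu\n",
           (unsigned long long)clusters_needed(payload_bytes, cluster_size));
    printf("truncated to 32 bits:  %u\n",
           used_bmap_size_unchecked32(payload_bytes, cluster_size));
    printf("checked (32-bit dest): %d\n",
           used_bmap_size_checked(payload_bytes, cluster_size, 32, &n));
    printf("checked (64-bit dest): %d, n=%llu\n",
           used_bmap_size_checked(payload_bytes, cluster_size, 64, &n),
           (unsigned long long)n);
    printf("range check:           %d\n",
           cluster_range_end_checked(0xFFFFFFF0u, 0x20u, NULL));
    return 0;
}
```

The checked function takes the destination width as a parameter only so the 32-bit case can be exercised on a 64-bit host; in real code the limit would be derived from the type of the field being assigned.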