+-- On Mon, 18 Jan 2021, Paolo Bonzini wrote --+
| s->nb_sectors is in units of 512B, so the limit would be 4TB. The purpose
| is to limit the lba and nb_sectors arguments (which are in 2048B units) of
| ide_atapi_cmd_read_{dma,pio} to INT_MAX.
* If it's for IDE_CD type, does the patch below look okay?
===
diff --git a/hw/ide/core.c b/hw/ide/core.c
index b49e4cfbc6..034c84b350 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -1169,7 +1169,7 @@ static void ide_cd_change_cb(void *opaque, bool load,
Error **errp)
s->tray_open = !load;
blk_get_geometry(s->blk, &nb_sectors);
- s->nb_sectors = nb_sectors;
+ s->nb_sectors = nb_sectors & (uint64_t)INT_MAX << 2;
/*
* First indicate to the guest that a CD has been removed. That's
@@ -2530,6 +2530,7 @@ int ide_init_drive(IDEState *s, BlockBackend *blk,
IDEDriveKind kind,
s->smart_errors = 0;
s->smart_selftest_count = 0;
if (kind == IDE_CD) {
+ s->nb_sectors &= (uint64_t)INT_MAX << 2;
blk_set_dev_ops(blk, &ide_cd_block_ops, s);
blk_set_guest_block_size(blk, 2048);
===
* Isn't 4TB limit more for IDE_CD type? Maybe UINT32_MAX?
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
