From patchwork Fri Sep 6 05:15:58 2024
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 825897
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Stefan Hajnoczi, Michael Tokarev
Subject: [Stable-7.2.14 10/40] util/async.c: Forbid negative min/max in aio_context_set_thread_pool_params()
Date: Fri, 6 Sep 2024 08:15:58 +0300
Message-Id: <20240906051633.10288-10-mjt@tls.msk.ru>

From: Peter Maydell

aio_context_set_thread_pool_params() takes two int64_t arguments to
set the minimum and maximum number of threads in the pool. We do
some bounds checking on these, but we don't catch the case where
the inputs are negative. This means that later in the function
when we assign these inputs to the AioContext::thread_pool_min and
::thread_pool_max fields, which are of type int, the values might
overflow the smaller type.

A negative number of threads is meaningless, so make
aio_context_set_thread_pool_params() return an error if either min
or max are negative.

Resolves: Coverity CID 1547605
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20240723150927.1396456-1-peter.maydell@linaro.org
Signed-off-by: Stefan Hajnoczi
(cherry picked from commit 851495571d14fe2226c52b9d423f88a4f5460836)
Signed-off-by: Michael Tokarev
diff --git a/util/async.c b/util/async.c index a1f07fc5a7..0cc3037e0c 100644 --- a/util/async.c +++ b/util/async.c @@ -744,7 +744,7 @@ void aio_context_set_thread_pool_params(AioContext *ctx, int64_t min, int64_t max, Error **errp) { - if (min > max || !max || min > INT_MAX || max > INT_MAX) { + if (min > max || max <= 0 || min < 0 || min > INT_MAX || max > INT_MAX) { error_setg(errp, "bad thread-pool-min/thread-pool-max values"); return; }
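
Review bot: The single error_setg() string "bad thread-pool-min/thread-pool-max values" in the util/async.c hunk now stands for five separate rejections (min > max, max <= 0, min < 0, min > INT_MAX, max > INT_MAX), so a caller who passes a negative value cannot tell which bound was violated. Consider stating the accepted range in the message or in a comment above the check: 0 <= min <= max and 1 <= max <= INT_MAX. A smaller point on the same line: min > INT_MAX is already implied by min > max combined with max > INT_MAX, so it is harmless but redundant; keeping it is fine if the intent is to make each narrowing guard explicit before the later assignment to the int fields.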