From patchwork Fri Sep  6 11:12:28 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Michael Tokarev <mjt@tls.msk.ru>
X-Patchwork-Id: 825940
Delivered-To: patch@linaro.org
Received: by 2002:adf:a345:0:b0:367:895a:4699 with SMTP id d5csp747050wrb;
 Fri, 6 Sep 2024 04:22:03 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AJvYcCX03HH7m4fjtB2OQ/HeWhR8hMiYW4wEnG6NJgUht8UlKE+IEhzidowEHH7IYI724h8yH6tIUg==@linaro.org
X-Google-Smtp-Source: AGHT+IHu9V1LvpNhgDnKLGfC+5RLLB784Tx7Hm8ysKyOPhXoIMa79CQqRvgpPACUjDqEPTGaQYGw
X-Received: by 2002:a05:622a:44d:b0:454:f3d6:39c with SMTP id
 d75a77b69052e-4580c66bcb2mr22381971cf.7.1725621723725;
 Fri, 06 Sep 2024 04:22:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1725621723; cv=none;
 d=google.com; s=arc-20240605;
 b=Nhv/7HpNer/4aZJNaifWVQPRcNJBsxKUau6rLQfK8/93SgI9VOFs9Qm6m4toIdqfl5
 HcKtq4z36ewuhRLVPbrpmQWxQlk7g1lHYYRB+YnO8GkzNDX9DUljkQqtx54YC6POg3ox
 SCBigOy3oy4wmeQdPG0xVXQ1B1Mgww+HVitdDINNvmC+CWeTvVcOVRrfCtHIIuYwDi67
 IJHGcJ6MCT5lGiG2FFmTnmfVGYahuTQ2bAbqBXCOznAtPKJ5xYv3BEJ+x3LZ41ioFG3X
 U8VqBG3bEuucmQTIM9O/nKhHbhyeUKkoUdiy10hX2aAA6qQkrvi8e8VhZv61ckfDBC59
 p/sA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
 h=sender:errors-to:list-subscribe:list-help:list-post:list-archive
 :list-unsubscribe:list-id:precedence:content-transfer-encoding
 :mime-version:references:in-reply-to:message-id:date:subject:cc:to
 :from; bh=HFNFS5E5vdT1ugmx69GOxmDydAY7UrIB8MP+W/uaw6A=;
 fh=OJ0ls6GFiMU4hHpJ98tlecWoPYidhilmxQvB4+9yVtk=;
 b=Mbr5IOc6frUSegVk04khZPS4QFIfrNBMCgWXB877TucHkRZDii0+44+dXsAu4pYhHW
 Ti30uFuzWnnstM2p9mUUGBRqW1nALt0S4rltiIFfHhFh37Hq/llzxuC5xt/UnRD26vZY
 YtSPrSBviBTDj4v/AZHabbd09Ho6UuOdmgslIP0MdCK9mr55P8zK4+JNSXEdzko4WR4B
 FvYpuen32LzhiYZEapb2rHyenusgPKgrjZfh+3SPNzBpxw9HROrluZ2czxkmUfnal8uN
 kQDGz//8CTHbUsBbDiJznK+Hzr29PXW3clQ5F1F+oSI4w1i6uptt46XA4L6HizYJRxyn
 YOAw==; dara=google.com
ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender)
 smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"
Return-Path: <qemu-devel-bounces+patch=linaro.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org. [209.51.188.17])
 by mx.google.com with ESMTPS id
 d75a77b69052e-45809c85d1csi28766021cf.347.2024.09.06.04.22.03
 for <patch@linaro.org>
 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
 Fri, 06 Sep 2024 04:22:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender) client-ip=209.51.188.17;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as
 permitted sender)
 smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"
Received: from localhost ([::1] helo=lists1p.gnu.org)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <qemu-devel-bounces@nongnu.org>)
 id 1smWvO-0005vH-Vi; Fri, 06 Sep 2024 07:14:47 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mjt@tls.msk.ru>)
 id 1smWvM-0005ff-BT; Fri, 06 Sep 2024 07:14:44 -0400
Received: from isrv.corpit.ru ([86.62.121.231])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mjt@tls.msk.ru>)
 id 1smWvJ-0007ku-Ug; Fri, 06 Sep 2024 07:14:43 -0400
Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2])
 by isrv.corpit.ru (Postfix) with ESMTP id AD7C38C483;
 Fri,  6 Sep 2024 14:12:07 +0300 (MSK)
Received: from tls.msk.ru (mjt.wg.tls.msk.ru [192.168.177.130])
 by tsrv.corpit.ru (Postfix) with SMTP id B92A11336ED;
 Fri,  6 Sep 2024 14:13:25 +0300 (MSK)
Received: (nullmailer pid 353601 invoked by uid 1000);
 Fri, 06 Sep 2024 11:13:24 -0000
From: Michael Tokarev <mjt@tls.msk.ru>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell <peter.maydell@linaro.org>,
 =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Stefan Hajnoczi <stefanha@redhat.com>, Michael Tokarev <mjt@tls.msk.ru>
Subject: [Stable-9.0.3 19/69] util/async.c: Forbid negative min/max in
 aio_context_set_thread_pool_params()
Date: Fri,  6 Sep 2024 14:12:28 +0300
Message-Id: <20240906111324.353230-19-mjt@tls.msk.ru>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <qemu-stable-9.0.3-20240906141259@cover.tls.msk.ru>
References: <qemu-stable-9.0.3-20240906141259@cover.tls.msk.ru>
MIME-Version: 1.0
Received-SPF: pass client-ip=86.62.121.231; envelope-from=mjt@tls.msk.ru;
 helo=isrv.corpit.ru
X-Spam_score_int: -68
X-Spam_score: -6.9
X-Spam_bar: ------
X-Spam_report: (-6.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org

From: Peter Maydell <peter.maydell@linaro.org>

aio_context_set_thread_pool_params() takes two int64_t arguments to
set the minimum and maximum number of threads in the pool.  We do
some bounds checking on these, but we don't catch the case where the
inputs are negative.  This means that later in the function when we
assign these inputs to the AioContext::thread_pool_min and
::thread_pool_max fields, which are of type int, the values might
overflow the smaller type.

A negative number of threads is meaningless, so make
aio_context_set_thread_pool_params() return an error if either min or
max are negative.

Resolves: Coverity CID 1547605
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240723150927.1396456-1-peter.maydell@linaro.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 851495571d14fe2226c52b9d423f88a4f5460836)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/util/async.c b/util/async.c
index 0467890052..3e3e4fc712 100644
--- a/util/async.c
+++ b/util/async.c
@@ -746,7 +746,7 @@ void aio_context_set_thread_pool_params(AioContext *ctx, int64_t min,
                                         int64_t max, Error **errp)
 {
 
-    if (min > max || !max || min > INT_MAX || max > INT_MAX) {
+    if (min > max || max <= 0 || min < 0 || min > INT_MAX || max > INT_MAX) {
         error_setg(errp, "bad thread-pool-min/thread-pool-max values");
         return;
     }