Adding qemu-trivial in cc. On 2/9/21 9:44 AM, Philippe Mathieu-Daudé wrote: > On 2/9/21 4:23 PM, Eric Blake wrote: >> On Fedora 33, gcc 10.2.1 notes that scsi_cdb_length(buf) can set >> len==-1, which in turn overflows g_malloc(): >> >> [5/5] Linking target qemu-system-x86_64 >> In function ‘scsi_disk_new_request_dump’, >> inlined from ‘scsi_new_request’ at ../hw/scsi/scsi-disk.c:2608:9: >> ../hw/scsi/scsi-disk.c:2582:19: warning: argument 1 value >> ‘18446744073709551612’ exceeds maximum object size 9223372036854775807 >> [-Walloc-size-larger-than=] >> 2582 | line_buffer = g_malloc(len * 5 + 1); >> | ^ >> >> Silence it with a decent assertion, since we only convert a buffer to >> bytes when we have a valid cdb length. >> >> Signed-off-by: Eric Blake <ebl...@redhat.com> >> --- >> hw/scsi/scsi-disk.c | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c >> index ed52fcd49ff0..b3311a5657b7 100644 >> --- a/hw/scsi/scsi-disk.c >> +++ b/hw/scsi/scsi-disk.c >> @@ -2579,6 +2579,7 @@ static void scsi_disk_new_request_dump(uint32_t lun, >> uint32_t tag, uint8_t *buf) >> int len = scsi_cdb_length(buf); >> char *line_buffer, *p; >> >> + assert(len > 0 && len <= 16); >> line_buffer = g_malloc(len * 5 + 1); >> >> for (i = 0, p = line_buffer; i < len; i++) { >> > > Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com> >
-- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org