From: Egor Makrushin <emakrushin@astralinux.ru>
Date: Wed, 20 Dec 2023 12:38:08 +0000 (+0300)
Subject: conf: fix integer overflow in virDomainControllerDefParseXML
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=c3a8d049803f30bde56090124b025a5a99fcdeb4;p=libvirt.git

conf: fix integer overflow in virDomainControllerDefParseXML

Multiplication results in integer overflow.
Thus, replace it with ULLONG_MAX and change
def->opts.pciopts.pcihole64size type to ULL.
Update variable usage according to new type.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Egor Makrushin <emakrushin@astralinux.ru>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
---

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 58a985fc5d..82672b30a0 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -8523,7 +8523,7 @@ virDomainControllerDefParseXML(virDomainXMLOption *xmlopt,
             unsigned long long bytes;
             if ((rc = virParseScaledValue("./pcihole64", NULL,
                                           ctxt, &bytes, 1024,
-                                          1024ULL * ULONG_MAX, false)) < 0)
+                                          ULLONG_MAX, false)) < 0)
                 return NULL;
 
             if (rc == 1)
@@ -23123,8 +23123,8 @@ virDomainControllerDefFormat(virBuffer *buf,
 
     if (def->type == VIR_DOMAIN_CONTROLLER_TYPE_PCI &&
         def->opts.pciopts.pcihole64) {
-        virBufferAsprintf(&childBuf, "<pcihole64 unit='KiB'>%lu</"
-                          "pcihole64>\n", def->opts.pciopts.pcihole64size);
+        virBufferAsprintf(&childBuf, "<pcihole64 unit='KiB'>%llu</pcihole64>\n",
+                          def->opts.pciopts.pcihole64size);
     }
 
     virXMLFormatElement(buf, "controller", &attrBuf, &childBuf);
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 0c5e2636e1..14901b37ba 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -707,7 +707,7 @@ struct _virDomainVirtioSerialOpts {
 
 struct _virDomainPCIControllerOpts {
     bool pcihole64;
-    unsigned long pcihole64size;
+    unsigned long long pcihole64size;
 
     /* the exact controller name is in the "model" subelement, e.g.:
      * <controller type='pci' model='pcie-root-port'>
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 54fb8220e8..b45a5e4f80 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -6211,7 +6211,7 @@ qemuBuildGlobalControllerCommandLine(virCommand *cmd,
             }
 
             virCommandAddArg(cmd, "-global");
-            virCommandAddArgFormat(cmd, "%s.pci-hole64-size=%luK", hoststr,
+            virCommandAddArgFormat(cmd, "%s.pci-hole64-size=%lluK", hoststr,
                                    cont->opts.pciopts.pcihole64size);
         }
     }