From: Lukas Stockner via SeaBIOS Date: Tue, 6 Jun 2023 13:29:52 +0000 (+0200) Subject: virtio-blk: Fix integer overflow for large max IO sizes X-Git-Tag: rel-1.16.3~12 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=cd933454b5e3e1f86379a44b5ae1852c2a01a485;p=seabios.git virtio-blk: Fix integer overflow for large max IO sizes When the maximum IO size supported by the virtio-blk backend is large enough (>= 32MiB for 512B sectors), the computed blk_num_max will overflow. In particular, if it's a multiple of 32MiB, blk_num_max will end up as zero, causing IO requests to fail. This is triggered by e.g. the SPDK virtio-blk vhost-user backend. To fix it, just limit blk_num_max to 65535 before converting to u16. Signed-off-by: Lukas Stockner --- diff --git a/src/hw/virtio-blk.c b/src/hw/virtio-blk.c index e087fe4..137a2c3 100644 --- a/src/hw/virtio-blk.c +++ b/src/hw/virtio-blk.c @@ -92,7 +92,7 @@ virtio_blk_op(struct disk_op_s *op, int write) u16 blk_num_max; if (vdrive->drive.blksize != 0 && max_io_size != 0) - blk_num_max = (u16)(max_io_size / vdrive->drive.blksize); + blk_num_max = (u16) min(max_io_size / vdrive->drive.blksize, 0xffff); else /* default blk_num_max if hardware doesnot advise a proper value */ blk_num_max = 64;
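
Review bot: in the `+` line of the virtio_blk_op hunk, the clamp to 0xffff covers the upper bound, but the quotient can still be zero when max_io_size is non-zero yet smaller than vdrive->drive.blksize, because the guard above it only tests both values for `!= 0`. The commit message says a zero blk_num_max makes IO requests fail, so consider treating a zero quotient like the unadvised case: compute the quotient into a local first, and fall through to the default of 64 when it is zero. A brief comment on the new line saying that 0xffff is the limit because blk_num_max is a u16 would also make the cast and the clamp easier to read together.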