[Devel] dm: ploop: arithmetic overflow in ploop
Denis V. Lunev
den at virtuozzo.com
Fri May 10 16:09:33 MSK 2024
On 5/10/24 14:54, Alexey Kuznetsov wrote:
> Images of size > 2TB are corrupted!
>
> https://pmc.acronis.work/browse/TTASK-68430
>
> Signed-off-by: Alexey Kuznetsov <kuznet at acronis.com>
> ---
> drivers/md/dm-ploop.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/md/dm-ploop.h b/drivers/md/dm-ploop.h
> index db36687..e693d0e 100644
> --- a/drivers/md/dm-ploop.h
> +++ b/drivers/md/dm-ploop.h
> @@ -317,7 +317,7 @@ static inline void ploop_remap_to_cluster(struct ploop *ploop,
> struct pio *pio, u32 clu)
> {
> pio->bi_iter.bi_sector &= ((1 << ploop->cluster_log) - 1);
> - pio->bi_iter.bi_sector |= (clu << ploop->cluster_log);
> + pio->bi_iter.bi_sector |= ((u64)clu << ploop->cluster_log);
> }
>
> static inline bool ploop_whole_cluster(struct ploop *ploop, struct pio *pio)
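Review bot: the commit message should name the mechanism rather than only the symptom: `clu` is `u32`, so on the `-` line `clu << ploop->cluster_log` is evaluated in 32 bits and the high bits are discarded before the result is widened into the 64-bit `bi_sector`; the `(u64)clu` cast on the `+` line is the right fix. The preceding mask line `pio->bi_iter.bi_sector &= ((1 << ploop->cluster_log) - 1);` has the same 32-bit shape and is only safe while `cluster_log` stays below 31; writing it as `(1ULL << ploop->cluster_log) - 1` would make the two lines consistent and is worth doing in the same patch, together with a look for other shifts of `clu` in the driver.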
This is really an integer overflow. Validated that with the simple
test program.
iris ~ $ cat 1.c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

struct s
{
    uint64_t x;
};

int main()
{
    uint32_t clu = 0x200000, log = 20;
    struct s st = {
        .x = 0,
    };

    /* 32-bit shift: the result is truncated before it is widened into x */
    st.x |= clu << log;
    printf("%" PRIu64 "\n", st.x);

    /* widen first, then shift: all 64 bits of the result are kept */
    st.x |= (uint64_t)clu << log;
    printf("%" PRIu64 "\n", st.x);
    return 0;
}
iris ~ $ ./a.out
0
2199023255552
iris ~ $
The most important question is: do we have other similar
places or not?
Den
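The following is an added example (not code from the thread or from the dm-ploop driver) that generalizes Den's test program: it models the remap in its before and after forms with 64-bit/32-bit stand-ins for `bi_sector` and `clu`, and adds a check that tells, for a given `cluster_log`, which cluster indices the old code mis-remaps. Function names and the 512-byte sector size are assumptions; with that sector size the truncation threshold comes out at 2^32 sectors, which is 2 TiB for any `cluster_log`, matching the ">2TB" symptom in the commit message.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Hypothetical stand-ins for the driver's remap: bi_sector is 64-bit,
 * clu is 32-bit, cluster_log is a shift count in sectors.  The mask is
 * computed as 1ULL so the examples only differ in the second line. */

/* Before the patch: clu << cluster_log is evaluated as a 32-bit value
 * (well-defined unsigned wrap-around) and only then widened. */
static uint64_t remap_before(uint64_t bi_sector, uint32_t clu, uint32_t cluster_log)
{
    bi_sector &= ((1ULL << cluster_log) - 1);
    bi_sector |= (clu << cluster_log);          /* high bits are lost here */
    return bi_sector;
}

/* After the patch: clu is widened to 64 bits before the shift. */
static uint64_t remap_after(uint64_t bi_sector, uint32_t clu, uint32_t cluster_log)
{
    bi_sector &= ((1ULL << cluster_log) - 1);
    bi_sector |= ((uint64_t)clu << cluster_log);
    return bi_sector;
}

/* Smallest cluster index whose shifted value no longer fits in 32 bits,
 * i.e. the first index the old code remaps incorrectly.  Valid for
 * cluster_log < 32. */
static uint64_t first_truncated_clu(uint32_t cluster_log)
{
    return (uint64_t)1 << (32 - cluster_log);
}

/* Byte offset of that first mis-remapped cluster, assuming 512-byte
 * sectors (an assumption of this example).  Always 2^32 sectors = 2 TiB. */
static uint64_t first_truncated_offset_bytes(uint32_t cluster_log)
{
    return (first_truncated_clu(cluster_log) << cluster_log) * 512ULL;
}

/* 1 if the old code would produce a different sector than the fixed code
 * for this (clu, cluster_log) pair; handy when auditing similar sites. */
static int remap_is_truncated(uint32_t clu, uint32_t cluster_log)
{
    return remap_before(0, clu, cluster_log) != remap_after(0, clu, cluster_log);
}

int main(void)
{
    uint32_t cluster_log = 20;               /* same shift as the thread's test */
    uint64_t edge = first_truncated_clu(cluster_log);

    printf("cluster_log=%" PRIu32 ": truncation starts at clu=%" PRIu64
           " (byte offset %" PRIu64 ")\n",
           cluster_log, edge, first_truncated_offset_bytes(cluster_log));

    /* Constructed indices just below and above the threshold. */
    uint32_t probes[] = { (uint32_t)edge - 1, (uint32_t)edge, 0x200000 };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("clu=0x%" PRIx32 " before=%" PRIu64 " after=%" PRIu64 " truncated=%d\n",
               probes[i],
               remap_before(0, probes[i], cluster_log),
               remap_after(0, probes[i], cluster_log),
               remap_is_truncated(probes[i], cluster_log));
    }
    return 0;
}
```

Running it reproduces Den's two numbers for `clu = 0x200000` and shows that, with a 20-bit `cluster_log`, everything from cluster index 4096 upward was being written to the wrong place.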