Bug 2040609

Summary: the libnbd OCaml bindings map C's "uint32_t" type to OCaml's "int32" type
Product: Red Hat Enterprise Linux 9 Reporter: Laszlo Ersek <lersek>
Component: libnbdAssignee: Laszlo Ersek <lersek>
Status: CLOSED DUPLICATE QA Contact: Vera <vwu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: lersek, mxie, rjones, tyan, virt-maint, vwu, xiaodwan
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-01-14 10:15:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2027598    

Description Laszlo Ersek 2022-01-14 08:46:07 UTC 
* Description of problem:
The 



* Version-Release number of selected component (if applicable):
libnbd-1.10.2-1.el9

* How reproducible:
Dependent on the guest disk image being copied with virt-v2v, if there is a segment >= 2GiB in size with identical block allocation status, NBD.block_status will return an entry with negative "length" in the entries array.

* Steps to Reproduce:
Refer to <https://bugzilla.redhat.com/show_bug.cgi?id=2027598#c61> and onwards.

* Actual results:
Refer to <https://bugzilla.redhat.com/show_bug.cgi?id=2027598#c40> and onwards -- the "Utils.get_disk_allocated" function in virt-v2v, which is supposed to make progress in every interation of its loop, will go backwards on occasion, and decay into an infinite loop.

* Expected results:
The OCaml bindings should faithfully represent uint32_t values >= 0x8000_0000. More closely, "Utils.get_disk_allocated" in virt-v2v should always terminate.

* Additional info:
(1) This is arguably a (mild) security bug, but our analysis in <https://bugzilla.redhat.com/show_bug.cgi?id=2027598#c61> is already public.

(2) The same issue exists for C's uint64_t <-> OCaml's int64 -- this is in fact a bug (or limitation) in OCaml's type system. We can't do anything about that, at the moment, as there is no OCaml type we could widen uint64_t to. (At least we can widen C's uint32_t to OCaml's int64.)
Comment 1 Richard W.M. Jones 2022-01-14 10:15:38 UTC 

*** This bug has been marked as a duplicate of bug 2040610 ***