1
Fix CVE-2008-0928 - insufficient block device address range checking
3
Qemu 0.9.1 and earlier does not perform range checks for block device
4
read or write requests, which allows guest host users with root
5
privileges to access arbitrary memory and escape the virtual machine.
7
diff -Nurd qemu-0.9.1.orig/block.c qemu-0.9.1/block.c
8
--- qemu-0.9.1.orig/block.c 2008-03-11 18:22:42.000000000 +0100
9
+++ qemu-0.9.1/block.c 2008-03-11 18:24:56.000000000 +0100
14
+static int bdrv_rd_badreq_sectors(BlockDriverState *bs,
15
+ int64_t sector_num, int nb_sectors)
20
+ nb_sectors > bs->total_sectors ||
21
+ sector_num > bs->total_sectors - nb_sectors;
24
+static int bdrv_rd_badreq_bytes(BlockDriverState *bs,
25
+ int64_t offset, int count)
27
+ int64_t size = bs->total_sectors << SECTOR_BITS;
32
+ offset > size - count;
35
+static int bdrv_wr_badreq_sectors(BlockDriverState *bs,
36
+ int64_t sector_num, int nb_sectors)
38
+ if (sector_num < 0 ||
42
+ if (sector_num > bs->total_sectors - nb_sectors) {
44
+ bs->total_sectors = sector_num + nb_sectors;
51
+static int bdrv_wr_badreq_bytes(BlockDriverState *bs,
52
+ int64_t offset, int count)
54
+ int64_t size = bs->total_sectors << SECTOR_BITS;
59
+ if (offset > size - count) {
61
+ bs->total_sectors = (offset + count + SECTOR_SIZE - 1) >> SECTOR_BITS;
69
static void bdrv_register(BlockDriver *bdrv)
77
+ if (flags & BDRV_O_AUTOGROW)
80
if (flags & BDRV_O_SNAPSHOT) {
81
BlockDriverState *bs1;
85
bs->opaque = qemu_mallocz(drv->instance_size);
86
+ bs->total_sectors = 0; /* driver will set if it does not do getlength */
87
if (bs->opaque == NULL && drv->instance_size > 0)
89
/* Note: for compatibility, we open disk image files as RDWR, and
93
/* call the change callback */
94
+ bs->total_sectors = 0;
95
bs->media_changed = 1;
97
bs->change_cb(bs->change_opaque);
102
+ if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors))
104
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
105
memcpy(buf, bs->boot_sector_data, 512);
111
- if (sector_num < 0)
113
+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
115
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
116
memcpy(bs->boot_sector_data, buf, 512);
120
if (!drv->bdrv_pread)
121
return bdrv_pread_em(bs, offset, buf1, count1);
122
+ if (bdrv_rd_badreq_bytes(bs, offset, count1))
124
return drv->bdrv_pread(bs, offset, buf1, count1);
129
if (!drv->bdrv_pwrite)
130
return bdrv_pwrite_em(bs, offset, buf1, count1);
131
+ if (bdrv_wr_badreq_bytes(bs, offset, count1))
133
return drv->bdrv_pwrite(bs, offset, buf1, count1);
138
if (!drv->bdrv_write_compressed)
140
+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
142
return drv->bdrv_write_compressed(bs, sector_num, buf, nb_sectors);
145
@@ -1109,6 +1177,8 @@
149
+ if (bdrv_rd_badreq_sectors(bs, sector_num, nb_sectors))
152
/* XXX: we assume that nb_sectors == 0 is suppored by the async read */
153
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
154
@@ -1140,6 +1210,8 @@
158
+ if (bdrv_wr_badreq_sectors(bs, sector_num, nb_sectors))
160
if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
161
memcpy(bs->boot_sector_data, buf, 512);
163
diff -Nurd qemu-0.9.1.orig/block.h qemu-0.9.1/block.h
164
--- qemu-0.9.1.orig/block.h 2008-01-06 20:38:42.000000000 +0100
165
+++ qemu-0.9.1/block.h 2008-03-11 18:23:38.000000000 +0100
169
#define BDRV_O_DIRECT 0x0020
170
+#define BDRV_O_AUTOGROW 0x0040 /* Allow backing file to extend when writing past end of file */
173
void bdrv_info(void);
174
diff -Nurd qemu-0.9.1.orig/block_int.h qemu-0.9.1/block_int.h
175
--- qemu-0.9.1.orig/block_int.h 2008-01-06 20:38:42.000000000 +0100
176
+++ qemu-0.9.1/block_int.h 2008-03-11 18:23:38.000000000 +0100
178
int locked; /* if true, the media cannot temporarily be ejected */
179
int encrypted; /* if true, the media is encrypted */
180
int sg; /* if true, the device is a /dev/sg* */
181
+ int autogrow; /* if true, the backing store can auto-extend to allocate new extents */
182
/* event callback when inserting/removing */
183
void (*change_cb)(void *opaque);
185
diff -Nurd qemu-0.9.1.orig/block-qcow2.c qemu-0.9.1/block-qcow2.c
186
--- qemu-0.9.1.orig/block-qcow2.c 2008-01-06 20:38:42.000000000 +0100
187
+++ qemu-0.9.1/block-qcow2.c 2008-03-11 18:23:38.000000000 +0100
189
int len, i, shift, ret;
192
- ret = bdrv_file_open(&s->hd, filename, flags);
193
+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
196
if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))
197
diff -Nurd qemu-0.9.1.orig/block-qcow.c qemu-0.9.1/block-qcow.c
198
--- qemu-0.9.1.orig/block-qcow.c 2008-01-06 20:38:41.000000000 +0100
199
+++ qemu-0.9.1/block-qcow.c 2008-03-11 18:23:38.000000000 +0100
201
int len, i, shift, ret;
204
- ret = bdrv_file_open(&s->hd, filename, flags);
205
+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
208
if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))
209
diff -Nurd qemu-0.9.1.orig/block-vmdk.c qemu-0.9.1/block-vmdk.c
210
--- qemu-0.9.1.orig/block-vmdk.c 2008-01-06 20:38:42.000000000 +0100
211
+++ qemu-0.9.1/block-vmdk.c 2008-03-11 18:23:38.000000000 +0100
213
flags = BDRV_O_RDONLY;
214
fprintf(stderr, "(VMDK) image open: flags=0x%x filename=%s\n", flags, bs->filename);
216
- ret = bdrv_file_open(&s->hd, filename, flags);
217
+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_AUTOGROW);
220
if (bdrv_pread(s->hd, 0, &magic, sizeof(magic)) != sizeof(magic))
221
diff -Nurd qemu-0.9.1.orig/block-vmdk.c.orig qemu-0.9.1/block-vmdk.c.orig
222
--- qemu-0.9.1.orig/block-vmdk.c.orig 1970-01-01 01:00:00.000000000 +0100
223
+++ qemu-0.9.1/block-vmdk.c.orig 2008-01-06 20:38:42.000000000 +0100
226
+ * Block driver for the VMDK format
228
+ * Copyright (c) 2004 Fabrice Bellard
229
+ * Copyright (c) 2005 Filip Navara
231
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
232
+ * of this software and associated documentation files (the "Software"), to deal
233
+ * in the Software without restriction, including without limitation the rights
234
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
235
+ * copies of the Software, and to permit persons to whom the Software is
236
+ * furnished to do so, subject to the following conditions:
238
+ * The above copyright notice and this permission notice shall be included in
239
+ * all copies or substantial portions of the Software.
241
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
242
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
243
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
244
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
245
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
246
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
250
+#include "qemu-common.h"
251
+#include "block_int.h"
253
+#define VMDK3_MAGIC (('C' << 24) | ('O' << 16) | ('W' << 8) | 'D')
254
+#define VMDK4_MAGIC (('K' << 24) | ('D' << 16) | ('M' << 8) | 'V')
259
+ uint32_t disk_sectors;
260
+ uint32_t granularity;
261
+ uint32_t l1dir_offset;
262
+ uint32_t l1dir_size;
263
+ uint32_t file_sectors;
264
+ uint32_t cylinders;
266
+ uint32_t sectors_per_track;
273
+ int64_t granularity;
274
+ int64_t desc_offset;
276
+ int32_t num_gtes_per_gte;
277
+ int64_t rgd_offset;
279
+ int64_t grain_offset;
281
+ char check_bytes[4];
282
+} __attribute__((packed)) VMDK4Header;
284
+#define L2_CACHE_SIZE 16
286
+typedef struct BDRVVmdkState {
287
+ BlockDriverState *hd;
288
+ int64_t l1_table_offset;
289
+ int64_t l1_backup_table_offset;
290
+ uint32_t *l1_table;
291
+ uint32_t *l1_backup_table;
292
+ unsigned int l1_size;
293
+ uint32_t l1_entry_sectors;
295
+ unsigned int l2_size;
296
+ uint32_t *l2_cache;
297
+ uint32_t l2_cache_offsets[L2_CACHE_SIZE];
298
+ uint32_t l2_cache_counts[L2_CACHE_SIZE];
300
+ unsigned int cluster_sectors;
301
+ uint32_t parent_cid;
305
+typedef struct VmdkMetaData {
307
+ unsigned int l1_index;
308
+ unsigned int l2_index;
309
+ unsigned int l2_offset;
313
+typedef struct ActiveBDRVState{
314
+ BlockDriverState *hd; // active image handler
315
+ uint64_t cluster_offset; // current write offset
318
+static ActiveBDRVState activeBDRV;
321
+static int vmdk_probe(const uint8_t *buf, int buf_size, const char *filename)
327
+ magic = be32_to_cpu(*(uint32_t *)buf);
328
+ if (magic == VMDK3_MAGIC ||
329
+ magic == VMDK4_MAGIC)
337
+#define SECTOR_SIZE 512
338
+#define DESC_SIZE 20*SECTOR_SIZE // 20 sectors of 512 bytes each
339
+#define HEADER_SIZE 512 // first sector of 512 bytes
341
+static uint32_t vmdk_read_cid(BlockDriverState *bs, int parent)
343
+ BDRVVmdkState *s = bs->opaque;
344
+ char desc[DESC_SIZE];
346
+ char *p_name, *cid_str;
347
+ size_t cid_str_size;
349
+ /* the descriptor offset = 0x200 */
350
+ if (bdrv_pread(s->hd, 0x200, desc, DESC_SIZE) != DESC_SIZE)
354
+ cid_str = "parentCID";
355
+ cid_str_size = sizeof("parentCID");
358
+ cid_str_size = sizeof("CID");
361
+ if ((p_name = strstr(desc,cid_str)) != 0) {
362
+ p_name += cid_str_size;
363
+ sscanf(p_name,"%x",&cid);
369
+static int vmdk_write_cid(BlockDriverState *bs, uint32_t cid)
371
+ BDRVVmdkState *s = bs->opaque;
372
+ char desc[DESC_SIZE], tmp_desc[DESC_SIZE];
373
+ char *p_name, *tmp_str;
375
+ /* the descriptor offset = 0x200 */
376
+ if (bdrv_pread(s->hd, 0x200, desc, DESC_SIZE) != DESC_SIZE)
379
+ tmp_str = strstr(desc,"parentCID");
380
+ strcpy(tmp_desc, tmp_str);
381
+ if ((p_name = strstr(desc,"CID")) != 0) {
382
+ p_name += sizeof("CID");
383
+ sprintf(p_name,"%x\n",cid);
384
+ strcat(desc,tmp_desc);
387
+ if (bdrv_pwrite(s->hd, 0x200, desc, DESC_SIZE) != DESC_SIZE)
392
+static int vmdk_is_cid_valid(BlockDriverState *bs)
395
+ BDRVVmdkState *s = bs->opaque;
396
+ BlockDriverState *p_bs = s->hd->backing_hd;
400
+ cur_pcid = vmdk_read_cid(p_bs,0);
401
+ if (s->parent_cid != cur_pcid)
410
+static int vmdk_snapshot_create(const char *filename, const char *backing_file)
414
+ char *p_name, *gd_buf, *rgd_buf;
415
+ const char *real_filename, *temp_str;
416
+ VMDK4Header header;
417
+ uint32_t gde_entries, gd_size;
418
+ int64_t gd_offset, rgd_offset, capacity, gt_size;
419
+ char p_desc[DESC_SIZE], s_desc[DESC_SIZE], hdr[HEADER_SIZE];
420
+ char *desc_template =
421
+ "# Disk DescriptorFile\n"
425
+ "createType=\"monolithicSparse\"\n"
426
+ "parentFileNameHint=\"%s\"\n"
428
+ "# Extent description\n"
429
+ "RW %lu SPARSE \"%s\"\n"
431
+ "# The Disk Data Base \n"
435
+ snp_fd = open(filename, O_RDWR | O_CREAT | O_TRUNC | O_BINARY | O_LARGEFILE, 0644);
438
+ p_fd = open(backing_file, O_RDONLY | O_BINARY | O_LARGEFILE);
444
+ /* read the header */
445
+ if (lseek(p_fd, 0x0, SEEK_SET) == -1)
447
+ if (read(p_fd, hdr, HEADER_SIZE) != HEADER_SIZE)
450
+ /* write the header */
451
+ if (lseek(snp_fd, 0x0, SEEK_SET) == -1)
453
+ if (write(snp_fd, hdr, HEADER_SIZE) == -1)
456
+ memset(&header, 0, sizeof(header));
457
+ memcpy(&header,&hdr[4], sizeof(header)); // skip the VMDK4_MAGIC
459
+ ftruncate(snp_fd, header.grain_offset << 9);
460
+ /* the descriptor offset = 0x200 */
461
+ if (lseek(p_fd, 0x200, SEEK_SET) == -1)
463
+ if (read(p_fd, p_desc, DESC_SIZE) != DESC_SIZE)
466
+ if ((p_name = strstr(p_desc,"CID")) != 0) {
467
+ p_name += sizeof("CID");
468
+ sscanf(p_name,"%x",&p_cid);
471
+ real_filename = filename;
472
+ if ((temp_str = strrchr(real_filename, '\\')) != NULL)
473
+ real_filename = temp_str + 1;
474
+ if ((temp_str = strrchr(real_filename, '/')) != NULL)
475
+ real_filename = temp_str + 1;
476
+ if ((temp_str = strrchr(real_filename, ':')) != NULL)
477
+ real_filename = temp_str + 1;
479
+ sprintf(s_desc, desc_template, p_cid, p_cid, backing_file
480
+ , (uint32_t)header.capacity, real_filename);
482
+ /* write the descriptor */
483
+ if (lseek(snp_fd, 0x200, SEEK_SET) == -1)
485
+ if (write(snp_fd, s_desc, strlen(s_desc)) == -1)
488
+ gd_offset = header.gd_offset * SECTOR_SIZE; // offset of GD table
489
+ rgd_offset = header.rgd_offset * SECTOR_SIZE; // offset of RGD table
490
+ capacity = header.capacity * SECTOR_SIZE; // Extent size
492
+ * Each GDE span 32M disk, means:
493
+ * 512 GTE per GT, each GTE points to grain
495
+ gt_size = (int64_t)header.num_gtes_per_gte * header.granularity * SECTOR_SIZE;
498
+ gde_entries = (uint32_t)(capacity / gt_size); // number of gde/rgde
499
+ gd_size = gde_entries * sizeof(uint32_t);
502
+ rgd_buf = qemu_malloc(gd_size);
505
+ if (lseek(p_fd, rgd_offset, SEEK_SET) == -1)
507
+ if (read(p_fd, rgd_buf, gd_size) != gd_size)
509
+ if (lseek(snp_fd, rgd_offset, SEEK_SET) == -1)
511
+ if (write(snp_fd, rgd_buf, gd_size) == -1)
513
+ qemu_free(rgd_buf);
516
+ gd_buf = qemu_malloc(gd_size);
519
+ if (lseek(p_fd, gd_offset, SEEK_SET) == -1)
521
+ if (read(p_fd, gd_buf, gd_size) != gd_size)
523
+ if (lseek(snp_fd, gd_offset, SEEK_SET) == -1)
525
+ if (write(snp_fd, gd_buf, gd_size) == -1)
536
+ qemu_free(rgd_buf);
543
+static void vmdk_parent_close(BlockDriverState *bs)
545
+ if (bs->backing_hd)
546
+ bdrv_close(bs->backing_hd);
549
+int parent_open = 0;
550
+static int vmdk_parent_open(BlockDriverState *bs, const char * filename)
552
+ BDRVVmdkState *s = bs->opaque;
554
+ char desc[DESC_SIZE];
555
+ char parent_img_name[1024];
557
+ /* the descriptor offset = 0x200 */
558
+ if (bdrv_pread(s->hd, 0x200, desc, DESC_SIZE) != DESC_SIZE)
561
+ if ((p_name = strstr(desc,"parentFileNameHint")) != 0) {
563
+ struct stat file_buf;
565
+ p_name += sizeof("parentFileNameHint") + 1;
566
+ if ((end_name = strchr(p_name,'\"')) == 0)
569
+ strncpy(s->hd->backing_file, p_name, end_name - p_name);
570
+ if (stat(s->hd->backing_file, &file_buf) != 0) {
571
+ path_combine(parent_img_name, sizeof(parent_img_name),
572
+ filename, s->hd->backing_file);
574
+ strcpy(parent_img_name, s->hd->backing_file);
577
+ s->hd->backing_hd = bdrv_new("");
578
+ if (!s->hd->backing_hd) {
584
+ if (bdrv_open(s->hd->backing_hd, parent_img_name, BDRV_O_RDONLY) < 0)
592
+static int vmdk_open(BlockDriverState *bs, const char *filename, int flags)
594
+ BDRVVmdkState *s = bs->opaque;
596
+ int l1_size, i, ret;
599
+ // Parent must be opened as RO.
600
+ flags = BDRV_O_RDONLY;
601
+ fprintf(stderr, "(VMDK) image open: flags=0x%x filename=%s\n", flags, bs->filename);
603
+ ret = bdrv_file_open(&s->hd, filename, flags);
606
+ if (bdrv_pread(s->hd, 0, &magic, sizeof(magic)) != sizeof(magic))
609
+ magic = be32_to_cpu(magic);
610
+ if (magic == VMDK3_MAGIC) {
611
+ VMDK3Header header;
613
+ if (bdrv_pread(s->hd, sizeof(magic), &header, sizeof(header)) != sizeof(header))
615
+ s->cluster_sectors = le32_to_cpu(header.granularity);
616
+ s->l2_size = 1 << 9;
617
+ s->l1_size = 1 << 6;
618
+ bs->total_sectors = le32_to_cpu(header.disk_sectors);
619
+ s->l1_table_offset = le32_to_cpu(header.l1dir_offset) << 9;
620
+ s->l1_backup_table_offset = 0;
621
+ s->l1_entry_sectors = s->l2_size * s->cluster_sectors;
622
+ } else if (magic == VMDK4_MAGIC) {
623
+ VMDK4Header header;
625
+ if (bdrv_pread(s->hd, sizeof(magic), &header, sizeof(header)) != sizeof(header))
627
+ bs->total_sectors = le64_to_cpu(header.capacity);
628
+ s->cluster_sectors = le64_to_cpu(header.granularity);
629
+ s->l2_size = le32_to_cpu(header.num_gtes_per_gte);
630
+ s->l1_entry_sectors = s->l2_size * s->cluster_sectors;
631
+ if (s->l1_entry_sectors <= 0)
633
+ s->l1_size = (bs->total_sectors + s->l1_entry_sectors - 1)
634
+ / s->l1_entry_sectors;
635
+ s->l1_table_offset = le64_to_cpu(header.rgd_offset) << 9;
636
+ s->l1_backup_table_offset = le64_to_cpu(header.gd_offset) << 9;
643
+ // try to open parent images, if exist
644
+ if (vmdk_parent_open(bs, filename) != 0)
646
+ // write the CID once after the image creation
647
+ s->parent_cid = vmdk_read_cid(bs,1);
652
+ /* read the L1 table */
653
+ l1_size = s->l1_size * sizeof(uint32_t);
654
+ s->l1_table = qemu_malloc(l1_size);
657
+ if (bdrv_pread(s->hd, s->l1_table_offset, s->l1_table, l1_size) != l1_size)
659
+ for(i = 0; i < s->l1_size; i++) {
660
+ le32_to_cpus(&s->l1_table[i]);
663
+ if (s->l1_backup_table_offset) {
664
+ s->l1_backup_table = qemu_malloc(l1_size);
665
+ if (!s->l1_backup_table)
667
+ if (bdrv_pread(s->hd, s->l1_backup_table_offset, s->l1_backup_table, l1_size) != l1_size)
669
+ for(i = 0; i < s->l1_size; i++) {
670
+ le32_to_cpus(&s->l1_backup_table[i]);
674
+ s->l2_cache = qemu_malloc(s->l2_size * L2_CACHE_SIZE * sizeof(uint32_t));
679
+ qemu_free(s->l1_backup_table);
680
+ qemu_free(s->l1_table);
681
+ qemu_free(s->l2_cache);
682
+ bdrv_delete(s->hd);
686
+static uint64_t get_cluster_offset(BlockDriverState *bs, VmdkMetaData *m_data,
687
+ uint64_t offset, int allocate);
689
+static int get_whole_cluster(BlockDriverState *bs, uint64_t cluster_offset,
690
+ uint64_t offset, int allocate)
692
+ uint64_t parent_cluster_offset;
693
+ BDRVVmdkState *s = bs->opaque;
694
+ uint8_t whole_grain[s->cluster_sectors*512]; // 128 sectors * 512 bytes each = grain size 64KB
696
+ // we will be here if it's first write on non-exist grain(cluster).
697
+ // try to read from parent image, if exist
698
+ if (s->hd->backing_hd) {
699
+ BDRVVmdkState *ps = s->hd->backing_hd->opaque;
701
+ if (!vmdk_is_cid_valid(bs))
704
+ parent_cluster_offset = get_cluster_offset(s->hd->backing_hd, NULL, offset, allocate);
706
+ if (parent_cluster_offset) {
707
+ BDRVVmdkState *act_s = activeBDRV.hd->opaque;
709
+ if (bdrv_pread(ps->hd, parent_cluster_offset, whole_grain, ps->cluster_sectors*512) != ps->cluster_sectors*512)
712
+ //Write grain only into the active image
713
+ if (bdrv_pwrite(act_s->hd, activeBDRV.cluster_offset << 9, whole_grain, sizeof(whole_grain)) != sizeof(whole_grain))
720
+static int vmdk_L2update(BlockDriverState *bs, VmdkMetaData *m_data)
722
+ BDRVVmdkState *s = bs->opaque;
724
+ /* update L2 table */
725
+ if (bdrv_pwrite(s->hd, ((int64_t)m_data->l2_offset * 512) + (m_data->l2_index * sizeof(m_data->offset)),
726
+ &(m_data->offset), sizeof(m_data->offset)) != sizeof(m_data->offset))
728
+ /* update backup L2 table */
729
+ if (s->l1_backup_table_offset != 0) {
730
+ m_data->l2_offset = s->l1_backup_table[m_data->l1_index];
731
+ if (bdrv_pwrite(s->hd, ((int64_t)m_data->l2_offset * 512) + (m_data->l2_index * sizeof(m_data->offset)),
732
+ &(m_data->offset), sizeof(m_data->offset)) != sizeof(m_data->offset))
739
+static uint64_t get_cluster_offset(BlockDriverState *bs, VmdkMetaData *m_data,
740
+ uint64_t offset, int allocate)
742
+ BDRVVmdkState *s = bs->opaque;
743
+ unsigned int l1_index, l2_offset, l2_index;
744
+ int min_index, i, j;
745
+ uint32_t min_count, *l2_table, tmp = 0;
746
+ uint64_t cluster_offset;
751
+ l1_index = (offset >> 9) / s->l1_entry_sectors;
752
+ if (l1_index >= s->l1_size)
754
+ l2_offset = s->l1_table[l1_index];
757
+ for(i = 0; i < L2_CACHE_SIZE; i++) {
758
+ if (l2_offset == s->l2_cache_offsets[i]) {
759
+ /* increment the hit count */
760
+ if (++s->l2_cache_counts[i] == 0xffffffff) {
761
+ for(j = 0; j < L2_CACHE_SIZE; j++) {
762
+ s->l2_cache_counts[j] >>= 1;
765
+ l2_table = s->l2_cache + (i * s->l2_size);
769
+ /* not found: load a new entry in the least used one */
771
+ min_count = 0xffffffff;
772
+ for(i = 0; i < L2_CACHE_SIZE; i++) {
773
+ if (s->l2_cache_counts[i] < min_count) {
774
+ min_count = s->l2_cache_counts[i];
778
+ l2_table = s->l2_cache + (min_index * s->l2_size);
779
+ if (bdrv_pread(s->hd, (int64_t)l2_offset * 512, l2_table, s->l2_size * sizeof(uint32_t)) !=
780
+ s->l2_size * sizeof(uint32_t))
783
+ s->l2_cache_offsets[min_index] = l2_offset;
784
+ s->l2_cache_counts[min_index] = 1;
786
+ l2_index = ((offset >> 9) / s->cluster_sectors) % s->l2_size;
787
+ cluster_offset = le32_to_cpu(l2_table[l2_index]);
789
+ if (!cluster_offset) {
792
+ // Avoid the L2 tables update for the images that have snapshots.
793
+ if (!s->is_parent) {
794
+ cluster_offset = bdrv_getlength(s->hd);
795
+ bdrv_truncate(s->hd, cluster_offset + (s->cluster_sectors << 9));
797
+ cluster_offset >>= 9;
798
+ tmp = cpu_to_le32(cluster_offset);
799
+ l2_table[l2_index] = tmp;
800
+ // Save the active image state
801
+ activeBDRV.cluster_offset = cluster_offset;
802
+ activeBDRV.hd = bs;
804
+ /* First of all we write grain itself, to avoid race condition
805
+ * that may to corrupt the image.
806
+ * This problem may occur because of insufficient space on host disk
807
+ * or inappropriate VM shutdown.
809
+ if (get_whole_cluster(bs, cluster_offset, offset, allocate) == -1)
813
+ m_data->offset = tmp;
814
+ m_data->l1_index = l1_index;
815
+ m_data->l2_index = l2_index;
816
+ m_data->l2_offset = l2_offset;
820
+ cluster_offset <<= 9;
821
+ return cluster_offset;
824
+static int vmdk_is_allocated(BlockDriverState *bs, int64_t sector_num,
825
+ int nb_sectors, int *pnum)
827
+ BDRVVmdkState *s = bs->opaque;
828
+ int index_in_cluster, n;
829
+ uint64_t cluster_offset;
831
+ cluster_offset = get_cluster_offset(bs, NULL, sector_num << 9, 0);
832
+ index_in_cluster = sector_num % s->cluster_sectors;
833
+ n = s->cluster_sectors - index_in_cluster;
834
+ if (n > nb_sectors)
837
+ return (cluster_offset != 0);
840
+static int vmdk_read(BlockDriverState *bs, int64_t sector_num,
841
+ uint8_t *buf, int nb_sectors)
843
+ BDRVVmdkState *s = bs->opaque;
844
+ int index_in_cluster, n, ret;
845
+ uint64_t cluster_offset;
847
+ while (nb_sectors > 0) {
848
+ cluster_offset = get_cluster_offset(bs, NULL, sector_num << 9, 0);
849
+ index_in_cluster = sector_num % s->cluster_sectors;
850
+ n = s->cluster_sectors - index_in_cluster;
851
+ if (n > nb_sectors)
853
+ if (!cluster_offset) {
854
+ // try to read from parent image, if exist
855
+ if (s->hd->backing_hd) {
856
+ if (!vmdk_is_cid_valid(bs))
858
+ ret = bdrv_read(s->hd->backing_hd, sector_num, buf, n);
862
+ memset(buf, 0, 512 * n);
865
+ if(bdrv_pread(s->hd, cluster_offset + index_in_cluster * 512, buf, n * 512) != n * 512)
875
+static int vmdk_write(BlockDriverState *bs, int64_t sector_num,
876
+ const uint8_t *buf, int nb_sectors)
878
+ BDRVVmdkState *s = bs->opaque;
879
+ VmdkMetaData m_data;
880
+ int index_in_cluster, n;
881
+ uint64_t cluster_offset;
882
+ static int cid_update = 0;
884
+ if (sector_num > bs->total_sectors) {
886
+ "(VMDK) Wrong offset: sector_num=0x%" PRIx64
887
+ " total_sectors=0x%" PRIx64 "\n",
888
+ sector_num, bs->total_sectors);
892
+ while (nb_sectors > 0) {
893
+ index_in_cluster = sector_num & (s->cluster_sectors - 1);
894
+ n = s->cluster_sectors - index_in_cluster;
895
+ if (n > nb_sectors)
897
+ cluster_offset = get_cluster_offset(bs, &m_data, sector_num << 9, 1);
898
+ if (!cluster_offset)
901
+ if (bdrv_pwrite(s->hd, cluster_offset + index_in_cluster * 512, buf, n * 512) != n * 512)
903
+ if (m_data.valid) {
904
+ /* update L2 tables */
905
+ if (vmdk_L2update(bs, &m_data) == -1)
912
+ // update CID on the first write every time the virtual disk is opened
914
+ vmdk_write_cid(bs, time(NULL));
921
+static int vmdk_create(const char *filename, int64_t total_size,
922
+ const char *backing_file, int flags)
925
+ VMDK4Header header;
926
+ uint32_t tmp, magic, grains, gd_size, gt_size, gt_count;
927
+ char *desc_template =
928
+ "# Disk DescriptorFile\n"
931
+ "parentCID=ffffffff\n"
932
+ "createType=\"monolithicSparse\"\n"
934
+ "# Extent description\n"
935
+ "RW %lu SPARSE \"%s\"\n"
937
+ "# The Disk Data Base \n"
940
+ "ddb.virtualHWVersion = \"%d\"\n"
941
+ "ddb.geometry.cylinders = \"%lu\"\n"
942
+ "ddb.geometry.heads = \"16\"\n"
943
+ "ddb.geometry.sectors = \"63\"\n"
944
+ "ddb.adapterType = \"ide\"\n";
946
+ const char *real_filename, *temp_str;
948
+ /* XXX: add support for backing file */
949
+ if (backing_file) {
950
+ return vmdk_snapshot_create(filename, backing_file);
953
+ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY | O_LARGEFILE,
957
+ magic = cpu_to_be32(VMDK4_MAGIC);
958
+ memset(&header, 0, sizeof(header));
959
+ header.version = cpu_to_le32(1);
960
+ header.flags = cpu_to_le32(3); /* ?? */
961
+ header.capacity = cpu_to_le64(total_size);
962
+ header.granularity = cpu_to_le64(128);
963
+ header.num_gtes_per_gte = cpu_to_le32(512);
965
+ grains = (total_size + header.granularity - 1) / header.granularity;
966
+ gt_size = ((header.num_gtes_per_gte * sizeof(uint32_t)) + 511) >> 9;
967
+ gt_count = (grains + header.num_gtes_per_gte - 1) / header.num_gtes_per_gte;
968
+ gd_size = (gt_count * sizeof(uint32_t) + 511) >> 9;
970
+ header.desc_offset = 1;
971
+ header.desc_size = 20;
972
+ header.rgd_offset = header.desc_offset + header.desc_size;
973
+ header.gd_offset = header.rgd_offset + gd_size + (gt_size * gt_count);
974
+ header.grain_offset =
975
+ ((header.gd_offset + gd_size + (gt_size * gt_count) +
976
+ header.granularity - 1) / header.granularity) *
977
+ header.granularity;
979
+ header.desc_offset = cpu_to_le64(header.desc_offset);
980
+ header.desc_size = cpu_to_le64(header.desc_size);
981
+ header.rgd_offset = cpu_to_le64(header.rgd_offset);
982
+ header.gd_offset = cpu_to_le64(header.gd_offset);
983
+ header.grain_offset = cpu_to_le64(header.grain_offset);
985
+ header.check_bytes[0] = 0xa;
986
+ header.check_bytes[1] = 0x20;
987
+ header.check_bytes[2] = 0xd;
988
+ header.check_bytes[3] = 0xa;
990
+ /* write all the data */
991
+ write(fd, &magic, sizeof(magic));
992
+ write(fd, &header, sizeof(header));
994
+ ftruncate(fd, header.grain_offset << 9);
996
+ /* write grain directory */
997
+ lseek(fd, le64_to_cpu(header.rgd_offset) << 9, SEEK_SET);
998
+ for (i = 0, tmp = header.rgd_offset + gd_size;
999
+ i < gt_count; i++, tmp += gt_size)
1000
+ write(fd, &tmp, sizeof(tmp));
1002
+ /* write backup grain directory */
1003
+ lseek(fd, le64_to_cpu(header.gd_offset) << 9, SEEK_SET);
1004
+ for (i = 0, tmp = header.gd_offset + gd_size;
1005
+ i < gt_count; i++, tmp += gt_size)
1006
+ write(fd, &tmp, sizeof(tmp));
1008
+ /* compose the descriptor */
1009
+ real_filename = filename;
1010
+ if ((temp_str = strrchr(real_filename, '\\')) != NULL)
1011
+ real_filename = temp_str + 1;
1012
+ if ((temp_str = strrchr(real_filename, '/')) != NULL)
1013
+ real_filename = temp_str + 1;
1014
+ if ((temp_str = strrchr(real_filename, ':')) != NULL)
1015
+ real_filename = temp_str + 1;
1016
+ sprintf(desc, desc_template, time(NULL), (unsigned long)total_size,
1017
+ real_filename, (flags & BLOCK_FLAG_COMPAT6 ? 6 : 4), total_size / (63 * 16));
1019
+ /* write the descriptor */
1020
+ lseek(fd, le64_to_cpu(header.desc_offset) << 9, SEEK_SET);
1021
+ write(fd, desc, strlen(desc));
1027
+static void vmdk_close(BlockDriverState *bs)
1029
+ BDRVVmdkState *s = bs->opaque;
1031
+ qemu_free(s->l1_table);
1032
+ qemu_free(s->l2_cache);
1033
+ bdrv_delete(s->hd);
1034
+ // try to close parent image, if exist
1035
+ vmdk_parent_close(s->hd);
1038
+static void vmdk_flush(BlockDriverState *bs)
1040
+ BDRVVmdkState *s = bs->opaque;
1041
+ bdrv_flush(s->hd);
1044
+BlockDriver bdrv_vmdk = {
1046
+ sizeof(BDRVVmdkState),
1054
+ vmdk_is_allocated,
added
removed
debian/patches/91_security.patch
