summaryrefslogtreecommitdiffstats
path: root/block/cloop.c
Commit message (Collapse)AuthorAgeFilesLines
* cloop: Handle failure for potentially large allocationsKevin Wolf2014-08-151-3/+20
| | | | | | | | | | | | Some code in the block layer makes potentially huge allocations. Failure is not completely unexpected there, so avoid aborting qemu and handle out-of-memory situations gracefully. This patch addresses the allocations in the cloop block driver. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Benoit Canet <benoit@irqsave.net>
* block/cloop: use PRIu32 format specifier for uint32_tStefan Hajnoczi2014-04-231-6/+6
| | | | | | | | | PRIu32 is the format string specifier for uint32_t, let's use it. Variables ->block_size, ->n_blocks, and i are all uint32_t. Suggested-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* block/cloop: fix offsets[] size off-by-oneStefan Hajnoczi2014-04-011-7/+5
| | | | | | | | | | | | | | | | | | | | | | cloop stores the number of compressed blocks in the n_blocks header field. The file actually contains n_blocks + 1 offsets, where the extra offset is the end-of-file offset. The following line in cloop_read_block() results in an out-of-bounds offsets[] access: uint32_t bytes = s->offsets[block_num + 1] - s->offsets[block_num]; This patch allocates and loads the extra offset so that cloop_read_block() works correctly when the last block is accessed. Notice that we must free s->offsets[] unconditionally now since there is always an end-of-file offset. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* block/cloop: refuse images with bogus offsets (CVE-2014-0144)Stefan Hajnoczi2014-04-011-5/+29
| | | | | | | | | | | | | | The offsets[] array allows efficient seeking and tells us the maximum compressed data size. If the offsets are bogus the maximum compressed data size will be unrealistic. This could cause g_malloc() to abort and bogus offsets mean the image is broken anyway. Therefore we should refuse such images. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)Stefan Hajnoczi2014-04-011-0/+9
| | | | | | | | | | | | | | | Limit offsets_size to 512 MB so that: 1. g_malloc() does not abort due to an unreasonable size argument. 2. offsets_size does not overflow the bdrv_pread() int size argument. This limit imposes a maximum image size of 16 TB at 256 KB block size. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)Stefan Hajnoczi2014-04-011-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The following integer overflow in offsets_size can lead to out-of-bounds memory stores when n_blocks has a huge value: uint32_t n_blocks, offsets_size; [...] ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4); [...] s->n_blocks = be32_to_cpu(s->n_blocks); /* read offsets */ offsets_size = s->n_blocks * sizeof(uint64_t); s->offsets = g_malloc(offsets_size); [...] for(i=0;i<s->n_blocks;i++) { s->offsets[i] = be64_to_cpu(s->offsets[i]); offsets_size can be smaller than n_blocks due to integer overflow. Therefore s->offsets[] is too small when the for loop byteswaps offsets. This patch refuses to open files if offsets_size would overflow. Note that changing the type of offsets_size is not a fix since 32-bit hosts still only have 32-bit size_t. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* block/cloop: validate block_size header field (CVE-2014-0144)Stefan Hajnoczi2014-04-011-0/+23
| | | | | | | | | | | | | | Avoid unbounded s->uncompressed_block memory allocation by checking that the block_size header field has a reasonable value. Also enforce the assumption that the value is a non-zero multiple of 512. These constraints conform to cloop 2.639's code so we accept existing image files. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* bdrv: Use "Error" for opening imagesMax Reitz2013-09-121-1/+2
| | | | | | | Add an Error ** parameter to BlockDriver.bdrv_open and BlockDriver.bdrv_file_open to allow more specific error messages. Signed-off-by: Max Reitz <mreitz@redhat.com>
* block: Add options QDict to .bdrv_open()Kevin Wolf2013-03-151-1/+1
| | | | | | | Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* cloop: Fix bdrv_open() error handlingKevin Wolf2013-02-011-10/+19
| | | | | | | | Return -errno instead of -1 on errors. While touching the code, fix a memory leak. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* misc: move include files to include/qemu/Paolo Bonzini2012-12-191-1/+1
| | | | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* block: move include files to include/block/Paolo Bonzini2012-12-191-1/+1
| | | | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* block/cloop: Use g_free instead of freeDong Xu Wang2011-11-041-3/+3
| | | | | | | | | | Fix mismatching allocation and deallocation: g_free should be used to pair with g_malloc. Reviewed-by: Andreas Färber <afaerber@suse.de> Reviewed_by: Ray Wang <raywang@linux.vnet.ibm.com> Signed-off-by: Dong Xu Wang <wdongxu@linux.vnet.ibm.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* block/cloop: Fix coding styleDong Xu Wang2011-11-041-52/+63
| | | | | | | | | Fix coding style in block/cloop.c. Reviewed-by: Andreas Färber <afaerber@suse.de> Reviewed_by: Ray Wang <raywang@linux.vnet.ibm.com> Signed-off-by: Dong Xu Wang <wdongxu@linux.vnet.ibm.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* block: take lock around bdrv_read implementationsPaolo Bonzini2011-10-211-1/+12
| | | | | | | | | | | | | | | | This does the first part of the conversion to coroutines, by wrapping bdrv_read implementations to take the mutex. Drivers that implement bdrv_read rather than bdrv_co_readv can then benefit from asynchronous operation (at least if the underlying protocol supports it, which is not the case for raw-win32), even though they still operate with a bounce buffer. raw-win32 does not need the lock, because it cannot yield. nbd also doesn't probably, but better be safe. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* block: add a CoMutex to synchronous read driversPaolo Bonzini2011-10-211-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The big conversion of bdrv_read/write to coroutines caused the two homonymous callbacks in BlockDriver to become reentrant. It goes like this: 1) bdrv_read is now called in a coroutine, and calls bdrv_read or bdrv_pread. 2) the nested bdrv_read goes through the fast path in bdrv_rw_co_entry; 3) in the common case when the protocol is file, bdrv_co_do_readv calls bdrv_co_readv_em (and from here goes to bdrv_co_io_em), which yields until the AIO operation is complete; 4) if bdrv_read had been called from a bottom half, the main loop is free to iterate again: a device model or another bottom half can then come and call bdrv_read again. This applies to all four of read/write/flush/discard. It would also apply to is_allocated, but it is not used from within coroutines: besides qemu-img.c and qemu-io.c, which operate synchronously, the only user is the monitor. Copy-on-read will introduce a use in the block layer, and will require converting it. The solution is "simply" to convert all drivers to coroutines! We just need to add a CoMutex that is taken around affected operations. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* Use glib memory allocation and free functionsAnthony Liguori2011-08-201-3/+3
| | | | | | qemu_malloc/qemu_free no longer exist after this commit. Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
* cloop: use qemu block APIChristoph Hellwig2010-05-171-14/+12
| | | | | | | | | Use bdrv_pwrite to access the backing device instead of pread, and convert the driver to implementing the bdrv_open method which gives it an already opened BlockDriverState for the underlying device. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* cloop: use preadChristoph Hellwig2010-05-171-15/+17
| | | | | | | | Use pread instead of lseek + read in preparation of using the qemu block API. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* block: Open the underlying image file in generic codeKevin Wolf2010-05-031-1/+1
| | | | | | | | | | | | | | | Format drivers shouldn't need to bother with things like file names, but rather just get an open BlockDriverState for the underlying protocol. This patch introduces this behaviour for bdrv_open implementation. For protocols which need to access the filename to open their file/device/connection/... a new callback bdrv_file_open is introduced which doesn't get an underlying file opened. For now, also some of the more obscure formats use bdrv_file_open because they open() the file themselves instead of using the block.c functions. They need to be fixed in later patches. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* Move block drivers into their own directoryAnthony Liguori2009-05-141-0/+171
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
OpenPOWER on IntegriCloud