path: root/block/vvfat.c
Date | Commit message | Author
2012-05-30 | block: prevent snapshot mode $TMPDIR symlink attack | Jim Meyering

In snapshot mode, bdrv_open creates an empty temporary file without checking for mkstemp or close failure, and ignoring the possibility of a buffer overrun given a surprisingly long $TMPDIR. Change the get_tmp_filename function to return int (not void), so that it can inform its two callers of those failures. Also avoid the risk of buffer overrun and do not ignore mkstemp or close failure. Update both callers (in block.c and vvfat.c) to propagate temp-file-creation failure to their callers.

get_tmp_filename creates and closes an empty file, while its callers later open that presumed-existing file with O_CREAT. The problem was that a malicious user could provoke mkstemp failure and race to create a symlink with the selected temporary file name, thus causing the qemu process (usually root owned) to open through the symlink, overwriting an attacker-chosen file.

This addresses CVE-2012-2652. http://bugzilla.redhat.com/CVE-2012-2652

Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
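The race described in this commit message, and the checks the fix adds, as an added C example. This is not QEMU's code: the function names get_tmp_filename_checked, reopen_tmp, simulate_symlink_race and run_scenario, the vl.XXXXXX template, /dev/null standing in for the attacker-chosen target, and the use of O_NOFOLLOW on the reopen are this example's own assumptions, not what the patch does. The patch's own remedy is the int return value and its propagation; O_NOFOLLOW is shown here as the extra check a practitioner would want for the remaining window between mkstemp's close and the reopen.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Hardened shape of the temp-file helper described above (example code, not
 * QEMU's own): returns 0 on success and -errno on failure, so callers can stop
 * instead of blindly reopening a name that was never created. The snprintf
 * length check is what prevents the long-$TMPDIR overrun.
 */
int get_tmp_filename_checked(char *filename, size_t size)
{
    const char *tmpdir = getenv("TMPDIR");
    int fd, n;

    if (tmpdir == NULL || *tmpdir == '\0') {
        tmpdir = "/tmp";
    }
    n = snprintf(filename, size, "%s/vl.XXXXXX", tmpdir);  /* template assumed */
    if (n < 0 || (size_t)n >= size) {
        return -EOVERFLOW;   /* would have truncated: refuse rather than guess */
    }
    fd = mkstemp(filename);  /* creates the file O_EXCL with mode 0600 */
    if (fd < 0) {
        return -errno;       /* e.g. ENOENT when $TMPDIR does not exist */
    }
    if (close(fd) != 0) {
        int saved = errno;
        unlink(filename);
        return -saved;
    }
    return 0;
}

/*
 * The callers later reopen the name with O_CREAT. follow_symlinks=1 mimics
 * that original reopen; follow_symlinks=0 adds O_NOFOLLOW, so a symlink
 * planted at the name fails with ELOOP instead of opening its target.
 * Returns an fd or -errno.
 */
int reopen_tmp(const char *filename, int follow_symlinks)
{
    int flags = O_RDWR | O_CREAT | (follow_symlinks ? 0 : O_NOFOLLOW);
    int fd = open(filename, flags, 0600);
    return fd < 0 ? -errno : fd;
}

/*
 * The attacker's move: win the race so the chosen name is free, plant a
 * symlink to 'victim' there, then let the reopen happen. Returns what
 * reopen_tmp() returned; the symlink is removed again before returning.
 */
int simulate_symlink_race(const char *tmpname, const char *victim,
                          int follow_symlinks)
{
    int r;

    unlink(tmpname);
    if (symlink(victim, tmpname) != 0) {
        return -errno;
    }
    r = reopen_tmp(tmpname, follow_symlinks);
    if (r >= 0) {
        close(r);
    }
    unlink(tmpname);
    return r;
}

/* Whole scenario; returns 0 when every step behaves as described, otherwise
 * the number of the first step that did not. */
int run_scenario(void)
{
    char name[PATH_MAX], tiny[8];

    if (get_tmp_filename_checked(name, sizeof(name)) != 0) return 1;
    if (access(name, F_OK) != 0) return 2;
    /* original reopen: follows the planted symlink and opens the victim */
    if (simulate_symlink_race(name, "/dev/null", 1) < 0) return 3;
    /* hardened reopen: the planted symlink is refused with ELOOP */
    if (simulate_symlink_race(name, "/dev/null", 0) != -ELOOP) return 4;
    /* long-$TMPDIR case: a too-small buffer is rejected, not overrun */
    if (get_tmp_filename_checked(tiny, sizeof(tiny)) != -EOVERFLOW) return 5;
    return 0;
}

int main(void)
{
    int step = run_scenario();
    if (step != 0) {
        fprintf(stderr, "step %d did not behave as expected: %s\n",
                step, strerror(errno));
        return 1;
    }
    puts("symlink race reproduced; O_NOFOLLOW and the -errno return stop it");
    return 0;
}
```

The two reopen variants make the point concrete: with the original flags the open succeeds against /dev/null (any writable target would do), with O_NOFOLLOW it fails with ELOOP. The ENOENT path (mkstemp failing because $TMPDIR does not exist) is the condition the commit message says an attacker can provoke; with the int return the caller now sees it and never reaches the reopen.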
2012-05-10 | block: fix snapshot on QED | Paolo Bonzini

QED's opaque data includes a pointer back to the BlockDriverState. This breaks when bdrv_append shuffles data between bs_new and bs_top. To avoid this, add a "rebind" function that tells the driver about the new relationship between the BlockDriverState and its opaque.

The patch also adds rebind to VVFAT for completeness, even though it is not used with live snapshots.

Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2012-01-13 | vvfat: avoid leaking file descriptor in commit_one_file() | Stefan Hajnoczi

Reported-by: Dr David Alan Gilbert <davidagilbert@uk.ibm.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>

2011-12-05 | vvfat: convert to .bdrv_co_is_allocated() | Stefan Hajnoczi

It is trivial to switch from the synchronous .bdrv_is_allocated() interface to .bdrv_co_is_allocated() since vvfat_is_allocated() does not block.

Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2011-11-23 | vvfat: Add migration blocker | Kevin Wolf

vvfat caches more or less everything when in writable mode. For migration to work, it would have to be invalidated. Block migration for now when in writable mode (default is readonly).

Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2011-11-11 | vvfat: Fix read-write mode | Kevin Wolf

vvfat used to directly call into the qcow2 block driver instead of using the block.c wrappers. With the coroutine conversion, this stopped working.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
2011-11-04 | vvfat: reorganize computation of disk geometry | Paolo Bonzini

First determine FAT12/16/32, then compute geometry from that for both FDD and HDD. For 1.44MB floppies, and 2.88MB floppies using FAT16, change to 1 sector/cluster. The default remains 2.88MB with FAT12 and 2 sectors/cluster. Both DOS and mkdosfs by default format a 2.88MB floppy as FAT12.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2011-11-04 | vvfat: do not hardcode sector counts in error message | Paolo Bonzini

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2011-11-04 | vvfat: unify and correct computation of sector count | Paolo Bonzini

The sector count is stored in the partition and hence must not include the sectors before its start. At the same time, remove the useless special casing for 1.44 MB floppies. This fixes fsck on VVFAT hard disks, which otherwise tries to seek past the end of the disk.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2011-11-04 | vvfat: need to use first_sectors_number to distinguish fdd/hdd | Paolo Bonzini

This is consistent with what "real" floppies have, so file(1) now actually recognizes the VVFAT image as a 1.44 MB floppy.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2011-11-04 | vvfat: do not fail if the disk has spare sectors | Paolo Bonzini

If the number of "faked sectors" + the number of sectors that are part of a cluster does not sum up to the total number of sectors, qemu-img convert fails. Read these spare sectors as all zeros.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2011-11-04 | vvfat: fix out of bounds array_get usage | Paolo Bonzini

When reading the address of the first free entry, you cannot use array_get without first marking all entries as occupied. This is visible if you change the sectors per cluster on a floppy from 2 to 1.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-10-21 | block: take lock around bdrv_write implementations | Paolo Bonzini

This does the first part of the conversion to coroutines, by wrapping bdrv_write implementations to take the mutex. Drivers that implement bdrv_write rather than bdrv_co_writev can then benefit from asynchronous operation (at least if the underlying protocol supports it, which is not the case for raw-win32), even though they still operate with a bounce buffer.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2011-10-21 | block: take lock around bdrv_read implementations | Paolo Bonzini

This does the first part of the conversion to coroutines, by wrapping bdrv_read implementations to take the mutex. Drivers that implement bdrv_read rather than bdrv_co_readv can then benefit from asynchronous operation (at least if the underlying protocol supports it, which is not the case for raw-win32), even though they still operate with a bounce buffer.

raw-win32 does not need the lock, because it cannot yield. nbd also doesn't probably, but better be safe.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2011-10-21 | block: add a CoMutex to synchronous read drivers | Paolo Bonzini

The big conversion of bdrv_read/write to coroutines caused the two homonymous callbacks in BlockDriver to become reentrant. It goes like this:

1) bdrv_read is now called in a coroutine, and calls bdrv_read or bdrv_pread.
2) the nested bdrv_read goes through the fast path in bdrv_rw_co_entry;
3) in the common case when the protocol is file, bdrv_co_do_readv calls bdrv_co_readv_em (and from here goes to bdrv_co_io_em), which yields until the AIO operation is complete;
4) if bdrv_read had been called from a bottom half, the main loop is free to iterate again: a device model or another bottom half can then come and call bdrv_read again.

This applies to all four of read/write/flush/discard. It would also apply to is_allocated, but it is not used from within coroutines: besides qemu-img.c and qemu-io.c, which operate synchronously, the only user is the monitor. Copy-on-read will introduce a use in the block layer, and will require converting it.

The solution is "simply" to convert all drivers to coroutines! We just need to add a CoMutex that is taken around affected operations.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2011-10-11 | vvfat: Fix potential buffer overflow | Kevin Wolf

path2[PATH_MAX] can be used for the null termination, so make the array big enough to allow this.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2011-10-11 | block/vvfat: Remove unused code | Stefan Weil

The unused code was detected using cppcheck.

Cc: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Weil <weil@mail.berlios.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2011-10-11 | block/vvfat: Fix potential memory leaks and other memory errors | Stefan Weil

cppcheck reported memory leaks and mismatched g_malloc() with free() instead of g_free(). Fix these errors.

Cc: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Weil <weil@mail.berlios.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2011-09-16 | Remove blanks before \n in output strings | Stefan Weil

Those blanks violate the coding conventions, see scripts/checkpatch.pl. Blanks missing after colons in the changed lines were added. This patch does not try to fix tabs, long lines and other problems in the changed lines, therefore checkpatch.pl reports many violations.

Signed-off-by: Stefan Weil <weil@mail.berlios.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

2011-09-03 | Use new macro QEMU_PACKED for packed structures | Stefan Weil

Most changes were made using these commands:

git grep -la '__attribute__((packed))'|xargs perl -pi -e 's/__attribute__\(\(packed\)\)/QEMU_PACKED/'
git grep -la '__attribute__ ((packed))'|xargs perl -pi -e 's/__attribute__ \(\(packed\)\)/QEMU_PACKED/'
git grep -la '__attribute__((__packed__))'|xargs perl -pi -e 's/__attribute__\(\(__packed__\)\)/QEMU_PACKED/'
git grep -la '__attribute__ ((__packed__))'|xargs perl -pi -e 's/__attribute__ \(\(__packed__\)\)/QEMU_PACKED/'
git grep -la '__attribute((packed))'|xargs perl -pi -e 's/__attribute\(\(packed\)\)/QEMU_PACKED/'

Whitespace in linux-user/syscall_defs.h was fixed manually to avoid warnings from scripts/checkpatch.pl. Manual changes were also applied to hw/pc.c. I did not fix indentation with tabs in block/vvfat.c. The patch will show 4 errors with scripts/checkpatch.pl.

Signed-off-by: Stefan Weil <weil@mail.berlios.de>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

2011-08-20 | Use glib memory allocation and free functions | Anthony Liguori

qemu_malloc/qemu_free no longer exist after this commit.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2011-01-12 | vvfat: fix a file descriptor leak | Blue Swirl

Fix a file descriptor leak, reported by cppcheck:

[/src/qemu/block/vvfat.c:759]: (error) Resource leak: dir

Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

2010-10-03 | block/vvfat: Fix compiler warning in debug code | Stefan Weil

Fix this compiler warning:

./block/vvfat.c:2285: error: comparison of unsigned expression >= 0 is always true

Cc: Blue Swirl <blauwirbel@gmail.com>
Cc: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Weil <weil@mail.berlios.de>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

2010-09-21 | vvfat: Use cache=unsafe | Kevin Wolf

The qcow file used for write support in vvfat is a temporary file, so we can use cache=unsafe there. Without this, write support is just too slow to be of any use.

Signed-off-by: Kevin Wolf <mail@kevin-wolf.de>

2010-09-21 | vvfat: Fix double free for opening the image rw | Kevin Wolf

Allocation and deallocation of bs->opaque is not in the control of a block driver. Therefore it should not set bs->opaque to a data structure used by another bs, or closing the image will lead to a double free.

Signed-off-by: Kevin Wolf <mail@kevin-wolf.de>

2010-09-21 | vvfat: Fix segfault on write to read-only disk | Kevin Wolf

vvfat tries to set the readonly flag in its open function, but nowadays this is overwritten with the readonly=... command line option. Check in bdrv_write if the vvfat was opened read-only and return an error in this case. Without this check, vvfat tries to access the qcow bs, which is NULL without enabled write support.

Signed-off-by: Kevin Wolf <mail@kevin-wolf.de>

2010-08-30 | vvfat: fat_chksum(): fix access above array bounds | Loïc Minier

Signed-off-by: Loïc Minier <loic.minier@linaro.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2010-05-21 | vvfat: More build fixes with DEBUG | Kevin Wolf

Casting a pointer to an int doesn't work on 64 bit platforms. Use the %p printf conversion specifier instead.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2010-05-21 | vvfat: Fix compilation with DEBUG defined | Riccardo Magliocchetti

gcc does not like passing a NULL where an int value is expected:

block/vvfat.c: In function 'checkpoint':
block/vvfat.c:2868: error: passing argument 2 of 'remove_mapping' makes integer from pointer without a cast

Signed-off-by: Riccardo Magliocchetti <riccardo.magliocchetti@gmail.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2010-05-03 | block: Open the underlying image file in generic code | Kevin Wolf

Format drivers shouldn't need to bother with things like file names, but rather just get an open BlockDriverState for the underlying protocol. This patch introduces this behaviour for bdrv_open implementation. For protocols which need to access the filename to open their file/device/connection/... a new callback bdrv_file_open is introduced which doesn't get an underlying file opened.

For now, also some of the more obscure formats use bdrv_file_open because they open() the file themselves instead of using the block.c functions. They need to be fixed in later patches.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2010-04-25 | Fix dead initialization, spotted by clang analyzer | Blue Swirl

Fix clang warnings:

/src/qemu/block/vvfat.c:1102:9: warning: Value stored to 'index3' during its initialization is never read
int index3=index1+1;
/src/qemu/cmd.c:290:15: warning: Value stored to 'p' during its initialization is never read
char *p = result;

Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

2010-04-23 | Replace calls of old bdrv_open | Kevin Wolf

What is known today as bdrv_open2 becomes the new bdrv_open. All remaining callers of the old function are converted to the new one. In some places they even know the right format, so they should have used bdrv_open2 from the beginning.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>

2010-03-18 | Replace assert(0) with abort() or cpu_abort() | Blue Swirl

When building with -DNDEBUG, assert(0) will not stop execution so it must not be used for abnormal termination. Use cpu_abort() when in CPU context, abort() otherwise.

Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

2010-03-13 | Fix build with -DNDEBUG in CFLAGS | Blue Swirl

Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
2010-02-10 | don't dereference NULL after failed strdup | Jim Meyering

Most of these are obvious NULL-deref bug fixes, for example, the ones in these files:

block/curl.c
net.c
slirp/misc.c

and the first one in block/vvfat.c. The others in block/vvfat.c may not lead to an immediate segfault, but I traced the two schedule_rename(..., strdup(path)) uses, and a failed strdup would appear to trigger this assertion in handle_renames_and_mkdirs:

assert(commit->path);

The conversion to use qemu_strdup in envlist_to_environ is not technically needed, but does avoid a theoretical leak in the caller when strdup fails for one value, but later succeeds in allocating another buffer (plausible, if one string length is much larger than the others). The caller does not know the length of the returned list, and as such can only free pointers until it hits the first NULL. If there are non-NULL pointers beyond the first, their buffers would be leaked. This one is admittedly far-fetched.

The two in linux-user/main.c are worth fixing to ensure that an OOM error is diagnosed up front, rather than letting it provoke some harder-to-diagnose secondary error, in case of exec failure, or worse, in case the exec succeeds but with an invalid list of command line options. However, considering how unlikely it is to encounter a failed strdup early in main, this isn't a big deal.

Note that adding the required uses of qemu_strdup here and in envlist.c induce link failures because qemu_strdup is not currently in any library they're linked with. So for now, I've omitted those changes, as well as the fixes in target-i386/helper.c and target-sparc/helper.c.

If you'd like to see the above discussion (or anything else) in the commit log, just let me know and I'll be happy to adjust.

From 9af42864fd1ea666bd25e2cecfdfae74c20aa8c7 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@redhat.com>
Date: Mon, 8 Feb 2010 18:29:29 +0100
Subject: [PATCH] don't dereference NULL after failed strdup

Handle failing strdup by replacing each use with qemu_strdup, so as not to dereference NULL or trigger a failing assertion.

* block/curl.c (curl_open): s/\bstrdup\b/qemu_strdup/
* block/vvfat.c (init_directories): Likewise.
(get_cluster_count_for_direntry, check_directory_consistency): Likewise.
* net.c (parse_host_src_port): Likewise.
* slirp/misc.c (fork_exec): Likewise.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2010-01-26 | Ask for read-write permissions when opening files | Naphtali Sprei

Found some places that seems needs this explicitly, now that read-write is not the default.

Signed-off-by: Naphtali Sprei <nsprei@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

2010-01-26 | block/vvfat.c: fix warnings with _FORTIFY_SOURCE | Kirill A. Shutemov

CC block/vvfat.o
cc1: warnings being treated as errors
block/vvfat.c: In function 'commit_one_file':
block/vvfat.c:2259: error: ignoring return value of 'ftruncate', declared with attribute warn_unused_result
make: *** [block/vvfat.o] Error 1

CC block/vvfat.o
In file included from /usr/include/stdio.h:912,
                 from ./qemu-common.h:19,
                 from block/vvfat.c:27:
In function 'snprintf',
    inlined from 'init_directories' at block/vvfat.c:871,
    inlined from 'vvfat_open' at block/vvfat.c:1068:
/usr/include/bits/stdio2.h:65: error: call to __builtin___snprintf_chk will always overflow destination buffer
make: *** [block/vvfat.o] Error 1

Signed-off-by: Kirill A. Shutemov <kirill@shutemov.name>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2009-10-01 | Revert "Get rid of _t suffix" | Anthony Liguori

In the very least, a change like this requires discussion on the list. The naming convention is goofy and it causes a massive merge problem. Something like this _must_ be presented on the list first so people can provide input and cope with it.

This reverts commit 99a0949b720a0936da2052cb9a46db04ffc6db29.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

2009-10-01 | Get rid of _t suffix | malc

Some not so obvious bits, slirp and Xen were left alone for the time being.

Signed-off-by: malc <av1474@comtv.ru>

2009-09-30 | vvfat: fix coding style nit | Michael S. Tsirkin

Put space between = and & when taking a pointer, to avoid confusion with old-style "&=".

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

2009-05-28 | vvfat: one more missing BlockDriver C99 initializer conversion | Christoph Hellwig

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

2009-05-27 | Drop bdrv_create2 | Kevin Wolf

This patch converts the remaining users of bdrv_create2 to bdrv_create and removes the now unused function.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

2009-05-22 | Convert all block drivers to new bdrv_create | Kevin Wolf

Now we can make use of the newly introduced option structures. Instead of having bdrv_create carry more and more parameters (which are format specific in most cases), just pass a option structure as defined by the driver itself.

bdrv_create2() contains an emulation of the old interface to simplify the transition.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

2009-05-14 | Move block drivers into their own directory | Anthony Liguori

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>