From: Ian Jackson Date: Fri, 23 May 2008 17:43:27 +0000 (+0100) Subject: Fix COW extendability for vulnerability fix. X-Git-Tag: xen-3.3.0-rc1~181^2^2 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=ab29271f0917d276245388f4016633bbe0c67f65;p=qemu-xen-4.5-testing.git Fix COW extendability for vulnerability fix. (Thanks to report from Daniel Berrange. Corresponds to my email to xen-devel of 2008-02-27 Subject: Re: [Xen-devel] [PATCH] ioemu block device extent checks.)
---
diff --git a/block-qcow.c b/block-qcow.c
index 0ac2b42b4..63daaad3e 100644
--- a/block-qcow.c
+++ b/block-qcow.c
@@ -95,7 +95,7 @@ static int qcow_open(BlockDriverState *bs, const char *filename, int flags)
 int len, i, shift, ret;
 QCowHeader header;
- ret = bdrv_file_open(&s->hd, filename, flags);
+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_EXTENDABLE);
 if (ret < 0)
 return ret;
 if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))
diff --git a/block-qcow2.c b/block-qcow2.c
index 577210b21..eebc26032 100644
--- a/block-qcow2.c
+++ b/block-qcow2.c
@@ -191,7 +191,7 @@ static int qcow_open(BlockDriverState *bs, const char *filename, int flags)
 int len, i, shift, ret;
 QCowHeader header;
- ret = bdrv_file_open(&s->hd, filename, flags);
+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_EXTENDABLE);
 if (ret < 0)
 return ret;
 if (bdrv_pread(s->hd, 0, &header, sizeof(header)) != sizeof(header))
diff --git a/block-raw-posix.c b/block-raw-posix.c
index 6b0009e56..050683624 100644
--- a/block-raw-posix.c
+++ b/block-raw-posix.c
@@ -923,4 +923,6 @@ BlockDriver bdrv_host_device = {
 .bdrv_set_locked = raw_set_locked,
 /* generic scsi device */
 .bdrv_ioctl = raw_ioctl,
+
+ .bdrv_flags = BLOCK_DRIVER_FLAG_EXTENDABLE
 };
diff --git a/block-raw-win32.c b/block-raw-win32.c
index 43d3f6c4c..77d1936b8 100644
--- a/block-raw-win32.c
+++ b/block-raw-win32.c
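Review bot: qcow_open in block-qcow.c ORs in `BDRV_O_EXTENDABLE` on every open, and the same line appears in qcow_open in block-qcow2.c and in vmdk_open in block-vmdk.c, where the context line just above it sets `flags = BDRV_O_RDONLY`. Because the block.c hunk of this commit makes an extendable state skip the request range checks as a whole, `s->hd` is then accessed without them even when the image cannot grow. I would add the flag only when the image is opened for writing and state the invariant at each call site, for example `/* s->hd may grow on write; requests on it are no longer range-checked, so offsets taken from image metadata must be validated here */`. All three function bodies start and continue outside their hunks.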
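Review bot: In block-raw-posix.c the new `.bdrv_flags` entry lands in the initializer that the hunk header names as `bdrv_host_device`, and no other driver definition receives the flag in this commit. bdrv_open2 in block.c now returns -ENOSYS when BDRV_O_EXTENDABLE is requested from a driver lacking BLOCK_DRIVER_FLAG_EXTENDABLE, and the qcow, qcow2 and vmdk openers always request it. If plain image files are served by a different raw driver defined elsewhere in this file (not visible in the hunk), opening any such image would start to fail, and that driver would need `.bdrv_flags = BLOCK_DRIVER_FLAG_EXTENDABLE` as well. The initializer begins outside the hunk, and the block-raw-win32.c hunk has the same shape.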
@@ -545,4 +545,6 @@ BlockDriver bdrv_host_device = {
 .bdrv_pread = raw_pread,
 .bdrv_pwrite = raw_pwrite,
 .bdrv_getlength = raw_getlength,
+
+ .bdrv_flags = BLOCK_DRIVER_FLAG_EXTENDABLE;
 };
diff --git a/block-vmdk.c b/block-vmdk.c
index 9b5fb7346..e70dae30e 100644
--- a/block-vmdk.c
+++ b/block-vmdk.c
@@ -378,7 +378,7 @@ static int vmdk_open(BlockDriverState *bs, const char *filename, int flags)
 flags = BDRV_O_RDONLY;
 fprintf(stderr, "(VMDK) image open: flags=0x%x filename=%s\n", flags, bs->filename);
- ret = bdrv_file_open(&s->hd, filename, flags);
+ ret = bdrv_file_open(&s->hd, filename, flags | BDRV_O_EXTENDABLE);
 if (ret < 0)
 return ret;
 if (bdrv_pread(s->hd, 0, &magic, sizeof(magic)) != sizeof(magic))
diff --git a/block.c b/block.c
index 72003d312..8932ff845 100644
--- a/block.c
+++ b/block.c
@@ -126,20 +126,23 @@ void path_combine(char *dest, int dest_size,
 static int bdrv_rw_badreq_sectors(BlockDriverState *bs,
 int64_t sector_num, int nb_sectors)
 {
- return
+ return (
 nb_sectors < 0 ||
 nb_sectors > bs->total_sectors ||
- sector_num > bs->total_sectors - nb_sectors;
+ sector_num > bs->total_sectors - nb_sectors
+ ) && !bs->extendable;
 }
 static int bdrv_rw_badreq_bytes(BlockDriverState *bs,
 int64_t offset, int count)
 {
 int64_t size = bs->total_sectors << SECTOR_BITS;
- return
+ return (
 count < 0 ||
 count > size ||
- offset > size - count;
+ offset > size - count
+ ) && !bs->extendable;
+
 }
 static void bdrv_register(BlockDriver *bdrv)
@@ -354,6 +357,12 @@ int bdrv_open2(BlockDriverState *bs, const char *filename, int flags,
 bs->is_temporary = 0;
 bs->encrypted = 0;
+ if (flags & BDRV_O_EXTENDABLE) {
+ if (!(drv->bdrv_flags & BLOCK_DRIVER_FLAG_EXTENDABLE))
+ return -ENOSYS;
+ bs->extendable = 1;
+ }
+
 if (flags & BDRV_O_SNAPSHOT) {
 BlockDriverState *bs1;
 int64_t total_size;
diff --git a/block.h b/block.h
index b73050556..7a98f2dc8 100644
--- a/block.h
+++ b/block.h
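Review bot: The added initializer line in block-raw-win32.c ends in a semicolon, `.bdrv_flags = BLOCK_DRIVER_FLAG_EXTENDABLE;`, which is a syntax error inside a brace-enclosed initializer list, so the Win32 build would not compile. It should read `.bdrv_flags = BLOCK_DRIVER_FLAG_EXTENDABLE` with no terminator (or a trailing comma), as the block-raw-posix.c hunk has it. The initializer begins outside the hunk.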
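Review bot: In bdrv_rw_badreq_sectors and bdrv_rw_badreq_bytes in block.c the new `&& !bs->extendable` applies to the whole parenthesised expression, so for an extendable device a negative `nb_sectors` or `count` is no longer rejected, and neither helper tests `sector_num` or `offset` for being negative in the first place. Only the upper-bound comparisons have to be relaxed to let a file grow; the sign checks can stay unconditional, e.g. `return nb_sectors < 0 || sector_num < 0 || (!bs->extendable && (nb_sectors > bs->total_sectors || sector_num > bs->total_sectors - nb_sectors));`, with the same shape for the byte variant. The hunk also adds a whitespace-only line before the closing brace of bdrv_rw_badreq_bytes, which can be dropped.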
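Review bot: In bdrv_open2 in block.c `bs->extendable` is only ever set to 1; the context lines just above reset `bs->is_temporary` and `bs->encrypted` to 0 on each open, but the new field gets no such reset. If a BlockDriverState can be opened again after an earlier extendable open (not determinable from this hunk), the stale 1 would keep the range checks in bdrv_rw_badreq_sectors and bdrv_rw_badreq_bytes switched off. Adding `bs->extendable = 0;` next to the other two resets makes the state explicit. The function starts and continues outside the hunk, so whether the early `return -ENOSYS` skips any cleanup cannot be checked from here.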
@@ -45,6 +45,8 @@ typedef struct QEMUSnapshotInfo {
 it (default for bdrv_file_open()) */
 #define BDRV_O_DIRECT 0x0020
+#define BDRV_O_EXTENDABLE 0x0080 /* allow writes out of original size range;
+ only effective for some drivers */
 #ifndef QEMU_IMG
 void bdrv_info(void);
diff --git a/block_int.h b/block_int.h
index 137000e14..d635e247c 100644
--- a/block_int.h
+++ b/block_int.h
@@ -30,6 +30,8 @@
 #define BLOCK_FLAG_COMPRESS 2
 #define BLOCK_FLAG_COMPAT6 4
+#define BLOCK_DRIVER_FLAG_EXTENDABLE 0x0001u
+
 struct BlockDriver {
 const char *format_name;
 int instance_size;
@@ -85,6 +87,7 @@ struct BlockDriver {
 /* to control generic scsi devices */
 int (*bdrv_ioctl)(BlockDriverState *bs, unsigned long int req, void *buf);
+ unsigned bdrv_flags;
 BlockDriverAIOCB *free_aiocb;
 struct BlockDriver *next;
 };
@@ -97,6 +100,7 @@ struct BlockDriverState {
 int locked; /* if true, the media cannot temporarily be ejected */
 int encrypted; /* if true, the media is encrypted */
 int sg; /* if true, the device is a /dev/sg* */
+ int extendable;/* if true, we may write out of original range */
 /* event callback when inserting/removing */
 void (*change_cb)(void *opaque);
 void *change_opaque;
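Review bot: The comment on `BDRV_O_EXTENDABLE` in block.h says the flag is "only effective for some drivers", but the bdrv_open2 hunk in block.c fails the open with -ENOSYS for a driver without BLOCK_DRIVER_FLAG_EXTENDABLE rather than ignoring the flag. It also speaks of writes only, while the state it sets bypasses bdrv_rw_badreq_sectors and bdrv_rw_badreq_bytes as a whole, which by their names presumably guard reads as well. I would describe it by effect, e.g. `/* skip request range checks so the file can grow; open fails with -ENOSYS if the driver lacks BLOCK_DRIVER_FLAG_EXTENDABLE */`, and give `int extendable` in block_int.h the matching wording.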