Fix CVE-2008-0928 - insufficient block device address range checking (Anthony Liguori)
[sniper_test.git] / block-parallels.c
blob8a8ec63da6177402ab3ecf2f543505787db19ac9
1 /*
2 * Block driver for Parallels disk image format
4 * Copyright (c) 2007 Alex Beregszaszi
6 * This code is based on comparing different disk images created by Parallels.
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to deal
10 * in the Software without restriction, including without limitation the rights
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 * copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24 * THE SOFTWARE.
26 #include "qemu-common.h"
27 #include "block_int.h"
29 /**************************************************************/
31 #define HEADER_MAGIC "WithoutFreeSpace"
32 #define HEADER_VERSION 2
33 #define HEADER_SIZE 64
35 // always little-endian
36 struct parallels_header {
37 char magic[16]; // "WithoutFreeSpace"
38 uint32_t version;
39 uint32_t heads;
40 uint32_t cylinders;
41 uint32_t tracks;
42 uint32_t catalog_entries;
43 uint32_t nb_sectors;
44 char padding[24];
45 } __attribute__((packed));
47 typedef struct BDRVParallelsState {
48 int fd;
50 uint32_t *catalog_bitmap;
51 int catalog_size;
53 int tracks;
54 } BDRVParallelsState;
56 static int parallels_probe(const uint8_t *buf, int buf_size, const char *filename)
58 const struct parallels_header *ph = (const void *)buf;
60 if (buf_size < HEADER_SIZE)
61 return 0;
63 if (!memcmp(ph->magic, HEADER_MAGIC, 16) &&
64 (le32_to_cpu(ph->version) == HEADER_VERSION))
65 return 100;
67 return 0;
70 static int parallels_open(BlockDriverState *bs, const char *filename, int flags)
72 BDRVParallelsState *s = bs->opaque;
73 int fd, i;
74 struct parallels_header ph;
76 fd = open(filename, O_RDWR | O_BINARY | O_LARGEFILE);
77 if (fd < 0) {
78 fd = open(filename, O_RDONLY | O_BINARY | O_LARGEFILE);
79 if (fd < 0)
80 return -1;
83 bs->read_only = 1; // no write support yet
85 s->fd = fd;
87 if (read(fd, &ph, sizeof(ph)) != sizeof(ph))
88 goto fail;
90 if (memcmp(ph.magic, HEADER_MAGIC, 16) ||
91 (le32_to_cpu(ph.version) != HEADER_VERSION)) {
92 goto fail;
95 bs->total_sectors = le32_to_cpu(ph.nb_sectors);
97 if (lseek(s->fd, 64, SEEK_SET) != 64)
98 goto fail;
100 s->tracks = le32_to_cpu(ph.tracks);
102 s->catalog_size = le32_to_cpu(ph.catalog_entries);
103 s->catalog_bitmap = qemu_malloc(s->catalog_size * 4);
104 if (read(s->fd, s->catalog_bitmap, s->catalog_size * 4) !=
105 s->catalog_size * 4)
106 goto fail;
107 for (i = 0; i < s->catalog_size; i++)
108 le32_to_cpus(&s->catalog_bitmap[i]);
110 return 0;
111 fail:
112 if (s->catalog_bitmap)
113 qemu_free(s->catalog_bitmap);
114 close(fd);
115 return -1;
118 static inline int seek_to_sector(BlockDriverState *bs, int64_t sector_num)
120 BDRVParallelsState *s = bs->opaque;
121 uint32_t index, offset, position;
123 index = sector_num / s->tracks;
124 offset = sector_num % s->tracks;
126 // not allocated
127 if ((index > s->catalog_size) || (s->catalog_bitmap[index] == 0))
128 return -1;
130 position = (s->catalog_bitmap[index] + offset) * 512;
132 // fprintf(stderr, "sector: %llx index=%x offset=%x pointer=%x position=%x\n",
133 // sector_num, index, offset, s->catalog_bitmap[index], position);
135 if (lseek(s->fd, position, SEEK_SET) != position)
136 return -1;
138 return 0;
141 static int parallels_read(BlockDriverState *bs, int64_t sector_num,
142 uint8_t *buf, int nb_sectors)
144 BDRVParallelsState *s = bs->opaque;
146 while (nb_sectors > 0) {
147 if (!seek_to_sector(bs, sector_num)) {
148 if (read(s->fd, buf, 512) != 512)
149 return -1;
150 } else
151 memset(buf, 0, 512);
152 nb_sectors--;
153 sector_num++;
154 buf += 512;
156 return 0;
159 static void parallels_close(BlockDriverState *bs)
161 BDRVParallelsState *s = bs->opaque;
162 qemu_free(s->catalog_bitmap);
163 close(s->fd);
166 BlockDriver bdrv_parallels = {
167 "parallels",
168 sizeof(BDRVParallelsState),
169 parallels_probe,
170 parallels_open,
171 parallels_read,
172 NULL,
173 parallels_close,