author: aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162> 2009-03-03 17:37:16 +0000
committer: aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162> 2009-03-03 17:37:16 +0000
commit: 49cb7bcd7f7d310c04ae194a5c29c683bfb010d1 (patch)
tree: 4009c7e0fa52a55d83d298217081d7f9afbad8e6 /block_int.h
parent: 65e4876cf5bfa5c366b3cafc6d58553217406354 (diff)
Fix CVE-2008-0928 - insufficient block device address range checking (Anthony Liguori)
Introduce a growable flag that's set by bdrv_file_open(). Block devices should never be growable, only files that are being used by block devices.

I went through Fabrice's early comments about the patch that was first applied. While I disagree with that patch, I also disagree with Fabrice's suggestion. There's no good reason to do the checks in the block drivers themselves. It just increases the possibility that this bug could show up again. Since we're calling bdrv_getlength() to determine the length, we're giving the block drivers a chance to chime in and let us know what range is valid.

Basically, this patch makes the BlockDriver API guarantee that all requests are within 0..bdrv_getlength() which to me seems like a Good Thing.

What do others think?

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6677 c046a42c-6fe2-441c-8c8c-71466251a162
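The guarantee the message describes (every request lies within 0..bdrv_getlength() unless the state is growable), written out as an added example that is not QEMU's code. The trimmed BlockDriverState, the stand-in bdrv_getlength() and the name bdrv_check_request are assumptions for illustration; the point is the overflow-safe bound check on the sector range.

```c
/* Added example, not QEMU's code. BlockDriverState here is a stand-in
 * holding only the two fields the check needs. */
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

#define BDRV_SECTOR_BITS 9
#define BDRV_SECTOR_SIZE (1LL << BDRV_SECTOR_BITS)

typedef struct {
    int64_t total_sectors;  /* current length in 512-byte sectors */
    int growable;           /* per the commit: set only for backing files */
} BlockDriverState;

/* Stand-in for bdrv_getlength(): length of the device in bytes. */
static int64_t bdrv_getlength(BlockDriverState *bs)
{
    return bs->total_sectors * BDRV_SECTOR_SIZE;
}

/* Returns 0 if [sector_num, sector_num + nb_sectors) lies inside
 * 0..bdrv_getlength(), or if bs is growable; otherwise -EIO.
 * Negative inputs are rejected first, and the upper bound is tested as
 * "nb_sectors > len - sector_num" so the sum can never wrap int64_t. */
int bdrv_check_request(BlockDriverState *bs, int64_t sector_num, int nb_sectors)
{
    int64_t len;

    if (sector_num < 0 || nb_sectors < 0)
        return -EIO;
    if (bs->growable)
        return 0;               /* backing file may extend past its current end */
    len = bdrv_getlength(bs) >> BDRV_SECTOR_BITS;
    if (sector_num > len)
        return -EIO;
    if (nb_sectors > len - sector_num)   /* both operands non-negative here */
        return -EIO;
    return 0;
}

int main(void)
{
    BlockDriverState disk = { 2048, 0 };   /* constructed 1 MiB device */
    printf("in range : %d\n", bdrv_check_request(&disk, 2047, 1));
    printf("past end : %d\n", bdrv_check_request(&disk, 2048, 1));
    printf("overflow : %d\n", bdrv_check_request(&disk, 1, 0x7fffffff));
    return 0;
}
```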
Diffstat (limited to 'block_int.h')
-rw-r--r--  block_int.h  3
1 files changed, 3 insertions, 0 deletions
diff --git a/block_int.h b/block_int.h
index 781789c9e1..e1943aaa64 100644
--- a/block_int.h
+++ b/block_int.h
@@ -121,6 +121,9 @@ struct BlockDriverState {
uint64_t rd_ops;
uint64_t wr_ops;
+ /* Whether the disk can expand beyond total_sectors */
+ int growable;
+
/* NOTE: the following infos are only hints for real hardware
drivers. They are not used by the block driver */
int cyls, heads, secs, translation;
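Review bot: the comment on the new `int growable` field says what the flag means but not who is allowed to set it; the commit message states it is set only by bdrv_file_open() and that block devices must never be growable, so that constraint belongs in the header next to the field, e.g. `/* Set only by bdrv_file_open(); block devices must never be growable */`, since a driver author who sets it on a device would silently switch off the 0..bdrv_getlength() range check this flag gates. Worth confirming outside this hunk that every allocation of BlockDriverState zero-initialises the struct, because a stale non-zero value here has the same effect.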