corrected size in block_devices on darwin, linux

osquery/core/darwin/conversions.cpp

@@ -65,7 +65,7 @@ std::string stringFromCFData(const CFDataRef& cf_data) {
 }
 
 std::string stringFromCFNumber(const CFDataRef& cf_number) {
-  return stringFromCFNumber(cf_number, kCFNumberIntType);
+  return stringFromCFNumber(cf_number, CFNumberGetType((CFNumberRef)cf_number));
 }
 
 std::string stringFromCFNumber(const CFDataRef& cf_number, CFNumberType type) {

osquery/events/darwin/iokit.cpp

@@ -90,6 +90,25 @@ std::string getIOKitProperty(const CFMutableDictionaryRef& details,
   return value;
 }
 
+long long int getNumIOKitProperty(const CFMutableDictionaryRef& details,
+                             const std::string& key) {
+  // Get a property from the device.
+  auto cfkey = CFStringCreateWithCString(
+      kCFAllocatorDefault, key.c_str(), kCFStringEncodingUTF8);
+  auto property = CFDictionaryGetValue(details, cfkey);
+  CFRelease(cfkey);
+
+  // Several supported ways of parsing IOKit-encoded data.
+  if (property && CFGetTypeID(property) == CFNumberGetTypeID()) {
+    CFNumberType type = CFNumberGetType((CFNumberRef)property);
+    long long int value;
+    CFNumberGetValue((CFNumberRef)property, type, &value);
+    return value;
+  }
+
+  return 0;
+}
+
 void IOKitEventPublisher::restart() {
   static std::vector<const std::string*> device_classes = {
       &kIOUSBDeviceClassName_,

osquery/events/darwin/iokit.h

@@ -67,6 +67,8 @@ struct IOKitPCIProperties {
 
 std::string getIOKitProperty(const CFMutableDictionaryRef& details,
                              const std::string& key);
+long long int getNumIOKitProperty(const CFMutableDictionaryRef& details,
+                             const std::string& key);
 
 inline void idToHex(std::string& id) {
   long base = 0;

osquery/tables/system/darwin/block_devices.cpp

@@ -35,8 +35,10 @@ void genIOMediaDevice(const io_service_t& device,
 
   r["uuid"] = getIOKitProperty(properties, "UUID");
   r["name"] = "/dev/" + getIOKitProperty(properties, "BSD Name");
-  r["size"] = getIOKitProperty(properties, "Size");
-
+  r["block_size"] = getIOKitProperty(properties, "Preferred Block Size");
+  auto disk_size = getNumIOKitProperty(properties, "Size");
+  auto block_size = getNumIOKitProperty(properties, "Preferred Block Size");
+  r["size"] = boost::lexical_cast<std::string>(disk_size/block_size);
   auto type = getIOKitProperty(properties, "Whole");
   if (type == "1") {
     // The "Whole" property applies to the entire disk entry, not partitions.

osquery/tables/system/linux/block_devices.cpp

@@ -44,6 +44,11 @@ static void getBlockDevice(struct udev_device *dev, QueryData &results) {
     r["size"] = size;
   }
 
+  const char *block_size = udev_device_get_sysattr_value(dev, "queue/logical_block_size");
+  if (block_size != nullptr) {
+    r["block_size"] = block_size;
+  }
+
   subdev = udev_device_get_parent_with_subsystem_devtype(dev, "scsi", nullptr);
   if (subdev != nullptr) {
     const char *model = udev_device_get_sysattr_value(subdev, "model");

specs/posix/block_devices.table

@@ -5,7 +5,8 @@ schema([
     Column("parent", TEXT, "Block device parent name"),
     Column("vendor", TEXT, "Block device vendor string"),
     Column("model", TEXT, "Block device model string identifier"),
-    Column("size", BIGINT, "Block device size in bytes"),
+    Column("size", BIGINT, "Block device size in blocks"),
+    Column("block_size", INTEGER, "Block size in bytes"),
     Column("uuid", TEXT, "Block device Universally Unique Identifier"),
     Column("type", TEXT, "Block device type string"),
     Column("label", TEXT, "Block device label string"),