Re: [Qemu-devel] [PATCH] qemu: block.c: introducing "fmt:FMT:" prefix to image-filenames

[Uri Lublin]

Anthony Liguori wrote:
> Uri Lublin wrote:
> > Hello,
> >
> > This patch below can be considered as a version 2 of Shahar's "Qemu 
> > image over raw devices" patch
> > http://lists.gnu.org/archive/html/qemu-devel/2008-12/msg01083.html
> >
> > I think we've fixed the security flaw (that was discovered but not 
> > introduced by Shahar's patch).
>
> Doesn't the fmt= option to the block drivers achieve the same thing 
> (except for not probing the backend formats)?

It does only for the leaf image (the writeable one).
While all backing files would be probed.
For example if we have a raw format image A (the base image), and the guest 
writes a fake qcow2 header into the beginning of the disk, and then the VM owner 
asks to create a new qcow2 image B with A as its backing file. In this scenario 
qemu opens A as a qcow2 image. This scenario is a security breach (mentioned by 
Daniel P. Berrange) as the fake qcow2 header may point to any host file.

I need to send a second version (-cdrom is broken). Comments about the concept 
would be appreciated.

Thanks for looking at it,
    Uri.