Re: [Qemu-devel] [PATCH V6 0/2] Add JSON output to qemu-img info

[Richard W.M. Jones]

On Mon, Aug 27, 2012 at 09:15:50AM +0200, Benoît Canet wrote:
> This patchset add a JSON output mode to the qemu-img info command.
> It's a rewrite from scratch of the original patchset by Wenchao Xia
> following Anthony Liguori advices on JSON formating.

I won't comment on the patch set, but something like this patch seems
essential to avoid unintended security flaws in parsing the output of
'qemu-img info'.

$ qemu-img create -f qcow2 test.qcow2 10M
$ mv test.qcow2 "$(echo -e '/tmp/foo\ncluster_size: bar')"
$ qemu-img info /tmp/foo*
image: /tmp/foo
cluster_size: bar                   <---- note
file format: qcow2
virtual size: 10M (10485760 bytes)
disk size: 136K
cluster_size: 65536

See the attached script which tries to exploit the backing file too:

$ ./bad-qemu-img-info.sh 
Formatting 'test.qcow2', fmt=qcow2 size=10485760 backing_file='backing
file formatx foo' encryption=off cluster_size=65536 
image: test.qcow2
file format: qcow2
virtual size: 10M (10485760 bytes)
disk size: 196K
cluster_size: 65536
backing file: backing
file format: foo                    <---- note

I think this change should be backported to stable branches as well.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org

bad-qemu-img-info.sh
Description: Bourne shell script