qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] Image probing: how it can be insecure, and what we coul

From: Eric Blake
Subject: Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it
Date: Thu, 06 Nov 2014 14:02:18 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0 
On 11/06/2014 01:43 PM, Markus Armbruster wrote:

>> Actually, qed requires the backing format to be recorded (it is
>> non-optional) and is therefore immune to probing problems of backing
>> files.  That's one thing it got right.
> 
> If I read the code correctly:
> 
> QED has a feature bit QED_F_BACKING_FORMAT_NO_PROBE.
> 
> It is changed when you set the backing file format.  Setting format to
> "raw" sets the flag, anything else (including nothing) clears the flag.
> The actual non-raw format is not recorded.
> 
> Creating an image counts as setting the backing file format.
> 
> If the flag is set, open uses "raw"for the backing file (no probing).
> 
> If it's unset, open probes, and the probe may yield "raw".

Eww.  Well, looks like a deficiency in the qed spec, and maybe all that
is needed to plug it is:

If the probe yields "raw", refuse to open the backing file (or put
another way, either the probe MUST find a non-raw file, or the user has
a bug that they forgot to set the raw bit so we refuse to open the file
to point out their bug).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]