qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH RFC for-2.3 1/1] block: New command line option

From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH RFC for-2.3 1/1] block: New command line option --no-format-probing
Date: Mon, 23 Mar 2015 18:50:59 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 23/03/2015 18:48, Eric Blake wrote:
>> Why can't libvirt just add ,format=raw instead of leaving out the
>> format key altogether?
> 
> Libvirt DOES add format=raw.  This patch is an extra insurance
> policy to guarantee that libvirt does not have any code paths that
> omit the explicit format (as we have had a couple of CVEs in
> libvirt over the years where that was the case).

And where's the extra insurance policy to guarantee that QEMU does not
have any code paths that ignore the new command line option?

This is really borderline security theater.  Bugs happen, we fix them.
 Even better, Kevin now has implemented a strong mitigation for CVEs
like this, that won't allow guests to transmute a probed raw image
into another format.  There certainly hasn't been enough discussion
for this to get into 2.3.

Paolo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVEFJ+AAoJEL/70l94x66D/OEH/1j58fDg1W8XBjtaGQ12YsL6
HLKYaU2ObaxY3m5sX+mlMr1ftn/5kQnwVC7xx88xDCq/UG+GuSBRrT+SbxZtkdl4
SM9d0fATaK3yC0o0q3SWXeURAvi0bVOEoGqdpvwgrgGTcGkZPzsh9TwQySkupa8J
mQns/HTF3b7JWJvoVCseTOP99Hq+6+2DmWFbzyfisah/f2nlgNhPULSj0KZQmWxP
dMHPn9PG3NXV3E/xelTXWsMDuJKnnMu3w5MbULbNYDkwJe2f5bBOl6/AV4zqHZ5U
49Ewb1Mdcw+6r3aro2kCQ3wEYKnEpLb/Mb6Lj/i6OUXbA+0TlBWX906BBze+6SI=
=BWO8
-----END PGP SIGNATURE-----
reply via email to
[Prev in Thread] Current Thread [Next in Thread]