qemu-commits
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-commits] [qemu/qemu] bd385a: qcow2: Don't open data_file with BDRV

From: Richard Henderson
Subject: [Qemu-commits] [qemu/qemu] bd385a: qcow2: Don't open data_file with BDRV_O_NO_IO
Date: Wed, 03 Jul 2024 11:26:25 -0700 
  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: bd385a5298d7062668e804d73944d52aec9549f1
      
https://github.com/qemu/qemu/commit/bd385a5298d7062668e804d73944d52aec9549f1
  Author: Kevin Wolf <kwolf@redhat.com>
  Date:   2024-07-02 (Tue, 02 Jul 2024)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/061
    M tests/qemu-iotests/061.out

  Log Message:
  -----------
  qcow2: Don't open data_file with BDRV_O_NO_IO

One use case for 'qemu-img info' is verifying that untrusted images
don't reference an unwanted external file, be it as a backing file or an
external data file. To make sure that calling 'qemu-img info' can't
already have undesired side effects with a malicious image, just don't
open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do
I/O, we don't need to have it open.

This changes the output of iotests case 061, which used 'qemu-img info'
to show that opening an image with an invalid data file fails. After
this patch, it succeeds. Replace this part of the test with a qemu-io
call, but keep the final 'qemu-img info' to show that the invalid data
file is correctly displayed in the output.

Fixes: CVE-2024-4467
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>


  Commit: 2eb42a728d27a43fdcad5f37d3f65706ce6deba5
      
https://github.com/qemu/qemu/commit/2eb42a728d27a43fdcad5f37d3f65706ce6deba5
  Author: Kevin Wolf <kwolf@redhat.com>
  Date:   2024-07-02 (Tue, 02 Jul 2024)

  Changed paths:
    M tests/qemu-iotests/244

  Log Message:
  -----------
  iotests/244: Don't store data-file with protocol in image

We want to disable filename parsing for data files because it's too easy
to abuse in malicious image files. Make the test ready for the change by
passing the data file explicitly in command line options.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>


  Commit: 7e1110664ecbc4826f3c978ccb06b6c1bce823e6
      
https://github.com/qemu/qemu/commit/7e1110664ecbc4826f3c978ccb06b6c1bce823e6
  Author: Kevin Wolf <kwolf@redhat.com>
  Date:   2024-07-02 (Tue, 02 Jul 2024)

  Changed paths:
    M tests/qemu-iotests/270

  Log Message:
  -----------
  iotests/270: Don't store data-file with json: prefix in image

We want to disable filename parsing for data files because it's too easy
to abuse in malicious image files. Make the test ready for the change by
passing the data file explicitly in command line options.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>


  Commit: 7ead946998610657d38d1a505d5f25300d4ca613
      
https://github.com/qemu/qemu/commit/7ead946998610657d38d1a505d5f25300d4ca613
  Author: Kevin Wolf <kwolf@redhat.com>
  Date:   2024-07-02 (Tue, 02 Jul 2024)

  Changed paths:
    M block.c

  Log Message:
  -----------
  block: Parse filenames only when explicitly requested

When handling image filenames from legacy options such as -drive or from
tools, these filenames are parsed for protocol prefixes, including for
the json:{} pseudo-protocol.

This behaviour is intended for filenames that come directly from the
command line and for backing files, which may come from the image file
itself. Higher level management tools generally take care to verify that
untrusted images don't contain a bad (or any) backing file reference;
'qemu-img info' is a suitable tool for this.

However, for other files that can be referenced in images, such as
qcow2 data files or VMDK extents, the string from the image file is
usually not verified by management tools - and 'qemu-img info' wouldn't
be suitable because in contrast to backing files, it already opens these
other referenced files. So here the string should be interpreted as a
literal local filename. More complex configurations need to be specified
explicitly on the command line or in QMP.

This patch changes bdrv_open_inherit() so that it only parses filenames
if a new parameter parse_filename is true. It is set for the top level
in bdrv_open(), for the file child and for the backing file child. All
other callers pass false and disable filename parsing this way.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>


  Commit: 727f4a780033bd29e63de4443e0461af05c93eaa
      
https://github.com/qemu/qemu/commit/727f4a780033bd29e63de4443e0461af05c93eaa
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2024-07-03 (Wed, 03 Jul 2024)

  Changed paths:
    M block.c
    M block/qcow2.c
    M tests/qemu-iotests/061
    M tests/qemu-iotests/061.out
    M tests/qemu-iotests/244
    M tests/qemu-iotests/270

  Log Message:
  -----------
  Merge tag 'for-upstream' of https://repo.or.cz/qemu/kevin into staging

Block layer patches (CVE-2024-4467)

- Don't open qcow2 data files in 'qemu-img info'
- Disallow protocol prefixes for qcow2 data files, VMDK extent files and
  other child nodes that are neither 'file' nor 'backing'

# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCAAvFiEE3D3rFZqa+V09dFb+fwmycsiPL9YFAmaEKQwRHGt3b2xmQHJl
# ZGhhdC5jb20ACgkQfwmycsiPL9YgMA/+OeQf0veFb02ZNqf907Etz8/DvnqbiWUN
# 0aT5z5x8ilZQIiEDbFtLKgF3A/WO7phyCKk1q1dbRNbc1ZaWFW7mTaJM2ew++EuB
# fq0mnskLt/GVSqTReO4od7flsssp3sEDxs74yuyNITIUqui4we9WK2lLRiAv3aco
# 2NbyNeMHJxIW+QlOO3R62i24yjQaLyg/YekmiIK8itQkpKuI80fiVgor5W3RR0P0
# 71AVSHC0Edv5eavmiRqmQ+pfSI8tlINsN1s5jvxge6XpVTaL8NHsgH3LVv1R3Qtx
# Uo9hp6lQboAfc4I06gf+fcsYSBRiGCwA/J+JsWusX4FLaaTNHLt5eJAEJhfZlioj
# wgTqpy2ImRu5lcuLjLWRu4cLapPLI6CSwf4/lG9/szmRA/1UtOKpquKeTuCwMl9Y
# XEVoNDzo7GpfSb7YONo7fU7kq00OuEEAn0he7eNd2UU+Ao9Abi7JvY+fKx71FHo3
# k24SQVhVJihV1IEC4psCtaQm2bB/jdMr0jB44zHLtmqeUMLrrVf64cSAntp+2KRa
# sINBXA5OeblGKQ7FoAzc5NNNveSdF1ioRCvKB3MlHzI+efzRS7+I3wwh2Uz1Uwfo
# sivg+dAXQQBKVXn8UbfznFyEKueT0RW5CUbfeEqGQ/ocw7iTrXABsX+tjcktxl8Q
# zrHZNoAz6Ds=
# =7LWn
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 02 Jul 2024 09:21:32 AM PDT
# gpg:                using RSA key DC3DEB159A9AF95D3D7456FE7F09B272C88F2FD6
# gpg:                issuer "kwolf@redhat.com"
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [full]

* tag 'for-upstream' of https://repo.or.cz/qemu/kevin:
  block: Parse filenames only when explicitly requested
  iotests/270: Don't store data-file with json: prefix in image
  iotests/244: Don't store data-file with protocol in image
  qcow2: Don't open data_file with BDRV_O_NO_IO

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>


Compare: https://github.com/qemu/qemu/compare/1a2d52c7fcae...727f4a780033

To unsubscribe from these emails, change your notification settings at 
https://github.com/qemu/qemu/settings/notifications
reply via email to
[Prev in Thread] Current Thread [Next in Thread]