[Stable-9.0.2 18/22] qcow2: Don't open data_file with BDRV_O_NO_IO
From: Michael Tokarev
Date: Fri, 5 Jul 2024 00:00:48 +0300
From: Kevin Wolf <kwolf@redhat.com>
One use case for 'qemu-img info' is verifying that untrusted images
don't reference an unwanted external file, be it as a backing file or an
external data file. To make sure that calling 'qemu-img info' can't
already have undesired side effects with a malicious image, just don't
open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do
I/O, we don't need to have it open.
This changes the output of iotests case 061, which used 'qemu-img info'
to show that opening an image with an invalid data file fails. After
this patch, it succeeds. Replace this part of the test with a qemu-io
call, but keep the final 'qemu-img info' to show that the invalid data
file is correctly displayed in the output.
Fixes: CVE-2024-4467
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
(cherry picked from commit bd385a5298d7062668e804d73944d52aec9549f1)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/block/qcow2.c b/block/qcow2.c
index 956128b409..4c78665bcb 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1636,7 +1636,22 @@ qcow2_do_open(BlockDriverState *bs, QDict *options, int
flags,
goto fail;
}
- if (open_data_file) {
+ if (open_data_file && (flags & BDRV_O_NO_IO)) {
+ /*
+ * Don't open the data file for 'qemu-img info' so that it can be used
+ * to verify that an untrusted qcow2 image doesn't refer to external
+ * files.
+ *
+ * Note: This still makes has_data_file() return true.
+ */
+ if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) {
+ s->data_file = NULL;
+ } else {
+ s->data_file = bs->file;
+ }
+ qdict_extract_subqdict(options, NULL, "data-file.");
+ qdict_del(options, "data-file");
+ } else if (open_data_file) {
/* Open external data file */
bdrv_graph_co_rdunlock();
s->data_file = bdrv_co_open_child(NULL, options, "data-file", bs,
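Review bot: under BDRV_O_NO_IO with QCOW2_INCOMPAT_DATA_FILE set, s->data_file is now left NULL while the comment says has_data_file() still returns true, so any qcow2 path reachable without I/O that dereferences s->data_file (instead of checking for BDRV_O_NO_IO) would now crash where it previously failed at open time; an assertion or a note at those consumers that data_file may be NULL in NO_IO mode would make the invariant explicit. The qdict_extract_subqdict()/qdict_del() pair correctly keeps the caller's data-file.* options from being reported as unused, but it also means an explicit data-file override is silently dropped in this mode; the block comment could say so in one line.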
diff --git a/tests/qemu-iotests/061 b/tests/qemu-iotests/061
index 53c7d428e3..b71ac097d1 100755
--- a/tests/qemu-iotests/061
+++ b/tests/qemu-iotests/061
@@ -326,12 +326,14 @@ $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
echo
_make_test_img -o "compat=1.1,data_file=$TEST_IMG.data" 64M
$QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
-_img_info --format-specific
+$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
+$QEMU_IO -c "open -o
data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" |
_filter_qemu_io
TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info
--format-specific --image-opts
echo
$QEMU_IMG amend -o "data_file=" --image-opts
"data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG"
-_img_info --format-specific
+$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
+$QEMU_IO -c "open -o
data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" |
_filter_qemu_io
TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info
--format-specific --image-opts
echo
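Review bot: the first $QEMU_IO call sends stderr through _filter_testdir and _filter_imgfmt, but the second (open -o ... -c "read 0 4k" | _filter_qemu_io) does not redirect stderr, so if that open ever fails the error would carry an unfiltered TEST_DIR path into the diff; adding "2>&1 | _filter_testdir" there as well would keep both failure paths stable. The two-line qemu-io sequence is copied verbatim for the data_file=foo and data_file= cases; acceptable for a shell iotest, though a small helper would avoid the duplication.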
diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out
index 139fc68177..24c33add7c 100644
--- a/tests/qemu-iotests/061.out
+++ b/tests/qemu-iotests/061.out
@@ -545,7 +545,9 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
qemu-img: data-file can only be set for images that use an external data file
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
data_file=TEST_DIR/t.IMGFMT.data
-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': Could not open 'foo': No such
file or directory
+qemu-io: can't open device TEST_DIR/t.IMGFMT: Could not open 'foo': No such
file or directory
+read 4096/4096 bytes at offset 0
+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
image: TEST_DIR/t.IMGFMT
file format: IMGFMT
virtual size: 64 MiB (67108864 bytes)
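Review bot: the expected output now records the "Could not open 'foo'" failure coming from qemu-io rather than from qemu-img, and 'qemu-img info' succeeding on the same image, which is exactly the behaviour change the commit message describes. The new "4 KiB, X ops; XX:XX:XX.X" line depends on _filter_qemu_io masking the timing values, so that filter must stay on the read command in 061. The context lines of this hunk end before the format-specific section, so the 'data file: foo' line the commit message says is still displayed is not visible here and should be checked in the full 061.out.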
@@ -560,7 +562,9 @@ Format specific information:
corrupt: false
extended l2: false
-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'data-file' is required for this
image
+qemu-io: can't open device TEST_DIR/t.IMGFMT: 'data-file' is required for this
image
+read 4096/4096 bytes at offset 0
+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
image: TEST_DIR/t.IMGFMT
file format: IMGFMT
virtual size: 64 MiB (67108864 bytes)
--
2.39.2
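The use case the commit message gives, checking an untrusted qcow2 image for references to external files without opening any of them, as an added example that is not part of the patch or of QEMU: a small Python parser of the qcow2 header that reports the backing file name and the external data file name. The constants come from the qcow2 specification (incompatible-feature bit 2 for an external data file, extension type 0x44415441 for its name); build_sample_header constructs a synthetic header for the demonstration and is not a usable image.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
QCOW2_INCOMPAT_DATA_FILE = 1 << 2      # incompatible feature bit 2: external data file
QCOW2_EXT_DATA_FILE = 0x44415441       # header extension carrying the data file name
QCOW2_MAX_BACKING_LEN = 1023           # QEMU rejects longer backing file names

def qcow2_external_refs(img: bytes) -> dict:
    """Return the backing file / external data file names a qcow2 header references.

    Only the header bytes are parsed; nothing named here is ever opened.
    """
    if img[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version, bf_off, bf_size = struct.unpack_from(">IQI", img, 4)
    if version == 3:
        incompat, = struct.unpack_from(">Q", img, 72)
        hdr_len, = struct.unpack_from(">I", img, 100)
    else:                               # v2 has no feature bits; extensions start at 72
        incompat, hdr_len = 0, 72
    refs = {"backing_file": None, "data_file": None,
            "external_data_file": bool(incompat & QCOW2_INCOMPAT_DATA_FILE)}
    if bf_off and bf_size:
        if bf_size > QCOW2_MAX_BACKING_LEN or bf_off + bf_size > len(img):
            raise ValueError("backing file name out of bounds")
        refs["backing_file"] = img[bf_off:bf_off + bf_size].decode("utf-8", "replace")
    pos = hdr_len                       # walk header extensions up to the end marker
    while pos + 8 <= len(img):
        ext_type, ext_len = struct.unpack_from(">II", img, pos)
        if ext_type == 0:
            break
        if ext_type == QCOW2_EXT_DATA_FILE:
            refs["data_file"] = img[pos + 8:pos + 8 + ext_len].decode("utf-8", "replace")
        pos += 8 + ((ext_len + 7) & ~7)  # extension payloads are padded to 8 bytes
    return refs

def build_sample_header(data_file: bytes = b"", backing: bytes = b"") -> bytes:
    """Constructed minimal qcow2 v3 header for the demo (not a usable image)."""
    exts = b""
    if data_file:
        exts += struct.pack(">II", QCOW2_EXT_DATA_FILE, len(data_file))
        exts += data_file.ljust((len(data_file) + 7) & ~7, b"\0")
    exts += struct.pack(">II", 0, 0)     # end-of-extensions marker
    bf_off = 104 + len(exts) if backing else 0
    incompat = QCOW2_INCOMPAT_DATA_FILE if data_file else 0
    hdr = struct.pack(">4sIQIIQIIQQIIQ", QCOW2_MAGIC, 3, bf_off, len(backing),
                      16, 64 << 20, 0, 1, 0, 0, 0, 0, 0)
    hdr += struct.pack(">QQQII", incompat, 0, 0, 4, 104)
    return hdr + exts + backing

if __name__ == "__main__":
    print(qcow2_external_refs(build_sample_header(b"foo", b"base.qcow2")))
```

Run against a real file by passing the first few kilobytes of the image to qcow2_external_refs; any non-empty backing_file or data_file should be compared with an allow-list before the image is handed to qemu-img or a VM.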