From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Kevin Wolf <kwolf@redhat.com>
Cc: jcody@redhat.com, mreitz@redhat.com, qemu-devel@nongnu.org,
stefanha@redhat.com, armbru@redhat.com
Subject: Re: [Qemu-devel] [PATCH v3 7/9] raw: Prohibit dangerous writes for probed images
Date: Fri, 21 Nov 2014 10:26:57 +0000 [thread overview]
Message-ID: <20141121102656.GF3165@work-vm> (raw)
In-Reply-To: <20141121101543.GB3956@noname.redhat.com>
* Kevin Wolf (kwolf@redhat.com) wrote:
> Am 20.11.2014 um 21:08 hat Dr. David Alan Gilbert geschrieben:
> > * Kevin Wolf (kwolf@redhat.com) wrote:
> >
> >
> > > diff --git a/block/raw_bsd.c b/block/raw_bsd.c
> > > index 401b967..2ce5409 100644
> > > --- a/block/raw_bsd.c
> > > +++ b/block/raw_bsd.c
> > > @@ -58,8 +58,58 @@ static int coroutine_fn raw_co_readv(BlockDriverState *bs, int64_t sector_num,
> > > static int coroutine_fn raw_co_writev(BlockDriverState *bs, int64_t sector_num,
> > > int nb_sectors, QEMUIOVector *qiov)
> > > {
> > > + void *buf = NULL;
> > > + BlockDriver *drv;
> > > + QEMUIOVector local_qiov;
> > > + int ret;
> > > +
> > > + if (bs->probed && sector_num == 0) {
> > > + /* As long as these conditions are true, we can't get partial writes to
> > > + * the probe buffer and can just directly check the request. */
> > > + QEMU_BUILD_BUG_ON(BLOCK_PROBE_BUF_SIZE != 512);
> > > + QEMU_BUILD_BUG_ON(BDRV_SECTOR_SIZE != 512);
> > > +
> > > + if (nb_sectors == 0) {
> > > + /* qemu_iovec_to_buf() would fail, but we want to return success
> > > + * instead of -EINVAL in this case. */
> > > + return 0;
> > > + }
> > > +
> > > + buf = qemu_try_blockalign(bs->file, 512);
> > > + if (!buf) {
> > > + ret = -ENOMEM;
> > > + goto fail;
> > > + }
> > > +
> > > + ret = qemu_iovec_to_buf(qiov, 0, buf, 512);
> > > + if (ret != 512) {
> > > + ret = -EINVAL;
> > > + goto fail;
> > > + }
> > > +
> > > + drv = bdrv_probe_all(buf, 512, NULL);
> > > + if (drv != bs->drv) {
> > > + ret = -EPERM;
> > > + goto fail;
> > > + }
> >
> > Two things about this worry me:
> > 1) It allows a running guest to prod at the probing code potentially quite
> > hard; if there is anything nasty that can be done during probing it would
> > potentially make it easier for a guest to find it.
>
> The probing functions are trivial. You can audit them in no time even
> with no previous block layer experience. They just do a few tests on the
> passed buffer.
Hmm, OK.
> > 2) We don't log anything when this failure happens so if someone hits
> > this by accident for some reason it'll confuse them no end. Could we add
> > a (1 time?) error_report/printf just so that there's something to work with ?
>
> We already log a warning on bdrv_open(). Don't you think that should be
> enough?
Imagine a place that's got lots of QEMUs running already, they'll install
the QEMU that has this fix in it and carry on; they won't look at their logs.
Then if they hit a problem with a write failure they'll get confused; the logs
in bdrv_open just tell them they should be doing something safely, they don't
tell them they've actually hit a case fo something trying to do the write.
Dave
> Kevin
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2014-11-21 10:27 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-20 15:27 [Qemu-devel] [PATCH v3 0/9] raw: Prohibit dangerous writes for probed images Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 1/9] qemu-io: Allow explicitly specifying format Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 2/9] qemu-iotests: Use qemu-io -f $IMGFMT Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 3/9] qemu-iotests: Add qemu-io format option in Python tests Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 4/9] qtests: Specify image format explicitly Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 5/9] block: Factor bdrv_probe_all() out of find_image_format() Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 6/9] block: Read only one sector for format probing Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 7/9] raw: Prohibit dangerous writes for probed images Kevin Wolf
2014-11-20 20:08 ` Dr. David Alan Gilbert
2014-11-21 10:15 ` Kevin Wolf
2014-11-21 10:26 ` Dr. David Alan Gilbert [this message]
2014-11-25 16:51 ` Stefan Hajnoczi
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 8/9] qemu-iotests: Fix stderr handling in common.qemu Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 9/9] qemu-iotests: Test writing non-raw image headers to raw image Kevin Wolf
2014-11-20 16:18 ` Max Reitz
2014-11-20 16:29 ` Kevin Wolf
2014-11-26 16:23 ` [Qemu-devel] [PATCH v3 0/9] raw: Prohibit dangerous writes for probed images Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141121102656.GF3165@work-vm \
--to=dgilbert@redhat.com \
--cc=armbru@redhat.com \
--cc=jcody@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.