From: Paolo Bonzini <pbonzini@redhat.com>
To: Markus Armbruster <armbru@redhat.com>, qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, stefanha@redhat.com, mreitz@redhat.com
Subject: Re: [Qemu-devel] [PATCH for-2.3 1/1] block: New command line option --misc format-probing=off
Date: Mon, 23 Mar 2015 18:15:01 +0100
Message-ID: <55104A15.9030401@redhat.com>
In-Reply-To: <1427105099-12889-2-git-send-email-armbru@redhat.com>

On 23/03/2015 11:04, Markus Armbruster wrote:
> Probing is convenient, but probing untrusted raw images is insecure
> (CVE-2008-2004). To avoid it, users should always specify raw format
> explicitly. This isn't trivial, and even sophisticated users have
> gotten it wrong (libvirt CVE-2010-2237, CVE-2010-2238, CVE-2010-2239,
> plus more recent variations of the theme that didn't get CVEs because
> they were caught before they could hurt users).
>
> Disabling probing entirely is a (hamfisted) way to ensure you always
> specify the format.
>
> Instead of creating yet another simple option that doesn't work with
> -readconfig, create a "misc" option group and --misc command line
> option. We're out of space in vm_config_groups[], so double it.
>
> This will let us make existing miscellaneous non-QemuOpts options
> sugar for --misc, so they become available with -readconfig. Left for
> another day.

Which exactly? Could they fit into another scheme? (See how
-mem-prealloc was replaced and generalized by memory-backend-* objects).
For example, -win2k-install-hack should really be an IDE disk property
that can be set with -global, and many other options could be machine or
display options.

I don't think it's the right solution. Libvirt knows where to add a
format=raw option, and it can do it without waiting for QEMU to
implement this. Direct command-line users are not going to use the
option anyway.

So for today we're 1-1 on NACKs. :D

Paolo
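
An added example, not part of the original message or of QEMU: a simplified audit of a QEMU command line for disks given without an explicit `format=`, the case the quoted commit message says users should avoid. The function names and the sample command line are constructed for illustration, and the option parsing is an assumption that handles only the `,,` escape for a literal comma.

```python
import shlex

# Legacy shorthands take only a file name, so the format is always probed.
LEGACY_DISK_FLAGS = {"hda", "hdb", "hdc", "hdd"}

def parse_opts(optstr):
    """Split a key=value,... string on single commas; ',,' is a literal comma."""
    parts, cur, i = [], "", 0
    while i < len(optstr):
        if optstr[i] == ",":
            if optstr[i + 1:i + 2] == ",":   # escaped comma inside a value
                cur += ","
                i += 2
                continue
            parts.append(cur)
            cur = ""
        else:
            cur += optstr[i]
        i += 1
    parts.append(cur)
    opts = {}
    for part in parts:
        if part:
            key, _, val = part.partition("=")
            opts[key] = val
    return opts

def drives_that_probe(cmdline):
    """Return (flag, image) pairs for disks given without an explicit format."""
    argv = shlex.split(cmdline)
    findings = []
    for flag, value in zip(argv, argv[1:]):
        if not flag.startswith("-"):
            continue
        name = flag.lstrip("-")
        if name == "drive":
            opts = parse_opts(value)
            if "file" in opts and "format" not in opts:
                findings.append((flag, opts["file"]))
        elif name in LEGACY_DISK_FLAGS:
            findings.append((flag, value))
    return findings

# Constructed sample: the third drive's file name contains an escaped comma
# followed by "format=raw", which is part of the name, not an option.
SAMPLE = ("qemu-system-x86_64 -m 1024 -drive file=/img/a.img,if=virtio "
          "-drive file=/img/b.img,format=raw,if=virtio "
          "-drive file=/img/c,,format=raw.img,if=virtio -hda /img/legacy.img")
```
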