From: Markus Armbruster
Date: Thu, 30 Oct 2014 13:19:45 +0100
Subject: Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing
To: Stefan Hajnoczi
Cc: Kevin Wolf, Stefan Hajnoczi, jcody@redhat.com, qemu-devel@nongnu.org
Message-ID: <8761f121i6.fsf@blackfin.pond.sub.org>
In-Reply-To: <20141030092415.GA30746@stefanha-thinkpad.redhat.com> (Stefan Hajnoczi's message of "Thu, 30 Oct 2014 09:24:15 +0000")
References: <1414512220-19058-1-git-send-email-armbru@redhat.com> <1414512220-19058-3-git-send-email-armbru@redhat.com> <20141029101242.GA3719@noname.str.redhat.com> <877fzjc76v.fsf@blackfin.pond.sub.org> <20141029153432.GI19774@stefanha-thinkpad.redhat.com> <877fzi53jl.fsf@blackfin.pond.sub.org> <20141030092415.GA30746@stefanha-thinkpad.redhat.com>

Stefan Hajnoczi writes:

> On Thu, Oct 30, 2014 at 10:07:26AM +0100, Markus Armbruster wrote:
>> Stefan Hajnoczi writes:
>>
>> > On Wed, Oct 29, 2014 at 02:54:32PM +0100, Markus Armbruster wrote:
>> >> Kevin Wolf writes:
>> >>
>> >> > On 28.10.2014 at 17:03, Markus Armbruster wrote:
>> >> > Instead, let me try once more to sell my old proposal [1] from the
>> >> > thread you mentioned:
>> >> >
>> >> >> What if we let the raw driver know that it was probed and then it
>> >> >> enables a check that returns -EIO for any write on the first 2k if that
>> >> >> write would make the image look like a different format?
>> >> >
>> >> > Attacks the problem where it arises instead of trying to detect the
>> >> > outcome of it, and works in whatever way it is nested in the BDS graph
>> >> > and whatever way is used to address the image file.
>> >
>> > I think this is too clever. It's another thing to debug if a guest
>> > starts hitting EIO.
>> >
>> > My opinion on probing is: it's ugly but let's leave it for QEMU 3.0 at
>> > which point we implement Markus' solution with exit(1).
>>
>> I regard my patch as a necessary preliminary step for that. Warn now,
>> change behavior a couple of releases later. When exactly is debatable.
>>
>> > In the meantime the CVE has been known for a long time so vulnerable
>> > users (VM hosting, cloud, etc) have the information they need. Many are
>> > automatically protected by libvirt.
>>
>> The warning hopefully helps libvirt developers with keeping libvirt
>> users fully protected.
>
> I'm happy with this approach (haven't reviewed the patches in detail
> yet).

PATCH 1/2 is fully baked, but it's also trivial, and got plenty of review already.

PATCH 2/2 isn't baked yet, and I think I know what needs to be done. I guess your review cycles are better spent elsewhere.
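Kevin's proposal quoted above (refuse, with -EIO, any guest write to the first 2k of a probed raw image that would make the image probe as another format) sketched as an added C example; this is not QEMU code. The 2 KiB window and the three-entry magic table are assumptions made for the example, not QEMU's actual probe list.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define PROBE_WINDOW 2048   /* the "first 2k" that format probing inspects */

/* Illustrative subset of real image-format magics found at offset 0; a
 * constructed table for this example, not QEMU's probe list. */
static const struct { const char *magic; size_t len; } guarded_magics[] = {
    { "QFI\xfb",  4 },   /* qcow / qcow2 */
    { "KDMV",     4 },   /* VMDK sparse extent header */
    { "vhdxfile", 8 },   /* VHDX file type identifier */
};

/* Nonzero if the header window would be probed as one of the guarded formats. */
static int looks_like_other_format(const uint8_t *win)
{
    for (size_t i = 0; i < sizeof guarded_magics / sizeof guarded_magics[0]; i++) {
        if (memcmp(win, guarded_magics[i].magic, guarded_magics[i].len) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Gate a guest write on a raw image that was selected by probing.
 * header: the image's current first PROBE_WINDOW bytes. The write is applied
 * to a copy and the result is checked. Returns 0 to allow, -EIO to refuse. */
int raw_probed_write_check(const uint8_t *header, uint64_t offset,
                           const uint8_t *buf, size_t len)
{
    uint8_t win[PROBE_WINDOW];
    size_t n = len;
    if (offset >= PROBE_WINDOW) {
        return 0;                      /* write does not touch the probed region */
    }
    if (offset + n > PROBE_WINDOW) {
        n = PROBE_WINDOW - offset;     /* only the part inside the window matters */
    }
    memcpy(win, header, PROBE_WINDOW);
    memcpy(win + offset, buf, n);
    return looks_like_other_format(win) ? -EIO : 0;
}

/* Convenience helper: run the check against an all-zero (plainly raw) header. */
int check_on_zero_header(uint64_t offset, const char *data, size_t len)
{
    uint8_t header[PROBE_WINDOW] = { 0 };
    return raw_probed_write_check(header, offset, (const uint8_t *)data, len);
}
```

With a zeroed header, `check_on_zero_header(0, "QFI\xfb", 4)` returns -EIO while the same bytes written at offset 4096 are allowed, which is the behaviour Stefan's "guest starts hitting EIO" debugging concern refers to.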