From mboxrd@z Thu Jan 1 00:00:00 1970
From: Markus Armbruster
Subject: Re: [PATCH] QEMU "drive_init()" Disk Format Security Bypass
Date: Fri, 30 May 2008 11:00:02 +0200
Message-ID: <8763sw9nfx.fsf@pike.pond.sub.org>
References: <200805081800.24064.turkay.eren@gmail.com> <18467.12572.126574.502777@mariner.uk.xensource.com> <20080508171255.GA31908@redhat.com> <18467.13858.203078.97403@mariner.uk.xensource.com> <20080508172304.GB31908@redhat.com> <18467.14318.921215.768838@mariner.uk.xensource.com> <20080508173023.GC31908@redhat.com> <18468.29633.937355.26121@mariner.uk.xensource.com> <18473.52451.967004.377867@mariner.uk.xensource.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <18473.52451.967004.377867@mariner.uk.xensource.com> (Ian Jackson's message of "Tue, 13 May 2008 18:16:19 +0100")
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Ian Jackson
Cc: Eren Türkay, xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

I'm looking at xen-unstable cset 17606 and 17646.

If I understand your patches correctly, you attack the security problem in two places: (1) make format probing never return raw, and (2) provide means to specify the format explicitly, bypassing probing.

You put (2) in xenstore_parse_domain_config(). I can see how that works for block devices defined in the domain configuration. But what about USB disks?

I created a guest with the following settings:

    usb = 1
    usbdevice = "disk:/var/lib/xen/images/usbkey.img"

This duly started qemu with arguments

    -usb -usbdevice disk:/var/lib/xen/images/usbkey.img

The -usbdevice argument is ultimately processed by usb_device_add(), which calls usb_msd_init() to do the real work. I think we get (1), but not (2) there, i.e. your change breaks raw format USB disks.
Monitor command "usb_add" also runs usb_device_add(), so it should have the same problem. I suspect monitor command "change" has the same problem, too.