From: Levente Kurusa <lkurusa@redhat.com>
To: Jeff Cody <jcody@redhat.com>, Stefan Hajnoczi <stefanha@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Stefan Weil <sw@weilnetz.de>,
Andrew Jones <drjones@redhat.com>, Fam Zheng <famz@redhat.com>,
QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH 0/3] vpc: support probing of fixed size images
Date: Thu, 14 Aug 2014 10:42:27 -0400 (EDT) [thread overview]
Message-ID: <1643597569.19303034.1408027347194.JavaMail.zimbra@redhat.com> (raw)
In-Reply-To: <20140812133542.GA6876@localhost.localdomain>
On Tuesday, 12 August, 2014 3:35:42 PM, Jeff Cody wrote:
> On Tue, Aug 12, 2014 at 02:20:34PM +0100, Stefan Hajnoczi wrote:
> > On Fri, Aug 01, 2014 at 03:39:58PM +0200, Levente Kurusa wrote:
> > > Fixed size VPC images do not have a footer, hence the current probe
> > > function will fail and QEMU will fall back to the raw_bsd driver, which
> > > is
> > > not the correct behaviour. The specification of the format says that
> > > fixed
> > > size images have a footer as the last 512 bytes of the file. The footer
> > > is
> > > exactly the same as the header would be in the case of dynamically
> > > growing
> > > images.
> > >
> > > For this, we need to read the last 512 bytes of the image, however the
> > > current mechanics predominantly read the first 2048 bytes and pass that
> > > as a buffer to the probe functions. Solve this by passing the
> > > BlockDriverState to the probe functions, hence giving them a chance to
> > > read
> > > the extra bytes they might need.
> >
> > I hesitate to add patches that extend image format probing. For the
> > past few years we have always recommended that image files should not be
> > probed.
> >
> > Image probing is prone to security issues because a malicious guest can
> > modify a raw or vpc image by putting another image format header at
> > sector 0. The next time QEMU opens the image it will detect a different
> > format. One evil trick is to refer to a file on the host file system as
> > the backing file, now you can read any file that the QEMU process has
> > access to.
Yea, good point. The current state of probing is actually quite bad,
just take a look at dmg_probe in block/dmg.c :-(
> >
> > Probing also complicates live migration. The source host still has the
> > image file open and may write to it. The destination host shouldn't
> > even read from the image file before handover to avoid file cache
> > coherency issues.
> >
> > Probing is broken. It shouldn't be used. We shouldn't extend it
> > (especially by adding more I/Os).
Even though, my series would have only added one extra I/O in the case
of failing VPC images, I have to admit you are right.
>
> For 2.2, maybe we should limit probing to only certain operations (e.g.
> qemu-img info) - or perhaps just remove the capability altogether, or
> at least start phasing it out with a warning message that automatic
> format detection is deprecated and may be unsafe.
>
Considering the fact that most open functions already check the magic
numbers, and they do a lot better/safer job at it, we could just swap
the probe functions with the open ones and just insert an fprintf
when format is not specified doing what Jeff suggested.
Any objections to this?
(This would also solve the VPC-fixed-size bug, since vpc_open already
checks the footer if the header is not found)
Thanks,
Levente Kurusa
next prev parent reply other threads:[~2014-08-14 14:42 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-01 13:39 [Qemu-devel] [PATCH 0/3] vpc: support probing of fixed size images Levente Kurusa
2014-08-01 13:39 ` [Qemu-devel] [PATCH 1/3] block: format: pass down the current state to the format's probe function Levente Kurusa
2014-08-01 13:40 ` [Qemu-devel] [PATCH 2/3] block: vpc: introduce vpc_check_signature function Levente Kurusa
2014-08-01 13:40 ` [Qemu-devel] [PATCH 3/3] block: vpc: handle fixed size images in probe function Levente Kurusa
2014-08-12 13:20 ` [Qemu-devel] [PATCH 0/3] vpc: support probing of fixed size images Stefan Hajnoczi
2014-08-12 13:35 ` Jeff Cody
2014-08-14 14:42 ` Levente Kurusa [this message]
2014-08-14 14:57 ` Jeff Cody
2014-08-15 10:55 ` Kevin Wolf
2014-08-15 11:21 ` Markus Armbruster
2014-08-15 12:28 ` Jeff Cody
2014-08-15 12:59 ` Markus Armbruster
2014-08-15 13:13 ` Eric Blake
2014-08-15 13:25 ` Jeff Cody
2014-08-15 12:14 ` Jeff Cody
2014-08-15 13:19 ` Eric Blake
2014-08-15 13:37 ` Kevin Wolf
2014-08-15 13:52 ` Jeff Cody
2014-08-15 14:00 ` Eric Blake
2014-08-15 14:10 ` Jeff Cody
2014-08-15 14:22 ` Eric Blake
2014-08-15 14:51 ` Jeff Cody
2014-08-15 14:42 ` Kevin Wolf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1643597569.19303034.1408027347194.JavaMail.zimbra@redhat.com \
--to=lkurusa@redhat.com \
--cc=drjones@redhat.com \
--cc=famz@redhat.com \
--cc=jcody@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=sw@weilnetz.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).