qemu-devel.nongnu.org archive mirror
From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Re: qemu unchecked block read/write vulnerability
Date: Tue, 26 Feb 2008 19:46:51 +0000
Message-ID: <20080226194651.GA5337@redhat.com>
In-Reply-To: <18363.1579.148100.523614@mariner.uk.xensource.com>

On Tue, Feb 19, 2008 at 04:39:07PM +0000, Ian Jackson wrote:
> I was doing some merging of qemu and I noticed that the block driver
> backends don't check the guest's read/write attempts against the
> nominal size of the block device.
> 
> I haven't checked all of the backends but I have verified the bug with
> block-cow.c, which I have in my test induced to set a bitmap bit at an
> address which is not actually part of the bitmap.  In my tests I used
> as my guest a Linux kernel which I'd specially modified to allow me to
> access out-of-range blocks.
> 
> I think the fix is probably to insert a couple of range checks in the
> generic block dispatch layer and I attach a patch to achieve this.

FYI, this patch appears to cause massive unrecoverable data corruption for
qcow2 format disks. It looks like the sector range check is being applied
to the total sector count of the actual qcow datafile on disk, rather
than the total sector count of the logical disk. I suspect the same may
occur with other non-raw disk formats, so be wary....

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
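The failure mode Dan describes is a bounds check applied to the wrong quantity: for a sparse format such as qcow2 the container file on the host is normally far smaller than the logical disk, so clamping guest requests against the file's sector count refuses legitimate I/O and the guest filesystem falls apart. The following is an added illustration, not Ian's patch and not QEMU's own block layer; the BlockDev type, the field names and the function names are hypothetical stand-ins. It places the check once in a generic dispatch routine, bounds against the logical size, and phrases the end-of-request test so that a guest-chosen start sector near INT64_MAX cannot wrap the arithmetic.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical block device state (not QEMU's BlockDriverState).  A
 * format like qcow2 grows its container file lazily, so file_sectors is
 * normally far smaller than the logical size total_sectors. */
typedef struct {
    int64_t total_sectors;   /* logical disk size seen by the guest */
    int64_t file_sectors;    /* current size of the image file on the host */
    int backend_calls;       /* how many requests reached the format driver */
} BlockDev;

/* The mistake the reply describes: clamping against the container file's
 * sector count.  Guest I/O to any logical sector past the current file
 * length is rejected, which the guest sees as I/O errors and, on a
 * filesystem that keeps going, as corruption. */
static bool range_ok_wrong(const BlockDev *bs, int64_t sector_num, int nb_sectors)
{
    if (sector_num < 0 || nb_sectors < 0 || sector_num > bs->file_sectors)
        return false;
    return (int64_t)nb_sectors <= bs->file_sectors - sector_num;
}

/* Check against the logical size, and test the end of the request as
 * nb_sectors <= total - start, so that sector_num + nb_sectors is never
 * computed (it could wrap for a guest-chosen sector_num near INT64_MAX). */
static bool range_ok(const BlockDev *bs, int64_t sector_num, int nb_sectors)
{
    if (sector_num < 0 || nb_sectors < 0 || sector_num > bs->total_sectors)
        return false;
    return (int64_t)nb_sectors <= bs->total_sectors - sector_num;
}

/* Generic dispatch: the check lives here, once, so every format backend
 * (cow, qcow2, vmdk, ...) is covered without touching each driver.
 * Returns 0 on success, -1 if the request was refused before reaching
 * the backend. */
static int bdrv_rw_checked(BlockDev *bs, int64_t sector_num, int nb_sectors)
{
    if (!range_ok(bs, sector_num, nb_sectors))
        return -1;
    bs->backend_calls++;     /* stands in for drv->bdrv_read / bdrv_write */
    return 0;
}

/* Constructed scenario: a 10 MiB logical disk whose qcow2 file has only
 * 256 KiB allocated so far (20480 vs 512 sectors of 512 bytes). */
static BlockDev sparse_qcow2(void)
{
    BlockDev d = { .total_sectors = 20480, .file_sectors = 512, .backend_calls = 0 };
    return d;
}

int main(void)
{
    BlockDev d = sparse_qcow2();
    /* A normal write in the middle of the logical disk: the wrong check
     * refuses it, the right one lets it through. */
    printf("sector 10000 x8: wrong=%d right=%d\n",
           range_ok_wrong(&d, 10000, 8), range_ok(&d, 10000, 8));
    /* The last 8 sectors of the disk: allowed. */
    printf("tail 20472 x8: right=%d\n", range_ok(&d, 20472, 8));
    /* One sector past the end: refused. */
    printf("past end 20473 x8: right=%d\n", range_ok(&d, 20473, 8));
    /* Huge offset that would wrap a naive start+count sum: refused. */
    printf("INT64_MAX x1: right=%d\n", range_ok(&d, INT64_MAX, 1));
    /* Dispatch only reaches the backend for in-range requests. */
    printf("dispatch ok=%d refused=%d backend_calls=%d\n",
           bdrv_rw_checked(&d, 0, 1), bdrv_rw_checked(&d, 20480, 1),
           d.backend_calls);
    return 0;
}
```

In a real block layer the logical size would come from the format driver's header (qcow2's size field, the cow header, and so on) rather than from the host file's length, and the same check has to run on every entry point that takes a guest sector number, including the asynchronous read/write paths.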


Thread overview: 3+ messages
     [not found] <18357.41225.339899.42406@mariner.uk.xensource.com>
     [not found] ` <18361.51456.355866.87742@mariner.uk.xensource.com>
     [not found]   ` <fb249edb0802182039x4b5e5ef1gddd418ca74d3affd@mail.gmail.com>
2008-02-19 16:39     ` [Qemu-devel] Re: qemu unchecked block read/write vulnerability Ian Jackson
2008-02-26 19:46       ` Daniel P. Berrange [this message]
2008-02-27  0:01         ` Daniel P. Berrange
