qemu-devel.nongnu.org archive mirror
From: Stefan Hajnoczi <stefanha@redhat.com>
To: Levente Kurusa <lkurusa@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Stefan Weil <sw@weilnetz.de>,
	Andrew Jones <drjones@redhat.com>, Fam Zheng <famz@redhat.com>,
	QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH 0/3] vpc: support probing of fixed size images
Date: Tue, 12 Aug 2014 14:20:34 +0100
Message-ID: <20140812132034.GM20490@stefanha-thinkpad.redhat.com>
In-Reply-To: <1406900401-19550-1-git-send-email-lkurusa@redhat.com>


On Fri, Aug 01, 2014 at 03:39:58PM +0200, Levente Kurusa wrote:
> Fixed size VPC images do not have a footer, hence the current probe
> function will fail and QEMU will fall back to the raw_bsd driver, which is
> not the correct behaviour. The specification of the format says that fixed
> size images have a footer as the last 512 bytes of the file. The footer is
> exactly the same as the header would be in the case of dynamically growing
> images.
> 
> For this, we need to read the last 512 bytes of the image, however the
> current mechanics predominantly read the first 2048 bytes and pass that
> as a buffer to the probe functions. Solve this by passing the
> BlockDriverState to the probe functions, hence giving them a chance to read
> the extra bytes they might need.

I hesitate to add patches that extend image format probing.  For the
past few years we have always recommended that image files should not be
probed.

Image probing is prone to security issues because a malicious guest can
modify a raw or vpc image by putting another image format header at
sector 0.  The next time QEMU opens the image it will detect a different
format.  One evil trick is to refer to a file on the host file system as
the backing file, now you can read any file that the QEMU process has
access to.

Probing also complicates live migration.  The source host still has the
image file open and may write to it.  The destination host shouldn't
even read from the image file before handover to avoid file cache
coherency issues.

Probing is broken.  It shouldn't be used.  We shouldn't extend it
(especially by adding more I/Os).

QEMU has the explicit -drive format= option.  qemu-img has -F and -O
options to specify the format.

Can you use format=vpc?

Stefan
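
A defender-side audit for the probing risk described in this message, added here as an example (it is not part of the original mail or of QEMU's code): it checks whether an image that is configured as raw carries another format's header at sector 0, and reports any backing file a qcow2 header names. The function names and the sample header are constructed for illustration; the 2048-byte read mirrors the probe buffer size mentioned in the quoted cover letter.

```python
import struct

# Well-known magic bytes that image formats place at offset 0.
MAGICS = {
    b"QFI\xfb": "qcow2",
    b"KDMV": "vmdk",
    b"QED\x00": "qed",
    b"vhdxfile": "vhdx",
    b"conectix": "vpc",
}

def probe_sector0(buf: bytes):
    """Return (format, backing_file) that a header at offset 0 would suggest."""
    for magic, fmt in MAGICS.items():
        if not buf.startswith(magic):
            continue
        backing = None
        if fmt == "qcow2" and len(buf) >= 20:
            # qcow2 header, big-endian: magic(4) version(4)
            # backing_file_offset(8) backing_file_size(4)
            off, size = struct.unpack(">QI", buf[8:20])
            if off and size:
                if off + size <= len(buf):
                    backing = buf[off:off + size].decode("utf-8", "replace")
                else:
                    backing = "<outside sampled bytes>"
        return fmt, backing
    return None, None

def audit(declared_format: str, buf: bytes):
    """Return a finding if a raw image would be probed as something else."""
    fmt, backing = probe_sector0(buf)
    if declared_format != "raw" or fmt is None:
        return None
    finding = f"raw image carries a {fmt} header at sector 0"
    if backing:
        finding += f", naming backing file {backing!r}"
    return finding

def audit_file(path: str, declared_format: str):
    """Audit the first 2048 bytes of an image file on disk."""
    with open(path, "rb") as f:
        return audit(declared_format, f.read(2048))

def constructed_sample() -> bytes:
    """Constructed test input: minimal qcow2-style header with a backing name."""
    name = b"/constructed/example/path"
    hdr = b"QFI\xfb" + struct.pack(">IQI", 2, 512, len(name))
    return hdr.ljust(512, b"\0") + name
```

A finding from this check means the image must only ever be opened with an explicit format, as the message recommends.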
