From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:39325) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XHCEz-0006F8-7F for qemu-devel@nongnu.org; Tue, 12 Aug 2014 09:35:59 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XHCEt-0006zR-20 for qemu-devel@nongnu.org; Tue, 12 Aug 2014 09:35:53 -0400
Received: from mx1.redhat.com ([209.132.183.28]:41597) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XHCEs-0006z8-RE for qemu-devel@nongnu.org; Tue, 12 Aug 2014 09:35:46 -0400
Date: Tue, 12 Aug 2014 09:35:42 -0400
From: Jeff Cody
Message-ID: <20140812133542.GA6876@localhost.localdomain>
References: <1406900401-19550-1-git-send-email-lkurusa@redhat.com> <20140812132034.GM20490@stefanha-thinkpad.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20140812132034.GM20490@stefanha-thinkpad.redhat.com>
Subject: Re: [Qemu-devel] [PATCH 0/3] vpc: support probing of fixed size images
To: Stefan Hajnoczi
Cc: Kevin Wolf, Levente Kurusa, Fam Zheng, Stefan Weil, Andrew Jones, QEMU Developers

On Tue, Aug 12, 2014 at 02:20:34PM +0100, Stefan Hajnoczi wrote:
> On Fri, Aug 01, 2014 at 03:39:58PM +0200, Levente Kurusa wrote:
> > Fixed size VPC images do not have a footer, hence the current probe
> > function will fail and QEMU will fall back to the raw_bsd driver, which is
> > not the correct behaviour. The specification of the format says that fixed
> > size images have a footer as the last 512 bytes of the file. The footer is
> > exactly the same as the header would be in the case of dynamically growing
> > images.
> >
> > For this, we need to read the last 512 bytes of the image, however the
> > current mechanics predominantly read the first 2048 bytes and pass that
> > as a buffer to the probe functions. Solve this by passing the
> > BlockDriverState to the probe functions, hence giving them a chance to read
> > the extra bytes they might need.
>
> I hesitate to add patches that extend image format probing. For the
> past few years we have always recommended that image files should not be
> probed.
>
> Image probing is prone to security issues because a malicious guest can
> modify a raw or vpc image by putting another image format header at
> sector 0. The next time QEMU opens the image it will detect a different
> format. One evil trick is to refer to a file on the host file system as
> the backing file, now you can read any file that the QEMU process has
> access to.
>
> Probing also complicates live migration. The source host still has the
> image file open and may write to it. The destination host shouldn't
> even read from the image file before handover to avoid file cache
> coherency issues.
>
> Probing is broken. It shouldn't be used. We shouldn't extend it
> (especially by adding more I/Os).
>

For 2.2, maybe we should limit probing to only certain operations (e.g. qemu-img info) - or perhaps just remove the capability altogether, or at least start phasing it out with a warning message that automatic format detection is deprecated and may be unsafe.

Jeff
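A defender-side check for the probing problem Stefan describes, added here as an example and not code from this thread or from QEMU: it scans an image that the operator believes is raw for format magics in the regions a probe would examine (sector 0, plus the trailing 512-byte VPC footer the series proposes to read) and builds the explicit `format=` drive argument that avoids probing altogether. Magic values and the qcow2 header layout follow the public format specifications; the sample images are constructed, not real disks.

```python
import struct

SECTOR = 512

# Magics QEMU's probes look for at offset 0 (qcow2, VMDK sparse, VPC dynamic).
# Fixed-size VPC images instead carry the "conectix" footer in the last 512
# bytes, which is the region the patch series proposed to start probing.
HEAD_MAGICS = {
    b"QFI\xfb": "qcow2",
    b"KDMV": "vmdk",
    b"conectix": "vpc (dynamic, header copy)",
}
VPC_FOOTER_MAGIC = b"conectix"


def scan_raw_image(data: bytes) -> list[str]:
    """Report format magics found where a probe would look.

    A raw image is fully guest-writable, so any known header in these regions
    may have been written by the guest; an open without an explicit format
    would then pick that format instead of raw."""
    findings = []
    head = data[:SECTOR]
    for magic, name in HEAD_MAGICS.items():
        if head.startswith(magic):
            findings.append(f"sector 0 carries {name} magic")
            if name == "qcow2" and len(head) >= 20:
                # qcow2 header: magic, version, backing_file_offset, backing_file_size
                _, version, bf_off, bf_size = struct.unpack(">4sIQI", head[:20])
                if bf_size:
                    findings.append(f"qcow2 v{version} header declares a backing "
                                    f"file ({bf_size} bytes at offset {bf_off})")
    if len(data) >= SECTOR and data[-SECTOR:].startswith(VPC_FOOTER_MAGIC):
        findings.append("last sector carries vpc fixed-size footer magic")
    return findings


def explicit_drive_arg(path: str, fmt: str = "raw") -> str:
    """Build a -drive argument that pins the format so QEMU never probes."""
    return f"file={path},format={fmt}"


# Constructed samples: a clean raw disk, one whose sector 0 now holds a qcow2
# header declaring a backing file, and one ending in a VPC fixed-size footer.
CLEAN = bytes(4 * SECTOR)
QCOW2_AT_ZERO = struct.pack(">4sIQI", b"QFI\xfb", 2, 0x200, 16).ljust(4 * SECTOR, b"\0")
VPC_FOOTER_AT_END = bytes(3 * SECTOR) + VPC_FOOTER_MAGIC.ljust(SECTOR, b"\0")

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("qcow2@0", QCOW2_AT_ZERO), ("vpc-footer", VPC_FOOTER_AT_END)):
        print(label, scan_raw_image(img) or ["no format magic found"])
    print(explicit_drive_arg("/var/lib/images/guest.img"))
```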