qemu-devel.nongnu.org archive mirror
From: Kevin Wolf <kwolf@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: Andrew Jones <drjones@redhat.com>, Fam Zheng <famz@redhat.com>,
	Stefan Weil <sw@weilnetz.de>, Jeff Cody <jcody@redhat.com>,
	Levente Kurusa <lkurusa@redhat.com>,
	QEMU Developers <qemu-devel@nongnu.org>,
	Stefan Hajnoczi <stefanha@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 0/3] vpc: support probing of fixed size images
Date: Fri, 15 Aug 2014 16:42:01 +0200	[thread overview]
Message-ID: <20140815144201.GG3770@noname.redhat.com> (raw)
In-Reply-To: <53EE1273.7020303@redhat.com>


On 15.08.2014 at 16:00, Eric Blake wrote:
> On 08/15/2014 07:37 AM, Kevin Wolf wrote:
> 
> > We can choose Markus's suggestion of using the file name to guess the
> > format. I don't really like it much, but it seems like a fair compromise
> > that doesn't hurt usability as much.
> 
> In other words, if a user gives a file a "known suffix", then it is
> their own fault if they made that file raw and the guest then happened
> to convert the file to the format matching the suffix?  Or would this
> start giving warnings if the known suffix doesn't match the probed contents?

You mean if the suffix doesn't match the explicit format=... option?
Because after the malicious guest has done its work, it would match
again.

> > If we don't want this, we can approach the problem from a different
> > angle: The problem is not probing per se, but that images probed as raw
> > can be written to by guests in a way that the next time they are probed
> > as something else.
> > 
> > What if we let the raw driver know that it was probed and then it
> > enables a check that returns -EIO for any write on the first 2k if that
> > write would make the image look like a different format?
> 
> Not entirely future-proof - as we add support for more formats over
> time, something that passes today could fail in the future.  Worse, a
> guest could exploit an older qemu to write a header that a newer qemu
> would reject.  But it does sound like an interesting approach
> (preventing the guest from doing something risky).

With qemu updates (or different configure options), it could happen that
the behaviour changes, yes. But if a malicious guest has to figure out
how to write a header today that will allow it to read some file on the
host after the user replaces the qemu binary, that makes it probably
hard to exploit anything in practice.

And seriously, if I wanted to use the backing file to read something on
the host, I wouldn't mess with the guest OS trying to rewrite its raw
image into qcow2 while not destroying itself (has anyone tried to write
a proof of concept for this? It doesn't look trivial if you have e.g. a
normal Linux installation that is getting hacked), but just offer the
user some (real) qcow2 for download that already has the desired backing
file path in it...

Kevin
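The write guard sketched above (a probed raw image refusing writes to the first 2k that would make it probe as another format), as an added illustration that is not QEMU's code: the three magic-at-offset probes are a constructed stand-in for QEMU's per-driver probe functions, and the caller is assumed to keep a copy of the image's current probe area.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROBE_BUF_SIZE 2048   /* the "first 2k" discussed in the thread */

/* Constructed probe table (assumption): a magic string at a fixed offset.
 * Note Eric's caveat: this table must match the probe set of the qemu that
 * will open the image next, not just the one doing the write. */
struct magic_probe { const char *name; size_t off; const char *magic; size_t len; };

static const struct magic_probe probes[] = {
    { "qcow2", 0, "QFI\xfb",   4 },  /* QCOW magic; version is checked separately */
    { "vmdk",  0, "KDMV",      4 },
    { "vpc",   0, "conectix",  8 },  /* dynamic VHDs start with a copy of the footer */
};

/* Returns the name of the first non-raw format that would claim buf, else NULL. */
const char *probe_non_raw(const uint8_t *buf, size_t size)
{
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        const struct magic_probe *p = &probes[i];
        if (p->off + p->len <= size && memcmp(buf + p->off, p->magic, p->len) == 0)
            return p->name;
    }
    return NULL;
}

/* Simulated raw-driver write path. head: the image's current first
 * PROBE_BUF_SIZE bytes; probed: whether the image was opened by probing
 * rather than with an explicit format=raw. Returns 0 and applies the write,
 * or -EIO if the probe area would afterwards look like another format.
 * The check runs on the composed result, so a header assembled across
 * several small writes is caught on the write that completes it. */
int raw_guarded_write(uint8_t *head, int probed, uint64_t offset,
                      const uint8_t *data, size_t len)
{
    if (offset >= PROBE_BUF_SIZE || len == 0)
        return 0;                       /* outside the probe area: never affected */
    size_t n = len;
    if (offset + n > PROBE_BUF_SIZE)
        n = PROBE_BUF_SIZE - offset;    /* only the part inside the probe area matters */
    if (probed) {
        uint8_t scratch[PROBE_BUF_SIZE];
        memcpy(scratch, head, PROBE_BUF_SIZE);
        memcpy(scratch + offset, data, n);
        if (probe_non_raw(scratch, PROBE_BUF_SIZE) != NULL)
            return -EIO;                /* would flip the probe result on next open */
    }
    memcpy(head + offset, data, n);
    return 0;
}
```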

