From: Stefan Hajnoczi
Date: Thu, 30 Oct 2014 09:24:15 +0000
Subject: Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing
To: Markus Armbruster
Cc: Kevin Wolf, Stefan Hajnoczi, jcody@redhat.com, qemu-devel@nongnu.org
Message-ID: <20141030092415.GA30746@stefanha-thinkpad.redhat.com>
In-Reply-To: <877fzi53jl.fsf@blackfin.pond.sub.org>

On Thu, Oct 30, 2014 at 10:07:26AM +0100, Markus Armbruster wrote:
> Stefan Hajnoczi writes:
>
> > On Wed, Oct 29, 2014 at 02:54:32PM +0100, Markus Armbruster wrote:
> >> Kevin Wolf writes:
> >>
> >> > On 28.10.2014 at 17:03, Markus Armbruster wrote:
> >> > Instead, let me try once more to sell my old proposal [1] from the
> >> > thread you mentioned:
> >> >
> >> >> What if we let the raw driver know that it was probed and then it
> >> >> enables a check that returns -EIO for any write on the first 2k if that
> >> >> write would make the image look like a different format?
> >> >
> >> > Attacks the problem where it arises instead of trying to detect the
> >> > outcome of it, and works in whatever way it is nested in the BDS graph
> >> > and whatever way is used to address the image file.
> >
> > I think this is too clever.  It's another thing to debug if a guest
> > starts hitting EIO.
> >
> > My opinion on probing is: it's ugly but let's leave it for QEMU 3.0 at
> > which point we implement Markus's solution with exit(1).
>
> I regard my patch as a necessary preliminary step for that.  Warn now,
> change behavior a couple of releases later.  When exactly is debatable.
>
> > In the meantime the CVE has been known for a long time so vulnerable
> > users (VM hosting, cloud, etc) have the information they need.  Many are
> > automatically protected by libvirt.
>
> The warning hopefully helps libvirt developers with keeping libvirt
> users fully protected.

I'm happy with this approach (haven't reviewed the patches in detail
yet).

Stefan
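
The write check proposed in the quoted text above, sketched as an added example (not part of this message and not QEMU code). The names `raw_guard_write`, `probe_head` and `sigs` are hypothetical, and the signature table is a constructed subset of offset-0 magics; a real prober scores formats and checks more than the magic.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROBE_WINDOW 2048 /* the "first 2k" named in the proposal */

/* Constructed subset of image-format magics found at offset 0. */
static const struct { const char *name; const char *magic; size_t len; } sigs[] = {
    { "qcow/qcow2", "QFI\xfb", 4 },
    { "vmdk",       "KDMV",    4 },
    { "vpc",        "conectix", 8 },
    { "qed",        "QED\0",   4 },
};

/* Name of the format this header would probe as, or NULL if it stays raw. */
static const char *probe_head(const uint8_t *head)
{
    for (size_t i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++) {
        if (memcmp(head, sigs[i].magic, sigs[i].len) == 0) {
            return sigs[i].name;
        }
    }
    return NULL;
}

/*
 * Hypothetical guard for a raw image whose format was probed, not specified.
 * head: current first PROBE_WINDOW bytes of the image.
 * Returns 0 if the guest write may proceed, -EIO if the header as it would
 * look after the write probes as a non-raw format.
 */
int raw_guard_write(const uint8_t *head, uint64_t offset,
                    const uint8_t *buf, size_t len)
{
    uint8_t merged[PROBE_WINDOW];
    size_t n = len;

    if (len == 0 || offset >= PROBE_WINDOW) {
        return 0; /* write does not touch the probed region */
    }
    if (n > PROBE_WINDOW - offset) {
        n = PROBE_WINDOW - offset; /* only the part inside the window matters */
    }
    /* Judge the merged result, not the buffer alone: a magic can be
     * assembled from several small writes. */
    memcpy(merged, head, PROBE_WINDOW);
    memcpy(merged + offset, buf, n);
    return probe_head(merged) ? -EIO : 0;
}
```

Checking the merged header rather than the write buffer is what catches a magic written in pieces; it is also the source of the guest-visible EIO that the reply above calls "another thing to debug".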