From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50354) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XkERo-0005G4-N1 for qemu-devel@nongnu.org; Fri, 31 Oct 2014 11:50:28 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Xjp4H-0002YI-MV for qemu-devel@nongnu.org; Thu, 30 Oct 2014 08:43:21 -0400 Received: from mx1.redhat.com ([209.132.183.28]:40097) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Xjp4H-0002Y4-FI for qemu-devel@nongnu.org; Thu, 30 Oct 2014 08:43:09 -0400 Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s9UCh7FW020863 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for ; Thu, 30 Oct 2014 08:43:08 -0400 Date: Thu, 30 Oct 2014 13:43:01 +0100 From: Kevin Wolf Message-ID: <20141030124301.GD9097@noname.str.redhat.com> References: <1414671976-5353-1-git-send-email-kwolf@redhat.com> <1414671976-5353-4-git-send-email-kwolf@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1414671976-5353-4-git-send-email-kwolf@redhat.com> Subject: Re: [Qemu-devel] [PATCH 3/4] raw: Prohibit dangerous writes for probed images List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: jcody@redhat.com, armbru@redhat.com, stefanha@redhat.com, mreitz@redhat.com Am 30.10.2014 um 13:26 hat Kevin Wolf geschrieben: > If the user neglects to specify the image format, QEMU probes the > image to guess it automatically, for convenience. > > Relying on format probing is insecure for raw images (CVE-2008-2004). > If the guest writes a suitable header to the device, the next probe > will recognize a format chosen by the guest. A malicious guest can > abuse this to gain access to host files, e.g. by crafting a QCOW2 > header with backing file /etc/shadow. > > Commit 1e72d3b (April 2008) provided -drive parameter format to let > users disable probing. Commit f965509 (March 2009) extended QCOW2 to > optionally store the backing file format, to let users disable backing > file probing. QED has had a flag to suppress probing since the > beginning (2010), set whenever a raw backing file is assigned. > > All of these additions that allow to avoid format probing have to be > specified explicitly. The default still allows the attack. > > In order to fix this, commit 79368c8 (July 2010) put probed raw images > in a restricted mode, in which they wouldn't be able to overwrite the > first few bytes of the image so that they would identify as a different > image. If a write to the first sector would write one of the signatures > of another driver, qemu would instead zero out the first four bytes. > This patch was later reverted in commit 8b33d9e (September 2010) because > it didn't get the handling of unaligned qiov members right. > > Today's block layer that is based on coroutines and has qiov utility > functions makes it much easier to get this functionality right, so this > patch implements it. > > The other differences of this patch to the old one are that it doesn't > silently write something different than the guest requested by zeroing > out some bytes (it fails the request instead) and that it doesn't > maintain a list of signatures in the raw driver (it calls the usual > probe function instead). > > Signed-off-by: Kevin Wolf I was a little too quick with sending this out, so I'll have to point out a bug myself, but the idea should be clear enough to have a discussion. > diff --git a/block/raw_bsd.c b/block/raw_bsd.c > index 401b967..80f3a50 100644 > --- a/block/raw_bsd.c > +++ b/block/raw_bsd.c > @@ -58,8 +58,52 @@ static int coroutine_fn raw_co_readv(BlockDriverState *bs, int64_t sector_num, > static int coroutine_fn raw_co_writev(BlockDriverState *bs, int64_t sector_num, > int nb_sectors, QEMUIOVector *qiov) > { > + void *buf = NULL; > + BlockDriver *drv; > + QEMUIOVector local_qiov; > + int ret; > + > + if (bs->probed && sector_num == 0) { > + /* As long as these conditions are true, we can't get partial writes to > + * the probe buffer and can just directly check the request. */ > + QEMU_BUILD_BUG_ON(BLOCK_PROBE_BUF_SIZE != 512); > + QEMU_BUILD_BUG_ON(BDRV_SECTOR_SIZE != 512); > + > + buf = g_try_malloc(512); Should be qemu_try_blockalign(). > + if (!buf) { > + ret = -ENOMEM; > + goto fail; > + } > + > + ret = qemu_iovec_to_buf(qiov, 0, buf, 512); > + if (ret != 512) { > + ret = -EINVAL; > + goto fail; > + } > + > + drv = bdrv_probe_all(buf, 512, NULL); > + if (drv != bs->drv) { > + ret = -EPERM; > + goto fail; > + } > + > + /* Use the checked buffer, a malicious guest might be overwriting its > + * original buffer in the background. */ > + qemu_iovec_init(&local_qiov, qiov->niov + 1); > + qemu_iovec_add(&local_qiov, buf, 512); > + qemu_iovec_concat(&local_qiov, qiov, 0, qiov->size - 512); And here the offset obviously needs to be 512 instead of 0. > + qiov = &local_qiov; > + } > + > BLKDBG_EVENT(bs->file, BLKDBG_WRITE_AIO); > - return bdrv_co_writev(bs->file, sector_num, nb_sectors, qiov); > + ret = bdrv_co_writev(bs->file, sector_num, nb_sectors, qiov); > + > +fail: > + if (qiov == &local_qiov) { > + qemu_iovec_destroy(&local_qiov); > + } > + g_free(buf); > + return ret; > } Kevin