Date: Tue, 4 Nov 2014 15:25:44 +0000
From: Stefan Hajnoczi
To: Kevin Wolf
Cc: jcody@redhat.com, Max Reitz, Markus Armbruster, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing
Message-ID: <20141104152544.GA28330@stefanha-thinkpad.redhat.com>
In-Reply-To: <20141104101133.GB4119@noname.redhat.com>

On Tue, Nov 04, 2014 at 11:11:33AM +0100, Kevin Wolf wrote:
> On 03.11.2014 at 16:05, Stefan Hajnoczi wrote:
> > The argument that there might not be a traditional filename doesn't make
> > sense to me. When there is no filename the command-line is already
> > sufficiently complex and usage is fancy enough that probing adds no
> > convenience, the user can just specify the format.
>
> -hda nbd://localhost
> -drive file=nbd://localhost,format=raw
>
> Almost double the length, and I don't see anything fancy in the first
> line.
>
> > Anyway, does this sound reasonable:
> >
> > In QEMU 3.0, require the format= option for -drive. Keep probing the
> > way it is for non-drive options because they are used for convenience by
> > local users.
>
> And being hacked while using -hda is better in which way?

Markus is proposing that we look at the filename extension. In that case
QEMU cannot be tricked by the contents of a raw image. That makes -hda
perfectly safe although there are cases where QEMU doesn't know what to do
and requires format=.

I do worry that changing QEMU's probing behavior drastically can lead to
consistencies where libvirt does its own probing :(. Haven't thought
through the bug scenarios but that could be a security problem in itself.

Stefan
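The risk discussed in this thread is that a guest can write another format's header into a raw image and content-based probing on the host then opens it as that format. The following is an added example, not code from QEMU or from this patch series: a host-side audit that applies the extension-first policy Markus proposes and flags images whose declared or extension-implied format is raw but whose first bytes carry a foreign format magic. The magic values are the published ones for each format; the extension table, the policy rules and the sample headers are constructed assumptions for the example.

```python
# Published magic bytes that content probing keys on (qcow/qcow2, VMDK,
# VPC/VHD, VHDX). Not taken from the mail thread.
FORMAT_MAGIC = {
    b"QFI\xfb": "qcow2",
    b"KDMV": "vmdk",
    b"conectix": "vpc",
    b"vhdxfile": "vhdx",
}

# Extension-to-format table: an assumption for this example, not QEMU's own.
EXT_FORMAT = {"qcow2": "qcow2", "qcow": "qcow2", "vmdk": "vmdk",
              "vhd": "vpc", "vhdx": "vhdx", "img": "raw", "raw": "raw"}


def probe_magic(header: bytes):
    """Return the format whose magic the header starts with, or None."""
    for magic, fmt in FORMAT_MAGIC.items():
        if header.startswith(magic):
            return fmt
    return None


def format_from_extension(filename: str):
    """Extension-based guess (the 'look at the filename extension' idea)."""
    if "." not in filename.rsplit("/", 1)[-1]:
        return None
    return EXT_FORMAT.get(filename.rsplit(".", 1)[-1].lower())


def check_image(filename: str, header: bytes, explicit_format=None):
    """Return (format_to_open, warning_or_None).

    Policy (assumed): an explicit format= always wins and is never warned
    about; otherwise the extension decides; content probing is a last resort.
    """
    probed = probe_magic(header)
    if explicit_format:
        return explicit_format, None
    by_ext = format_from_extension(filename)
    chosen = by_ext or probed or "raw"
    if chosen == "raw" and probed:
        return chosen, (f"{filename}: raw image begins with {probed} magic; "
                        "content probing would open it as that format")
    if by_ext is None and probed:
        return chosen, f"{filename}: format decided by content probing only; pass format="
    return chosen, None


# Constructed sample headers: a qcow2-looking header and an all-zero raw start.
QCOW2_HDR = b"QFI\xfb" + b"\x00\x00\x00\x03" + b"\x00" * 8
RAW_HDR = b"\x00" * 16
```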