Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

[Kevin Wolf <kwolf@redhat.com>]

Am 05.11.2014 um 09:38 hat Max Reitz geschrieben:
> My conclusion: Don't ditch probing. It increases entropy, why would
> you ditch probing? Just combine it with the extension and if both
> don't seem to match, that's an error.

I actually kind of like this (in addition to preventing bad writes). If
we do have file name (or other metadata-specific) information that gives
us a clue, use it to double check the guess. If we don't, rely on
probing like we do today.

.qcow2 should never contain anything but qcow2, .iso should always be
raw. If we don't have a recognised extension, anything is okay. We need
to decide what to do with ambiguous extensions like .img or .vhd.

This again wouldn't be a perfect solution that catches all cases, but
it improves the situation and shouldn't cause too many compatibility
issues.

> So, for fixing (b): Just use the extensions as a safeguard and issue
> a warning for now. We can discuss about making it an error later.

Warnings are useless. They warn too late. It needs to be an error, and I
think when we don't require the filename check, it's reasonable enough
to do it from the start.

> And for fixing (c): As you pointed out, if guests wrote some
> probe-matching pattern in the past, it would break qemu (which is
> what we're trying to fix). Since noone ever said that some guest did
> that by accident, I think we can safely assume that prohibiting such
> writes will not hurt anyone in the future either; at least there are
> no compatibility issues

Good point, thanks for pointing it out.

Kevin