Date: Wed, 5 Nov 2014 12:15:52 +0100
From: Kevin Wolf
To: Max Reitz
Cc: Jeff Cody, Markus Armbruster, Stefan Hajnoczi, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it
Message-ID: <20141105111552.GD6198@noname.str.redhat.com>
In-Reply-To: <5459E210.2020008@redhat.com>
References: <87lhnq3iul.fsf@blackfin.pond.sub.org> <5459E210.2020008@redhat.com>

On 05.11.2014 at 09:38, Max Reitz wrote:
> My conclusion: Don't ditch probing. It increases entropy, why would
> you ditch probing? Just combine it with the extension and if both
> don't seem to match, that's an error.

I actually kind of like this (in addition to preventing bad writes). If
we do have file name (or other metadata-specific) information that gives
us a clue, use it to double check the guess. If we don't, rely on probing
like we do today.

.qcow2 should never contain anything but qcow2, .iso should always be
raw. If we don't have a recognised extension, anything is okay. We need
to decide what to do with ambiguous extensions like .img or .vhd.

This again wouldn't be a perfect solution that catches all cases, but it
improves the situation and shouldn't cause too many compatibility issues.

> So, for fixing (b): Just use the extensions as a safeguard and issue
> a warning for now. We can discuss making it an error later.

Warnings are useless. They warn too late. It needs to be an error, and I
think when we don't require the filename check, it's reasonable enough to
do it from the start.

> And for fixing (c): As you pointed out, if guests wrote some
> probe-matching pattern in the past, it would break qemu (which is
> what we're trying to fix). Since no one ever said that some guest did
> that by accident, I think we can safely assume that prohibiting such
> writes will not hurt anyone in the future either; at least there are
> no compatibility issues

Good point, thanks for pointing it out.

Kevin
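The two mitigations discussed in this thread, cross-checking the probed format against the file extension and refusing guest writes that would make a raw image probe as something else, as an added illustration in Python. This is not QEMU's code and does not follow its driver API; it is a simplified model written for this page. Assumptions: the probe only recognises the qcow2 magic bytes "QFI\xfb" (the real qcow2 header magic) and treats everything else as raw, whereas QEMU scores every registered driver's probe; the extension rules are exactly the ones stated in the mail (.qcow2 must be qcow2, .iso must be raw, no extension means anything goes); and the ambiguous extensions .img and .vhd, which the mail leaves undecided, are treated here as unconstrained. The image headers are constructed sample data.

```python
"""Model of probe-plus-extension format selection and a raw-image write guard.

Added example, not QEMU code. Only the qcow2 magic is probed; QEMU's real
block layer runs every driver's probe function and picks the best score.
"""

QCOW2_MAGIC = b"QFI\xfb"  # real qcow2 header magic ('Q', 'F', 'I', 0xfb)

# Extension rules taken from the mail: these extensions pin the format.
STRICT_EXTENSIONS = {"qcow2": "qcow2", "iso": "raw"}

# Extensions the mail calls ambiguous. Assumption for this example: they
# impose no constraint, exactly like a file with no recognised extension.
AMBIGUOUS_EXTENSIONS = {"img", "vhd"}


def probe_format(header: bytes) -> str:
    """Simplified probe: qcow2 if the magic is present, otherwise raw."""
    if header[: len(QCOW2_MAGIC)] == QCOW2_MAGIC:
        return "qcow2"
    return "raw"


def extension_of(filename: str):
    """Return the lower-cased extension of the last path component, or None."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return None
    return name.rsplit(".", 1)[1].lower()


def mismatch_reason(filename: str, header: bytes):
    """None if the extension and the probe agree (or the extension says
    nothing); otherwise a human-readable description of the conflict."""
    probed = probe_format(header)
    expected = STRICT_EXTENSIONS.get(extension_of(filename))
    if expected is not None and expected != probed:
        return f"{filename}: extension requires {expected}, probe says {probed}"
    return None


def select_format(filename: str, header: bytes) -> str:
    """Probe the image, but turn a disagreement with a strict extension into a
    hard error (the mail argues a warning would come too late)."""
    reason = mismatch_reason(filename, header)
    if reason is not None:
        raise ValueError(reason)
    return probe_format(header)


def raw_write_allowed(current_header: bytes, offset: int, data: bytes) -> bool:
    """Guard for a raw image: reject a guest write if, after applying it, the
    start of the image would probe as qcow2. Only the bytes overlapping the
    magic region matter, so the write is applied to a copy of that region."""
    n = len(QCOW2_MAGIC)
    region = bytearray(current_header[:n].ljust(n, b"\x00"))
    for i, byte in enumerate(data):
        pos = offset + i
        if pos >= n:
            break  # the rest of the write lies beyond the probed region
        if pos >= 0:
            region[pos] = byte
    return probe_format(bytes(region)) == "raw"


if __name__ == "__main__":
    # Constructed sample headers: a qcow2-looking header and an all-zero one.
    qcow2_hdr = QCOW2_MAGIC + bytes(60)
    zero_hdr = bytes(64)
    for name, hdr in [("vm.qcow2", qcow2_hdr), ("cd.iso", zero_hdr),
                      ("vm.qcow2", zero_hdr), ("cd.iso", qcow2_hdr),
                      ("blob", qcow2_hdr), ("disk.img", qcow2_hdr)]:
        try:
            print(name, "->", select_format(name, hdr))
        except ValueError as err:
            print("rejected:", err)
    # A guest writing the magic at offset 0 of a raw image is refused;
    # the same bytes written further into the disk are fine.
    print(raw_write_allowed(zero_hdr, 0, QCOW2_MAGIC))      # False
    print(raw_write_allowed(zero_hdr, 4096, QCOW2_MAGIC))   # True
```

The write guard deliberately re-runs the same probe on the would-be header rather than pattern-matching the write buffer alone: a guest could assemble the magic across several small writes, so only the resulting state of the probed region is a sound thing to check.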