From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Kevin Wolf <kwolf@redhat.com>
Cc: jcody@redhat.com, mreitz@redhat.com, qemu-devel@nongnu.org,
stefanha@redhat.com, armbru@redhat.com
Subject: Re: [Qemu-devel] [PATCH v3 7/9] raw: Prohibit dangerous writes for probed images
Date: Fri, 21 Nov 2014 10:26:57 +0000 [thread overview]
Message-ID: <20141121102656.GF3165@work-vm> (raw)
In-Reply-To: <20141121101543.GB3956@noname.redhat.com>
* Kevin Wolf (kwolf@redhat.com) wrote:
> Am 20.11.2014 um 21:08 hat Dr. David Alan Gilbert geschrieben:
> > * Kevin Wolf (kwolf@redhat.com) wrote:
> >
> >
> > > diff --git a/block/raw_bsd.c b/block/raw_bsd.c
> > > index 401b967..2ce5409 100644
> > > --- a/block/raw_bsd.c
> > > +++ b/block/raw_bsd.c
> > > @@ -58,8 +58,58 @@ static int coroutine_fn raw_co_readv(BlockDriverState *bs, int64_t sector_num,
> > > static int coroutine_fn raw_co_writev(BlockDriverState *bs, int64_t sector_num,
> > > int nb_sectors, QEMUIOVector *qiov)
> > > {
> > > + void *buf = NULL;
> > > + BlockDriver *drv;
> > > + QEMUIOVector local_qiov;
> > > + int ret;
> > > +
> > > + if (bs->probed && sector_num == 0) {
> > > + /* As long as these conditions are true, we can't get partial writes to
> > > + * the probe buffer and can just directly check the request. */
> > > + QEMU_BUILD_BUG_ON(BLOCK_PROBE_BUF_SIZE != 512);
> > > + QEMU_BUILD_BUG_ON(BDRV_SECTOR_SIZE != 512);
> > > +
> > > + if (nb_sectors == 0) {
> > > + /* qemu_iovec_to_buf() would fail, but we want to return success
> > > + * instead of -EINVAL in this case. */
> > > + return 0;
> > > + }
> > > +
> > > + buf = qemu_try_blockalign(bs->file, 512);
> > > + if (!buf) {
> > > + ret = -ENOMEM;
> > > + goto fail;
> > > + }
> > > +
> > > + ret = qemu_iovec_to_buf(qiov, 0, buf, 512);
> > > + if (ret != 512) {
> > > + ret = -EINVAL;
> > > + goto fail;
> > > + }
> > > +
> > > + drv = bdrv_probe_all(buf, 512, NULL);
> > > + if (drv != bs->drv) {
> > > + ret = -EPERM;
> > > + goto fail;
> > > + }
> >
> > Two things about this worry me:
> > 1) It allows a running guest to prod at the probing code potentially quite
> > hard; if there is anything nasty that can be done during probing it would
> > potentially make it easier for a guest to find it.
>
> The probing functions are trivial. You can audit them in no time even
> with no previous block layer experience. They just do a few tests on the
> passed buffer.
Hmm, OK.
> > 2) We don't log anything when this failure happens so if someone hits
> > this by accident for some reason it'll confuse them no end. Could we add
> > a (1 time?) error_report/printf just so that there's something to work with ?
>
> We already log a warning on bdrv_open(). Don't you think that should be
> enough?
Imagine a place that's got lots of QEMUs running already, they'll install
the QEMU that has this fix in it and carry on; they won't look at their logs.
Then if they hit a problem with a write failure they'll get confused; the logs
in bdrv_open just tell them they should be doing something safely, they don't
tell them they've actually hit a case fo something trying to do the write.
Dave
> Kevin
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2014-11-21 10:27 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-20 15:27 [Qemu-devel] [PATCH v3 0/9] raw: Prohibit dangerous writes for probed images Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 1/9] qemu-io: Allow explicitly specifying format Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 2/9] qemu-iotests: Use qemu-io -f $IMGFMT Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 3/9] qemu-iotests: Add qemu-io format option in Python tests Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 4/9] qtests: Specify image format explicitly Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 5/9] block: Factor bdrv_probe_all() out of find_image_format() Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 6/9] block: Read only one sector for format probing Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 7/9] raw: Prohibit dangerous writes for probed images Kevin Wolf
2014-11-20 20:08 ` Dr. David Alan Gilbert
2014-11-21 10:15 ` Kevin Wolf
2014-11-21 10:26 ` Dr. David Alan Gilbert [this message]
2014-11-25 16:51 ` Stefan Hajnoczi
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 8/9] qemu-iotests: Fix stderr handling in common.qemu Kevin Wolf
2014-11-20 15:27 ` [Qemu-devel] [PATCH v3 9/9] qemu-iotests: Test writing non-raw image headers to raw image Kevin Wolf
2014-11-20 16:18 ` Max Reitz
2014-11-20 16:29 ` Kevin Wolf
2014-11-26 16:23 ` [Qemu-devel] [PATCH v3 0/9] raw: Prohibit dangerous writes for probed images Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141121102656.GF3165@work-vm \
--to=dgilbert@redhat.com \
--cc=armbru@redhat.com \
--cc=jcody@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).