From: Stefan Hajnoczi
Date: Tue, 25 Nov 2014 16:51:34 +0000
To: Kevin Wolf
Cc: jcody@redhat.com, mreitz@redhat.com, qemu-devel@nongnu.org, stefanha@redhat.com, armbru@redhat.com
Subject: Re: [Qemu-devel] [PATCH v3 7/9] raw: Prohibit dangerous writes for probed images
Message-ID: <20141125165134.GC22421@stefanha-thinkpad.redhat.com>
In-Reply-To: <1416497234-29880-8-git-send-email-kwolf@redhat.com>

On Thu, Nov 20, 2014 at 04:27:12PM +0100, Kevin Wolf wrote:
> If the user neglects to specify the image format, QEMU probes the
> image to guess it automatically, for convenience.
>
> Relying on format probing is insecure for raw images (CVE-2008-2004).
> If the guest writes a suitable header to the device, the next probe
> will recognize a format chosen by the guest. A malicious guest can
> abuse this to gain access to host files, e.g. by crafting a QCOW2
> header with backing file /etc/shadow.
>
> Commit 1e72d3b (April 2008) provided -drive parameter format to let
> users disable probing. Commit f965509 (March 2009) extended QCOW2 to
> optionally store the backing file format, to let users disable backing
> file probing. QED has had a flag to suppress probing since the
> beginning (2010), set whenever a raw backing file is assigned.
>
> All of these additions that allow avoiding format probing have to be
> specified explicitly. The default still allows the attack.
>
> In order to fix this, commit 79368c8 (July 2010) put probed raw images
> in a restricted mode, in which they wouldn't be able to overwrite the
> first few bytes of the image so that they would identify as a different
> image. If a write to the first sector would write one of the signatures
> of another driver, qemu would instead zero out the first four bytes.
> This patch was later reverted in commit 8b33d9e (September 2010) because
> it didn't get the handling of unaligned qiov members right.
>
> Today's block layer, which is based on coroutines and has qiov utility
> functions, makes it much easier to get this functionality right, so this
> patch implements it.
>
> The other differences between this patch and the old one are that it
> doesn't silently write something different than the guest requested by
> zeroing out some bytes (it fails the request instead) and that it
> doesn't maintain a list of signatures in the raw driver (it calls the
> usual probe function instead).
>
> Note that this change doesn't introduce new breakage for false positive
> cases where the guest legitimately writes data into the first sector
> that matches the signatures of an image format (e.g. for nested virt):
> These cases were broken before, only the failure mode changes from
> corruption after the next restart (when the wrong format is probed) to
> failing the problematic write request.
>
> Also note that like in the original patch, the restrictions only apply
> if the image format has been guessed by probing. Explicitly specifying a
> format allows guests to write anything they like.
>
> Signed-off-by: Kevin Wolf
> Reviewed-by: Eric Blake
> Reviewed-by: Max Reitz
> ---
>  block.c                   |  5 ++--
>  block/raw_bsd.c           | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
>  include/block/block_int.h |  3 +++
>  3 files changed, 69 insertions(+), 3 deletions(-)

Reviewed-by: Stefan Hajnoczi
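The guard described in the quoted commit message, modelled as an added Python example (not QEMU's code, and not part of the original mail): a raw driver opened by probing rebuilds the first sector as it would look after a write request, runs the probe over it, and fails the request with -EPERM if anything other than raw would be recognised. Only the magic strings are real on-disk signatures (qcow2 "QFI\xfb", QED "QED\0", VMDK "KDMV"); the probe functions, the Image and RawDriver classes and the attack() helper are simplified stand-ins and are assumptions of this example. Merging the request into a copy of the existing sector is what makes a partial or unaligned write (one byte at offset 3 completing a magic written earlier) get the same check as a full-sector write, the case the 2010 patch got wrong.

```python
"""Model of "raw: Prohibit dangerous writes for probed images" (added example,
not QEMU code).  Magic strings are the real signatures; everything else is a
simplified stand-in for QEMU's bdrv_probe() functions and raw driver."""
import errno
import struct

SECTOR = 512  # the guard only cares about the first sector of the image


# Simplified probe functions: signature checks only (assumption: QEMU's real
# probes score candidates, this model just matches the magic).
def probe_qcow2(buf):
    return buf[:4] == b"QFI\xfb"


def probe_qed(buf):
    return buf[:4] == b"QED\x00"


def probe_vmdk(buf):
    return buf[:4] == b"KDMV"


PROBES = {"qcow2": probe_qcow2, "qed": probe_qed, "vmdk": probe_vmdk}


def probe_format(first_sector):
    """What a later '-drive file=...' without format= would guess."""
    for name, fn in PROBES.items():
        if fn(first_sector):
            return name
    return "raw"  # nothing matched: raw is the fallback


class Image:
    """Zero-filled byte array standing in for the host image file."""

    def __init__(self, size):
        self.data = bytearray(size)


class RawDriver:
    def __init__(self, image, probed):
        self.image = image
        self.probed = probed  # True: format was guessed; False: given explicitly

    def write(self, offset, data):
        """Return 0 on success, -EPERM if refused (nothing is written then)."""
        end = offset + len(data)
        if self.probed and offset < SECTOR:
            # Rebuild the first sector as it would look after this request,
            # merging the (possibly partial, unaligned) request into a copy of
            # the bytes already there, then ask the usual probe about it.
            first = bytearray(self.image.data[:SECTOR])
            hi = min(end, SECTOR)
            first[offset:hi] = data[:hi - offset]
            if probe_format(bytes(first)) != "raw":
                return -errno.EPERM  # fail the request, do not silently alter it
        self.image.data[offset:end] = data
        return 0


def qcow2_header_with_backing(backing_file):
    """Minimal qcow2 v2 header (72 bytes) followed by the backing file name,
    the kind of header a guest would write to point the next probe at a host
    file.  Fields: magic, version, backing_file_offset, backing_file_size."""
    name = backing_file.encode()
    hdr = struct.pack(">4sIQI", b"QFI\xfb", 2, 72, len(name))
    return hdr.ljust(72, b"\0") + name


def attack(probed):
    """Guest writes a qcow2 header naming /etc/shadow into sector 0.
    Returns (write result, format a later probe of the image would guess)."""
    img = Image(1 << 20)  # constructed 1 MiB image, all zeros
    drv = RawDriver(img, probed=probed)
    rc = drv.write(0, qcow2_header_with_backing("/etc/shadow"))
    return rc, probe_format(bytes(img.data[:SECTOR]))


if __name__ == "__main__":
    # Probed raw image: the write is refused and the image still probes as raw.
    print("probed:", attack(probed=True))
    # Explicit format=raw: the write goes through, but no probe runs on reopen,
    # so the header is just guest data.
    print("explicit:", attack(probed=False))
```

The check is only reached when the driver was selected by probing; with an explicit format the same write succeeds, matching the commit message's note that explicitly specifying a format lets the guest write anything.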