From: Kevin Wolf <kwolf@redhat.com>
To: Anthony Liguori <aliguori@us.ibm.com>
Cc: qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Subject: [Qemu-devel] Re: [PATCH] Make default invocation of block drivers safer (v3)
Date: Thu, 15 Jul 2010 15:01:14 +0200 [thread overview]
Message-ID: <4C3F069A.8090609@redhat.com> (raw)
In-Reply-To: <1279198257-23681-1-git-send-email-aliguori@us.ibm.com>
Am 15.07.2010 14:50, schrieb Anthony Liguori:
> CVE-2008-2004 described a vulnerability in QEMU whereas a malicious user could
> trick the block probing code into accessing arbitrary files in a guest. To
> mitigate this, we added an explicit format parameter to -drive which disabling
> block probing.
>
> Fast forward to today, and the vast majority of users do not use this parameter.
> libvirt does not use this by default nor does virt-manager.
>
> Most users want block probing so we should try to make it safer.
>
> This patch adds some logic to the raw device which attempts to detect a write
> operation to the beginning of a raw device. If the first 4 bytes happen to
> match an image file that has a backing file that we support, it scrubs the
> signature to all zeros. If a user specifies an explicit format parameter, this
> behavior is disabled.
>
> I contend that while a legitimate guest could write such a signature to the
> header, we would behave incorrectly anyway upon the next invocation of QEMU.
> This simply changes the incorrect behavior to not involve a security
> vulnerability.
>
> I've tested this pretty extensively both in the positive and negative case. I'm
> not 100% confident in the block layer's ability to deal with zero sized writes
> particularly with respect to the aio functions so some additional eyes would be
> appreciated.
>
> Even in the case of a single sector write, we have to make sure to invoked the
> completion from a bottom half so just removing the zero sized write is not an
> option.
>
> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Acked-by: Kevin Wolf <kwolf@redhat.com>
next prev parent reply other threads:[~2010-07-15 13:01 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-15 12:50 [Qemu-devel] [PATCH] Make default invocation of block drivers safer (v3) Anthony Liguori
2010-07-15 13:01 ` Kevin Wolf [this message]
2010-07-27 17:01 ` Anthony PERARD
2010-07-27 17:16 ` Anthony Liguori
2010-07-27 17:43 ` Anthony PERARD
2010-07-27 18:25 ` Anthony Liguori
2010-09-03 8:42 ` Kevin Wolf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C3F069A.8090609@redhat.com \
--to=kwolf@redhat.com \
--cc=aliguori@us.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).