qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: Eric Blake <eblake@redhat.com>
To: Blue Swirl <blauwirbel@gmail.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
	Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>,
	"libvir-list@redhat.com" <libvir-list@redhat.com>,
	Jes Sorensen <Jes.Sorensen@redhat.com>,
	QEMU Developers <qemu-devel@nongnu.org>,
	Stefan Hajnoczi <stefanha@gmail.com>
Subject: Re: [Qemu-devel] live snapshot wiki updated
Date: Wed, 20 Jul 2011 11:41:55 -0600	[thread overview]
Message-ID: <4E271363.6080001@redhat.com> (raw)
In-Reply-To: <CAAu8pHuM_DavdFO=9hbBRztuajPNXF_pPaSxgBN2Sm6RM5yEXw@mail.gmail.com>

On 07/20/2011 11:20 AM, Blue Swirl wrote:
> There could still be some issues:
> Let's have files A, B, C etc. with backing files AA etc. How would
> libvirt know that when QEMU wants to write to file CA, this is because
> it's needed to access C, or is it just trickery by a devious guest to
> corrupt storage?

The fix for CVE-2010-2238 already deals with this: if primary image C 
refers to backing file CA of raw format, but does not state what file 
format CA contains, then a malicious guest can modify the contents of CA 
to appear to be yet another qcow2 image.  At which point, if libvirt 
follows the backing file specified in CA, then yes, the malicious guest 
really can cause libvirt to expose arbitrary file CB for manipulation by 
the guest.  But that security hole was already plugged - by default, 
libvirt refuses to probe backing files parsed from qcow2 headers for 
file format, but instead requires the outer qcow2 header to also include 
the a file format designation for the backing file.  At which point, you 
then have a safe chain: if C refers to CA, then libvirt knows that both 
C and CA are essential to the storage presented by giving qemu the file 
name C, and the guest will already be modifying CA, but there is no 
storage corruption involved.

That is, as long as libvirt can already accurately read the chain of 
backing files from any starting point, then it can hand that entire 
chain of backing files (whether by the topmost file name as it does now, 
or whether by a series of fds as is being proposed) to qemu.

>
> This could be handled so that instead of naming the backing file, QEMU
> asks for a descriptor for the backing file by presenting the
> descriptor to main file C, but I think the real solution is that
> libvirt should handle the storage formats completely and it should
> present QEMU with only a raw file like interface (read/write/seek) for
> the data. Then any backing files would be handled within libvirt.
> Performance could suffer, though.

The monitor interface was not designed to throw the 
read()/write()/seek() burden back on libvirt, and indeed that would kill 
performance so it is a non-starter idea.  All we need for security is 
the open() burden to be shifted out of qemu and into libvirt.

-- 
Eric Blake   eblake@redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org

  reply	other threads:[~2011-07-20 17:42 UTC|newest]

Thread overview: 55+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-07-15 14:58 [Qemu-devel] live snapshot wiki updated Jes Sorensen
2011-07-18 14:08 ` Stefan Hajnoczi
2011-07-19  7:24   ` Jes Sorensen
2011-07-19 13:23     ` Stefan Hajnoczi
2011-07-19 13:27       ` Jes Sorensen
2011-07-19 13:58         ` Eric Blake
2011-07-19 14:09           ` Jes Sorensen
2011-07-19 14:24             ` Eric Blake
2011-07-19 14:30               ` Jes Sorensen
2011-07-19 15:14                 ` Stefan Hajnoczi
2011-07-19 16:46                   ` Daniel P. Berrange
2011-07-20  7:30                     ` Markus Armbruster
2011-07-20  8:23                     ` Jes Sorensen
2011-07-20  9:36                       ` Daniel P. Berrange
2011-07-20 10:15                         ` [Qemu-devel] [libvirt] " Nicolas Sebrecht
2011-07-20 10:28                           ` Daniel P. Berrange
2011-07-20 11:40                             ` [Qemu-devel] [libvirt] " Stefan Hajnoczi
     [not found]                             ` <4E27E610.7090502@redhat.com>
     [not found]                               ` <4E282DE6.1020603@redhat.com>
     [not found]                                 ` <4E283554.4080903@redhat.com>
2011-07-21 14:51                                   ` Eric Blake
     [not found]                         ` <4E27E5A2.2030208@redhat.com>
     [not found]                           ` <4E28317D.9020502@redhat.com>
2011-07-21 15:01                             ` [Qemu-devel] " Stefan Hajnoczi
2011-07-21 19:42                               ` Blue Swirl
2011-07-22  5:06                                 ` Stefan Hajnoczi
2011-07-22 15:49                                   ` Blue Swirl
2011-07-22  7:22                               ` Kevin Wolf
2011-07-22  9:11                                 ` Stefan Hajnoczi
2011-07-22 16:05                                   ` Blue Swirl
2011-07-20  9:50                     ` Kevin Wolf
2011-07-20 10:18                       ` Daniel P. Berrange
2011-07-19 16:14                 ` Anthony Liguori
2011-07-20  8:25                   ` Jes Sorensen
2011-07-20 10:01                     ` Kevin Wolf
2011-07-20 13:25                       ` Jes Sorensen
2011-07-20 13:46                         ` Eric Blake
2011-07-20 17:27                           ` Blue Swirl
2011-07-20 17:47                             ` Eric Blake
2011-07-20 19:51                               ` Blue Swirl
     [not found]                                 ` <4E27DE5D.5050502@redhat.com>
2011-07-21 19:34                                   ` Blue Swirl
2011-07-20 13:51                         ` Kevin Wolf
2011-07-20 17:20                           ` Blue Swirl
2011-07-20 17:41                             ` Eric Blake [this message]
2011-07-20 18:00                               ` Blue Swirl
2011-07-20 18:17                                 ` Eric Blake
2011-07-20 20:01                                   ` Blue Swirl
2011-07-20 20:10                                     ` Eric Blake
     [not found]                             ` <4E27E280.2060306@redhat.com>
2011-07-21 19:01                               ` Blue Swirl
2011-07-22  7:36                           ` Avi Kivity
2011-07-22  8:11                             ` Kevin Wolf
2011-07-22 16:09                               ` Blue Swirl
2011-07-20 13:50                   ` Cleber Rosa
2011-07-20 14:34                     ` Anthony Liguori
2011-07-20 18:34                       ` Cleber Rosa
2011-07-19 16:47                 ` Daniel P. Berrange
2011-07-20  8:26                   ` Jes Sorensen
2011-07-20  9:38                     ` Daniel P. Berrange
2011-07-20 14:35                   ` Anthony Liguori
2011-07-21 18:56                   ` Michael Roth

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4E271363.6080001@redhat.com \
    --to=eblake@redhat.com \
    --cc=Jes.Sorensen@redhat.com \
    --cc=blauwirbel@gmail.com \
    --cc=kwolf@redhat.com \
    --cc=libvir-list@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=stefanha@gmail.com \
    --cc=stefanha@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).