Re: [Qemu-devel] [PATCH V6 1/3] Implement sync modes for drive-backup.

[Eric Blake <eblake@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 2221 bytes --]

On 07/25/2013 08:36 AM, Paolo Bonzini wrote:

>> Furthermore, I'm proposing that for 1.6, we should make the format 
>> argument mandatory for drive-backup.  We made it optional for 
>> drive-mirror, to allow for probing, but there have been CVEs in the
>> past due to probing of a raw file gone wrong.  We can always relax
>> a mandatory argument into an optional one in 1.7, if we decide
>> that probing can be done safely, but we can never turn an optional
>> argument into a mandatory one once the initial release bakes in the
>> option.  It would make the code a lot simpler to just have a
>> mandatory format argument, instead of having to bake in and
>> document hueristics on which format is picked when the caller
>> doesn't provide one.
> 
> Probing is unsafe by definition, on the other hand we should allow it
> for consistency with the rest of the API.

Shouldn't security trump consistency?  My argument is that if probing
can be abused, it is better to have 1.6 be conservative and mandate a
format argument always; if we can later argue that some forms of probing
are safe, then for 1.7 we can relax the argument to optional in the
qapi-schema.json file and add code checks that still mandate the
argument in the instances where it is needed, but allow probing in the
remaining cases.  But why are we so concerned about allowing probing in
the first place?  Libvirt will ALWAYS be passing a format, because that
is the only way to avoid a security bug; it is easier to design the
format to be mandatory than it is to reason about when probing might be
safe, and there's no need to be consistent with the security holes that
are permanently baked into older commands.

> 
> Making the format mandatory for mode != 'existing' is fine, though.
> We can relax it later.
> 
> For mode = 'existing' we should allow both probing, and using an
> explicit format.

But if you insist on allowing probing for mode='existing', then
qapi-schema.json must leave it as '*format':'str', and we are stuck
implementing the code for when format is mandatory in the C code.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]