Message-ID: <545B715A.6090300@redhat.com>
Date: Thu, 06 Nov 2014 14:02:18 +0100
From: Eric Blake
References: <87lhnq3iul.fsf@blackfin.pond.sub.org> <5459E210.2020008@redhat.com> <5459F961.8030305@redhat.com> <87sihwv6s1.fsf@blackfin.pond.sub.org>
In-Reply-To: <87sihwv6s1.fsf@blackfin.pond.sub.org>
Subject: Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it
To: Markus Armbruster
Cc: Kevin Wolf, Jeff Cody, qemu-devel@nongnu.org, Stefan Hajnoczi, Max Reitz

On 11/06/2014 01:43 PM, Markus Armbruster wrote:
>> Actually, qed requires the backing format to be recorded (it is
>> non-optional) and is therefore immune to probing problems of backing
>> files.
> That's one thing it got right.
>
> If I read the code correctly:
>
> QED has a feature bit QED_F_BACKING_FORMAT_NO_PROBE.
>
> It is changed when you set the backing file format. Setting format to
> "raw" sets the flag, anything else (including nothing) clears the flag.
> The actual non-raw format is not recorded.
>
> Creating an image counts as setting the backing file format.
>
> If the flag is set, open uses "raw" for the backing file (no probing).
>
> If it's unset, open probes, and the probe may yield "raw".

Eww. Well, looks like a deficiency in the qed spec, and maybe all that is
needed to plug it is: If the probe yields "raw", refuse to open the backing
file (or put another way, either the probe MUST find a non-raw file, or the
user has a bug that they forgot to set the raw bit so we refuse to open the
file to point out their bug).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
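The flag logic Markus describes, and the refusal Eric proposes, modelled as an added example (not code from qemu or from anyone in this thread). The QED header layout and the feature-bit values are quoted from memory of qemu's block/qed.h and should be treated as assumptions of the example; `probe_format` is a constructed two-magic stand-in for the real block-driver probe, and the sample first sectors are constructed inputs.

```python
import struct

# QED feature bits (assumed here; values as remembered from qemu's block/qed.h).
QED_F_BACKING_FILE = 0x01
QED_F_NEED_CHECK = 0x02
QED_F_BACKING_FORMAT_NO_PROBE = 0x04

QED_MAGIC = b"QED\x00"
# Fixed part of the QED header: magic, cluster_size, table_size, header_size,
# features, compat_features, autoclear_features, l1_table_offset, image_size,
# backing_filename_offset, backing_filename_size (little-endian, 64 bytes).
_HDR = struct.Struct("<4sIIIQQQQQII")


def pack_qed_header(backing_name, no_probe):
    """Build a minimal QED header; the backing filename follows the fixed fields."""
    features = QED_F_BACKING_FILE
    if no_probe:
        features |= QED_F_BACKING_FORMAT_NO_PROBE
    name = backing_name.encode()
    fixed = _HDR.pack(QED_MAGIC, 65536, 4, 1, features, 0, 0, 65536, 1 << 30,
                      _HDR.size, len(name))
    return fixed + name


def parse_qed_header(data):
    """Return (features, backing_name); raise ValueError on a malformed header."""
    if len(data) < _HDR.size:
        raise ValueError("short header")
    (magic, _cs, _ts, _hs, features, _cf, _af, _l1, _sz,
     off, size) = _HDR.unpack_from(data)
    if magic != QED_MAGIC:
        raise ValueError("not a QED image")
    if not features & QED_F_BACKING_FILE:
        return features, None
    if off + size > len(data):
        raise ValueError("backing filename outside header")
    return features, data[off:off + size].decode()


def probe_format(first_sector):
    """Toy stand-in for driver probing: sniff a known magic, else fall back to raw."""
    if first_sector.startswith(b"QFI\xfb"):
        return "qcow2"
    if first_sector.startswith(QED_MAGIC):
        return "qed"
    return "raw"


def backing_format_as_implemented(features, backing_first_sector):
    """Behaviour described in the thread: flag set -> raw; flag clear -> probe."""
    if features & QED_F_BACKING_FORMAT_NO_PROBE:
        return "raw"
    return probe_format(backing_first_sector)


def backing_format_refusing_raw(features, backing_first_sector):
    """Eric's proposal: with the flag clear, a probe result of raw is an error."""
    if features & QED_F_BACKING_FORMAT_NO_PROBE:
        return "raw"
    probed = probe_format(backing_first_sector)
    if probed == "raw":
        raise ValueError("backing file probes as raw but "
                         "QED_F_BACKING_FORMAT_NO_PROBE is clear; set the raw bit")
    return probed


if __name__ == "__main__":
    # Constructed first sectors: a genuinely raw disk, and a raw disk whose
    # guest-writable first bytes carry a qcow2 magic.
    plain_raw = bytes(512)
    raw_with_qcow2_magic = b"QFI\xfb" + bytes(508)

    flag_set, _ = parse_qed_header(pack_qed_header("base.img", True))
    flag_clear, _ = parse_qed_header(pack_qed_header("base.img", False))

    print("flag set, forged magic  ->", backing_format_as_implemented(flag_set, raw_with_qcow2_magic))
    print("flag clear, plain raw   ->", backing_format_as_implemented(flag_clear, plain_raw))
    print("flag clear, forged magic->", backing_format_as_implemented(flag_clear, raw_with_qcow2_magic))
    try:
        backing_format_refusing_raw(flag_clear, plain_raw)
    except ValueError as e:
        print("refusing variant       ->", e)
```

The refusal only fires when the backing file really probes as raw, which is the forgot-the-bit case Eric is targeting. With the flag clear, a raw backing file whose first bytes have been overwritten with another driver's magic still probes as that other format in both variants, which is the probing problem named in the thread's subject line.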