From: Max Reitz
Date: Mon, 10 Nov 2014 16:03:46 +0100
Subject: Re: [Qemu-devel] [PATCH v2 7/9] raw: Prohibit dangerous writes for probed images
To: Kevin Wolf, qemu-devel@nongnu.org
Cc: jcody@redhat.com, armbru@redhat.com, stefanha@redhat.com

On 2014-11-07 at 20:39, Kevin Wolf wrote:
> If the user neglects to specify the image format, QEMU probes the
> image to guess it automatically, for convenience.
>
> Relying on format probing is insecure for raw images (CVE-2008-2004).
> If the guest writes a suitable header to the device, the next probe
> will recognize a format chosen by the guest. A malicious guest can
> abuse this to gain access to host files, e.g. by crafting a QCOW2
> header with backing file /etc/shadow.
>
> Commit 1e72d3b (April 2008) provided -drive parameter format to let
> users disable probing. Commit f965509 (March 2009) extended QCOW2 to
> optionally store the backing file format, to let users disable backing
> file probing. QED has had a flag to suppress probing since the
> beginning (2010), set whenever a raw backing file is assigned.
>
> All of these additions that make it possible to avoid format probing
> have to be specified explicitly. The default still allows the attack.
>
> In order to fix this, commit 79368c8 (July 2010) put probed raw images
> in a restricted mode, in which they wouldn't be able to overwrite the
> first few bytes of the image so that they would identify as a different
> image. If a write to the first sector would write one of the signatures
> of another driver, qemu would instead zero out the first four bytes.
> This patch was later reverted in commit 8b33d9e (September 2010) because
> it didn't get the handling of unaligned qiov members right.
>
> Today's block layer that is based on coroutines and has qiov utility
> functions makes it much easier to get this functionality right, so this
> patch implements it.
>
> The other differences of this patch to the old one are that it doesn't
> silently write something different than the guest requested by zeroing
> out some bytes (it fails the request instead) and that it doesn't
> maintain a list of signatures in the raw driver (it calls the usual
> probe function instead).
>
> Note that this change doesn't introduce new breakage for false positive
> cases where the guest legitimately writes data into the first sector
> that matches the signatures of an image format (e.g. for nested virt):
> These cases were broken before, only the failure mode changes from
> corruption after the next restart (when the wrong format is probed) to
> failing the problematic write request.
>
> Signed-off-by: Kevin Wolf
> ---
>  block.c                   |  5 +++--
>  block/raw_bsd.c           | 57 ++++++++++++++++++++++++++++++++++++++++++++++-
>  include/block/block_int.h |  3 +++
>  3 files changed, 62 insertions(+), 3 deletions(-)

Reviewed-by: Max Reitz
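The check the commit message describes, as an added stand-alone model that is not QEMU's code and not part of the patch under review: a write to a probed raw image is composed onto a copy of the current first sector (so partial and unaligned writes are handled, the case the 2010 version got wrong), the result is run through the other formats' probe functions, and the request fails with -EPERM instead of being silently altered. `RawImage`, `raw_guarded_write`, `probe_non_raw` and the magic table are hypothetical names and a constructed subset standing in for QEMU's BlockDriverState and its driver probe list.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECTOR_SIZE 512

/* Constructed stand-in for the other block drivers' probe functions:
 * a format "claims" the image when its magic appears at offset 0.
 * The magic strings are the well-known ones, but the list is a subset. */
typedef struct {
    const char *name;
    const char *magic;
    size_t magic_len;
} FormatMagic;

static const FormatMagic formats[] = {
    { "qcow2", "QFI\xfb",  4 },
    { "qed",   "QED\0",    4 },
    { "vmdk",  "KDMV",     4 },
    { "vpc",   "conectix", 8 },
    { "vhdx",  "vhdxfile", 8 },
};

/* Returns the name of the first non-raw format whose probe accepts the
 * sector, or NULL if the sector still looks like plain raw data. */
const char *probe_non_raw(const uint8_t *sector, size_t len)
{
    for (size_t i = 0; i < sizeof(formats) / sizeof(formats[0]); i++) {
        if (len >= formats[i].magic_len &&
            memcmp(sector, formats[i].magic, formats[i].magic_len) == 0) {
            return formats[i].name;
        }
    }
    return NULL;
}

/* Minimal in-memory image model (hypothetical, not QEMU's BlockDriverState). */
typedef struct {
    uint8_t *data;
    size_t size;
    int probed;   /* 1 if the raw format was guessed rather than given explicitly */
} RawImage;

RawImage *raw_image_new(size_t size, int probed)
{
    if (size < SECTOR_SIZE) {
        return NULL;
    }
    RawImage *img = calloc(1, sizeof(*img));
    img->data = calloc(size, 1);   /* constructed image: all zeroes */
    img->size = size;
    img->probed = probed;
    return img;
}

void raw_image_free(RawImage *img)
{
    if (img) {
        free(img->data);
        free(img);
    }
}

/* Write guard in the spirit of the patch: when the format was probed,
 * refuse any write whose result would make the first sector probe as a
 * different format.  Writes that only partially overlap sector 0 are
 * handled by overlaying the new bytes on a copy of the current sector
 * before probing, instead of looking at the request buffer alone. */
int raw_guarded_write(RawImage *img, uint64_t offset, const uint8_t *buf, size_t len)
{
    if (offset > img->size || len > img->size - offset) {
        return -EINVAL;
    }
    if (img->probed && offset < SECTOR_SIZE) {
        uint8_t first[SECTOR_SIZE];
        memcpy(first, img->data, SECTOR_SIZE);
        size_t n = len;
        if (offset + n > SECTOR_SIZE) {
            n = SECTOR_SIZE - offset;
        }
        memcpy(first + offset, buf, n);
        const char *fmt = probe_non_raw(first, SECTOR_SIZE);
        if (fmt) {
            fprintf(stderr, "refusing write: first sector would probe as %s\n", fmt);
            return -EPERM;   /* fail the request, do not silently zero bytes */
        }
    }
    memcpy(img->data + offset, buf, len);
    return 0;
}

int main(void)
{
    RawImage *img = raw_image_new(4096, 1);
    printf("plain data: %d\n", raw_guarded_write(img, 0, (const uint8_t *)"hello", 5));
    printf("qcow2 magic: %d\n", raw_guarded_write(img, 0, (const uint8_t *)"QFI\xfb", 4));
    raw_image_free(img);
    return 0;
}
```

An image opened with an explicit `format=raw` (`probed == 0`) is never checked, matching the message's point that the guard only matters when the format would be guessed again at the next open; a legitimate first-sector write that happens to match a signature (the nested-virt case) now fails up front rather than after the next restart.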