From: Eric Blake <eblake@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
	Markus Armbruster <armbru@redhat.com>
Cc: qemu-block@nongnu.org, qemu-devel@nongnu.org,
	stefanha@redhat.com, Max Reitz <mreitz@redhat.com>
Subject: Re: [Qemu-devel] [Qemu-block] [PATCH RFC for-2.3 1/1] block: New command line option --no-format-probing
Date: Tue, 24 Mar 2015 08:22:46 -0600
Message-ID: <55117336.80807@redhat.com>
In-Reply-To: <55112241.7000300@redhat.com>


On 03/24/2015 02:37 AM, Paolo Bonzini wrote:

>> The option sets bdrv_image_probing_disabled in a straightforward manner,
>> and bdrv_image_probing_disabled guards the probing code in an equally
>> straightforward manner.
> 
> But what about migration from newer to older QEMU?  Libvirt even
> supports QEMU versions where the only way to specify disks is "-hda
> XYZ", so it is _impossible_ to honor the format=raw specifier.

No one migrates from new qemu with this option back to a qemu version
that old.  Libvirt continues to drive old qemu, but driving old qemu is
different than migrating to old qemu.  And this feature is
introspectible, so libvirt knows when to use it and when to avoid it.

Furthermore, libvirt already has a knob in /etc/libvirt/qemu.conf to
enable probing - if this command line option ever gets in the way, a
one-line change to that conf file will tell libvirt to quit using it.

> 
> Also, libvirt can start qemu-nbd and doesn't force format=raw in that
> case.  So the protection is far from complete.  This reinforces my

Sounds like we have a bug to fix in libvirt.

> opinion that the false sense of safety provided by this patch is worse
> than the "insurance" against future CVEs (also, have there been any
> actual libvirt CVEs about this after 2010?  near misses don't count IMHO).

CVE-2011-2178 (http://security.libvirt.org/2011/0003.html).

And more recently, I argued that
http://security.libvirt.org/2014/0006.html should have been a CVE; it
was no near miss (in the wild for several months), and the only reason I
did not win my case for making it a CVE was because of the qemu.conf
default setting.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
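
An added example, not part of the message above and not QEMU or libvirt code: a small audit that lists the disks on a QEMU command line whose format is left to probing, covering the "-hda XYZ" form and `-drive` entries without `format=`. It assumes only the `file=`/`format=` spelling of `-drive`; the sample command line and paths are constructed.

```python
import shlex

# Legacy shortcuts take a bare filename, so no format can be attached to them.
LEGACY_DISK_OPTS = {"-hda", "-hdb", "-hdc", "-hdd"}

# Constructed sample command line (paths are made up for the example).
SAMPLE = (
    "qemu-system-x86_64 -m 1024 -hda /var/lib/images/a.img "
    "-drive file=/var/lib/images/b.img,if=virtio "
    "-drive file=/var/lib/images/c,,1.img,format=raw,if=virtio "
    "-drive if=none,id=cd0,media=cdrom"
)


def parse_drive_opts(optstr):
    """Split a QEMU option string on commas; ',,' is an escaped literal comma."""
    parts, cur, i = [], "", 0
    while i < len(optstr):
        if optstr[i] == ",":
            if optstr[i + 1:i + 2] == ",":
                cur += ","          # escaped comma stays inside the value
                i += 2
                continue
            parts.append(cur)       # single comma ends the current key=value
            cur = ""
        else:
            cur += optstr[i]
        i += 1
    parts.append(cur)
    return dict(p.partition("=")[::2] for p in parts)


def probed_disks(cmdline):
    """Return (option, filename) pairs for disks given without an explicit format."""
    argv = shlex.split(cmdline)
    findings = []
    for i, arg in enumerate(argv[:-1]):
        nxt = argv[i + 1]
        if arg in LEGACY_DISK_OPTS:
            findings.append((arg, nxt))
        elif arg == "-drive":
            opts = parse_drive_opts(nxt)
            if opts.get("file") and "format" not in opts:
                findings.append((arg, opts["file"]))
    return findings


if __name__ == "__main__":
    print(probed_disks(SAMPLE))
```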

