From: Eric Blake
Date: Tue, 24 Mar 2015 08:22:46 -0600
Message-ID: <55117336.80807@redhat.com>
In-Reply-To: <55112241.7000300@redhat.com>
Subject: Re: [Qemu-devel] [Qemu-block] [PATCH RFC for-2.3 1/1] block: New command line option --no-format-probing
To: Paolo Bonzini, Markus Armbruster
Cc: qemu-block@nongnu.org, qemu-devel@nongnu.org, stefanha@redhat.com, Max Reitz

On 03/24/2015 02:37 AM, Paolo Bonzini wrote:
>> The option sets bdrv_image_probing_disabled in a straightforward manner,
>> and bdrv_image_probing_disabled guards the probing code in an equally
>> straightforward manner.
>
> But what about migration from newer to older QEMU?
> Libvirt even supports QEMU versions where the only way to specify disks is
> "-hda XYZ", so it is _impossible_ to honor the format=raw specifier.

No one migrates from new qemu with this option back to a qemu version
that old. Libvirt continues to drive old qemu, but driving old qemu is
different than migrating to old qemu. And this feature is
introspectible, so libvirt knows when to use it and when to avoid it.
Furthermore, libvirt already has a knob in /etc/libvirt/qemu.conf to
enable probing - if this command line option ever gets in the way, a
one-line change to that conf file will tell libvirt to quit using it.

>
> Also, libvirt can start qemu-nbd and doesn't force format=raw in that
> case. So the protection is far from complete. This reinforces my

Sounds like we have a bug to fix in libvirt.

> opinion that the false sense of safety provided by this patch is worse
> than the "insurance" against future CVEs (also, have there been any
> actual libvirt CVEs about this after 2010? near misses don't count IMHO).

CVE-2011-2178 (http://security.libvirt.org/2011/0003.html). And more
recently, I argued that http://security.libvirt.org/2014/0006.html
should have been a CVE; it was no near miss (in the wild for several
months), and the only reason I did not win my case for making it a CVE
was because of the qemu.conf default setting.
-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
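
An added illustration, not part of the message above and not QEMU or libvirt code: a small audit that shows why an unpinned format matters, by flagging disks whose format is left to probing and raw disks whose content would be probed as something else by any consumer that does not pass format=raw (the qemu-nbd case raised in the thread). The magic table is a simplification of real probing, and the disk names and headers are constructed sample data.

```python
import struct

# Simplified content sniffing. QEMU's real probing asks every block driver
# for a score; this magic table is an assumption made for the example.
QCOW2_MAGIC = b"QFI\xfb"
VMDK_MAGIC = b"KDMV"

def probe(header: bytes) -> str:
    """Return the format that content-based probing would pick."""
    if header[:4] == QCOW2_MAGIC and len(header) >= 8:
        (version,) = struct.unpack(">I", header[4:8])
        if version >= 2:
            return "qcow2"
    if header[:4] == VMDK_MAGIC:
        return "vmdk"
    return "raw"

def audit(disks):
    """disks: (name, declared format or None, first bytes of the image).
    Returns (name, level, reason) for every disk worth a second look."""
    findings = []
    for name, declared, header in disks:
        probed = probe(header)
        if declared is None and probed != "raw":
            findings.append((name, "critical",
                             f"no format given; probing would pick {probed}"))
        elif declared is None:
            findings.append((name, "warn",
                             "no format given; result depends on disk content"))
        elif declared == "raw" and probed != "raw":
            findings.append((name, "warn",
                             f"declared raw but content looks like {probed}; "
                             "any consumer that probes will disagree"))
    return findings

# Constructed sample inventory (hypothetical disk names, synthetic headers).
QCOW2_HDR = QCOW2_MAGIC + struct.pack(">I", 3) + bytes(504)
SAMPLE = [
    ("vda", "raw", bytes(512)),
    ("vdb", "raw", QCOW2_HDR),
    ("vdc", None, bytes(512)),
    ("vdd", None, QCOW2_HDR),
    ("vde", "qcow2", QCOW2_HDR),
]

if __name__ == "__main__":
    for name, level, reason in audit(SAMPLE):
        print(f"{level:8} {name}: {reason}")
```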