Message-ID: <55524119.4040903@redhat.com>
Date: Tue, 12 May 2015 12:06:17 -0600
From: Eric Blake
In-Reply-To: <1431446962-9860-2-git-send-email-berrange@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 1/5] qcow2/qcow: protect against uninitialized encryption key
To: "Daniel P. Berrange", qemu-devel@nongnu.org
Cc: Kevin Wolf, qemu-block@nongnu.org

On 05/12/2015 10:09 AM, Daniel P. Berrange wrote:
> When a qcow[2] file is opened, if the header reports an
> encryption method, this is used to set the 'crypt_method_header'
> field on the BDRVQcow[2]State struct, and the 'encrypted' flag
> in the BDRVState struct.
>
> When doing I/O operations, the 'crypt_method' field on the
> BDRVQcow[2]State struct is checked to determine if encryption
> needs to be applied.
>
> The crypt_method_header value is copied into crypt_method when
> the bdrv_set_key() method is called.
>
> The QEMU code which opens a block device is expected to always
> do a check
>
>   if (bdrv_is_encrypted(bs)) {
>       bdrv_set_key(bs, ....key...);
>   }
>
> If code forgets todo this, then 'crypt_method' is never set

s/todo/to do/

> and so when I/O is performed, QEMU writes plain text data
> into a sector which is expected to contain cipher text, or
> when reading, will return cipher text instead of plain
> text.
>
> Change the qcow[2] code to consult bs->encrypted when deciding
> whether encryption is required, and assert(s->crypt_method)
> to protect against cases where the caller forgets to set the
> encryption key.
>
> Also put an assert in the set_key methods to protect against
> the case where the caller sets an encryption key on a block
> device that does not have encryption
>
> Signed-off-by: Daniel P. Berrange
> ---
>  block/qcow.c          | 10 +++++++---
>  block/qcow2-cluster.c |  3 ++-
>  block/qcow2.c         | 18 ++++++++++++------
>  3 files changed, 21 insertions(+), 10 deletions(-)
>

Reviewed-by: Eric Blake

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
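The failure mode the commit message describes, as an added toy model that is not QEMU code: the field names (encrypted, crypt_method_header, crypt_method) follow the message, but the struct, the functions and the XOR stand-in for the cipher are assumptions, and the hardened write returns an error where the real patch asserts, so the difference between the two checks can be exercised.

```c
/* Added example, not QEMU code: toy model of the state split in the commit
 * message. Field names mirror it; XOR stands in for the cipher (assumption). */
#include <stdint.h>
#include <string.h>
#define SECTOR 8

typedef struct {
    int encrypted;                 /* set at open when the header says so */
    uint32_t crypt_method_header;  /* method parsed from the image header */
    uint32_t crypt_method;         /* only set once a key is installed */
    uint8_t key;                   /* toy one-byte key, illustration only */
    uint8_t disk[SECTOR];          /* the on-disk sector */
} image_t;

/* Open copies the header value into crypt_method_header and the flag,
 * but not into crypt_method, exactly as the commit message describes. */
void image_open(image_t *img, uint32_t header_method) {
    memset(img, 0, sizeof *img);
    img->crypt_method_header = header_method;
    img->encrypted = header_method != 0;
}

/* set_key: refuse a key on an image whose header has no encryption. */
int image_set_key(image_t *img, uint8_t key) {
    if (!img->encrypted) return -1;
    img->crypt_method = img->crypt_method_header;
    img->key = key;
    return 0;
}

static void transform(const image_t *img, const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < SECTOR; i++) out[i] = in[i] ^ img->key;
}

/* Old logic: keyed on crypt_method, so a forgotten set_key silently
 * writes plaintext into a sector that should hold ciphertext. */
int write_sector_old(image_t *img, const uint8_t *buf) {
    if (img->crypt_method) transform(img, buf, img->disk);
    else memcpy(img->disk, buf, SECTOR);
    return 0;
}

/* New logic: keyed on encrypted, failing closed when no key was set
 * (error return here instead of the patch's assert, so it can be tested). */
int write_sector_new(image_t *img, const uint8_t *buf) {
    if (!img->encrypted) { memcpy(img->disk, buf, SECTOR); return 0; }
    if (!img->crypt_method) return -1;   /* caller forgot bdrv_set_key() */
    transform(img, buf, img->disk);
    return 0;
}
```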