[Qemu-devel] [4277] add format= to drive options (CVE-2008-2004)

[Qemu-devel] [4277] add format= to drive options (CVE-2008-2004)

[Aurelien Jarno]

Revision: 4277
          http://svn.sv.gnu.org/viewvc/?view=rev&root=qemu&revision=4277
Author:   aurel32
Date:     2008-04-28 20:26:45 +0000 (Mon, 28 Apr 2008)

Log Message:
-----------
add format= to drive options (CVE-2008-2004)

It is possible for a guest with a raw formatted disk image to write a
header to that disk image describing another format (such as qcow2).
Stopping and subsequent restart of the guest will cause qemu to detect
that format, and could allow the guest to read any host file if qemu is
sufficiently privileged (typical in virt environments).

The patch defaults to existing behaviour (probing based on file contents),
so it still requires the mgmt app (e.g. libvirt xml) to pass a new
"format=raw" parameter for raw disk images.

Originally noted by Avi Kivity, patch from Chris Wright.

Modified Paths:
--------------
    trunk/qemu-doc.texi
    trunk/vl.c

Modified: trunk/qemu-doc.texi
===================================================================
--- trunk/qemu-doc.texi	2008-04-28 08:54:59 UTC (rev 4276)
+++ trunk/qemu-doc.texi	2008-04-28 20:26:45 UTC (rev 4277)
@@ -261,6 +261,10 @@
 @var{snapshot} is "on" or "off" and allows to enable snapshot for given drive (see @option{-snapshot}).
 @item cache=@var{cache}
 @var{cache} is "on" or "off" and allows to disable host cache to access data.
+@item format=@var{format}
+Specify which disk @var{format} will be used rather than detecting
+the format.  Can be used to specifiy format=raw to avoid interpreting
+an untrusted format header.
 @end table
 
 Instead of @option{-cdrom} you can use:

Modified: trunk/vl.c
===================================================================
--- trunk/vl.c	2008-04-28 08:54:59 UTC (rev 4276)
+++ trunk/vl.c	2008-04-28 20:26:45 UTC (rev 4277)
@@ -4961,6 +4961,7 @@
     int bus_id, unit_id;
     int cyls, heads, secs, translation;
     BlockDriverState *bdrv;
+    BlockDriver *drv = NULL;
     int max_devs;
     int index;
     int cache;
@@ -4968,7 +4969,7 @@
     char *str = arg->opt;
     char *params[] = { "bus", "unit", "if", "index", "cyls", "heads",
                        "secs", "trans", "media", "snapshot", "file",
-                       "cache", NULL };
+                       "cache", "format", NULL };
 
     if (check_params(buf, sizeof(buf), params, str) < 0) {
          fprintf(stderr, "qemu: unknown parameter '%s' in '%s'\n",
@@ -5136,6 +5137,14 @@
         }
     }
 
+    if (get_param_value(buf, sizeof(buf), "format", str)) {
+        drv = bdrv_find_format(buf);
+        if (!drv) {
+            fprintf(stderr, "qemu: '%s' invalid format\n", buf);
+            return -1;
+        }
+    }
+
     if (arg->file == NULL)
         get_param_value(file, sizeof(file), "file", str);
     else
@@ -5238,7 +5247,7 @@
         bdrv_flags |= BDRV_O_SNAPSHOT;
     if (!cache)
         bdrv_flags |= BDRV_O_DIRECT;
-    if (bdrv_open(bdrv, file, bdrv_flags) < 0 || qemu_key_check(bdrv, file)) {
+    if (bdrv_open2(bdrv, file, bdrv_flags, drv) < 0 || qemu_key_check(bdrv, file)) {
         fprintf(stderr, "qemu: could not open disk image %s\n",
                         file);
         return -1;

Re: [Qemu-devel] [4277] add format= to drive options (CVE-2008-2004)

[Paul Brook]

> Revision: 4277
> -----------
> add format= to drive options (CVE-2008-2004)

This needs some way for users to figure out what values are accepted for this 
option.  Either in the .texi files or some means of getting qemu to output a 
list.

You also need to update the --help output.

Paul