On Thu, Feb 11, 2021 at 03:26:56PM +0100, Philippe Mathieu-Daudé wrote:
> The null-co driver is meant for (performance) testing.
> By default, the read operation does nothing: the provided buffer
> is not filled with zero values and its content is unchanged.
>
> This performance 'feature' becomes an issue from a security
> perspective. For example, using the default null-co driver,
> buf[] is uninitialized, the blk_pread() call succeeds and we
> then access uninitialized memory:
>
> static int guess_disk_lchs(BlockBackend *blk,
>                            int *pcylinders, int *pheads,
>                            int *psectors)
> {
>     uint8_t buf[BDRV_SECTOR_SIZE];
>     ...
>
>     if (blk_pread(blk, 0, buf, BDRV_SECTOR_SIZE) < 0) {
>         return -1;
>     }
>     /* test msdos magic */
>     if (buf[510] != 0x55 || buf[511] != 0xaa) {
>         return -1;
>     }
>
> We could audit all the uninitialized buffers and the
> bdrv_co_preadv() handlers, but it is simpler to change the
> default of this testing driver. Performance tests will have
> to adapt and use 'null-co,read-zeroes=off'.
>
> Suggested-by: Max Reitz <mre...@redhat.com>
> Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
> ---
>  block/null.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Stefan Hajnoczi <stefa...@redhat.com>
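As an added illustration of the hazard described in the quoted patch (not QEMU code; null_drv, null_pread, has_msdos_magic and stale_magic_result are hypothetical stand-ins), the following models a read that reports success without touching the buffer and shows the msdos magic check passing on stale bytes the caller never read from the device, while a zero-filling read makes the outcome deterministic:

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define SECTOR_SIZE 512

/* Hypothetical stand-in for the null-co read path: with read_zeroes
 * false the buffer is left untouched (the old default), with
 * read_zeroes true it is zero-filled. Both report success. */
typedef struct { bool read_zeroes; } null_drv;

static int null_pread(const null_drv *d, uint8_t *buf, size_t len)
{
    if (d->read_zeroes) {
        memset(buf, 0, len);
    }
    return 0;
}

/* Modelled on the guess_disk_lchs() check quoted above: returns 1 if
 * the sector carries the MS-DOS boot signature, 0 otherwise, -1 on
 * read failure. */
static int has_msdos_magic(const null_drv *d, uint8_t *buf)
{
    if (null_pread(d, buf, SECTOR_SIZE) < 0) {
        return -1;
    }
    return (buf[510] == 0x55 && buf[511] == 0xaa) ? 1 : 0;
}

/* The caller's buffer already holds stale bytes (constructed here to
 * stand in for whatever happened to be on the stack). With read_zeroes
 * off, the stale signature survives the "successful" read and the
 * magic check passes on data that was never read from the device. */
int stale_magic_result(bool read_zeroes)
{
    uint8_t buf[SECTOR_SIZE];
    memset(buf, 0xff, sizeof(buf));
    buf[510] = 0x55;
    buf[511] = 0xaa;
    null_drv d = { .read_zeroes = read_zeroes };
    return has_msdos_magic(&d, buf);
}
```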