On Tue, Aug 12, 2014 at 02:20:34PM +0100, Stefan Hajnoczi wrote:
> On Fri, Aug 01, 2014 at 03:39:58PM +0200, Levente Kurusa wrote:
> > Fixed size VPC images do not have a footer, hence the current probe
> > function will fail and QEMU will fall back to the raw_bsd driver, which is
> > not the correct behaviour. The specification of the format says that fixed
> > size images have a footer as the last 512 bytes of the file. The footer is
> > exactly the same as the header would be in the case of dynamically growing
> > images.
> >
> > For this, we need to read the last 512 bytes of the image, however the
> > current mechanics predominantly read the first 2048 bytes and pass that
> > as a buffer to the probe functions. Solve this by passing the
> > BlockDriverState to the probe functions, hence giving them a chance to read
> > the extra bytes they might need.
>
> I hesitate to add patches that extend image format probing. For the
> past few years we have always recommended that image files should not be
> probed.
>
> Image probing is prone to security issues because a malicious guest can
> modify a raw or vpc image by putting another image format header at
> sector 0. The next time QEMU opens the image it will detect a different
> format. One evil trick is to refer to a file on the host file system as
> the backing file, now you can read any file that the QEMU process has
> access to.
>
> Probing also complicates live migration. The source host still has the
> image file open and may write to it. The destination host shouldn't
> even read from the image file before handover to avoid file cache
> coherency issues.
>
> Probing is broken. It shouldn't be used. We shouldn't extend it
> (especially by adding more I/Os).
>
For 2.2, maybe we should limit probing to only certain operations (e.g.
qemu-img info) - or perhaps just remove the capability altogether, or at
least start phasing it out with a warning message that automatic format
detection is deprecated and may be unsafe.

Jeff
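The following is an added example, not code from the thread above or from QEMU itself. It illustrates the risk Stefan describes from the operator's side: an audit that checks whether an image the operator declares as raw carries a foreign format signature in the places a probe would look (the first 2048 bytes, and the last 512 bytes that the patch under discussion wanted to read for fixed-size VPC images), together with the mitigation the thread recommends, namely passing the format explicitly so QEMU never guesses. The qcow2 magic (`QFI\xfb` at offset 0) and the VPC/VHD cookie (`conectix`) are real signatures; the `scan_raw_image`, `qemu_drive_arg` and `demo` function names, the temp-file layout and the sample image contents are constructed for the demo.

```python
# Added example (not part of the qemu-devel thread): a defender-side audit
# for disk images that are *supposed* to be raw. If a guest has written
# another format's header into its raw disk, the next open under automatic
# probing would treat the image as that format, so an operator wants to
# detect such a mismatch before QEMU does. Signatures below are real; file
# names and sample contents are constructed.
import os
import tempfile

SECTOR = 512

# Signatures the format probes look for, relative to the start of the buffer.
HEAD_SIGNATURES = {
    "qcow2": b"QFI\xfb",   # qcow2 magic at offset 0
    "vpc":   b"conectix",  # VHD cookie: header of a dynamic image, footer of any image
}

def scan_raw_image(path):
    """Return a list of (format, location) findings for an image declared as
    raw. An empty list means no foreign signature was found."""
    findings = []
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(2048)            # the window the probe functions see today
        for fmt, magic in HEAD_SIGNATURES.items():
            if head.startswith(magic):
                findings.append((fmt, "sector 0"))
        # Fixed-size VPC images carry the same structure in the last 512 bytes
        # of the file, which is why the patch wanted to read beyond sector 0.
        if size >= SECTOR:
            f.seek(size - SECTOR)
            tail = f.read(SECTOR)
            if tail.startswith(HEAD_SIGNATURES["vpc"]):
                findings.append(("vpc", "footer (last 512 bytes)"))
    return findings

def qemu_drive_arg(path, declared_format="raw"):
    """The alternative to probing: state the format on the command line so the
    image contents can never change how QEMU interprets the file."""
    return f"-drive file={path},format={declared_format}"

def _make_constructed_image(contents, tail=b""):
    """Write a constructed sample image to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(contents)
        f.write(tail)
    return path

def demo():
    """Scan three constructed images and return {name: findings}."""
    # 1. A clean raw image: zeroed sectors, no signature anywhere.
    clean = _make_constructed_image(b"\0" * 4096)
    # 2. A raw image whose sector 0 now begins with the qcow2 magic (only the
    #    4-byte magic is written; everything else stays zero).
    tampered = _make_constructed_image(b"QFI\xfb" + b"\0" * 4092)
    # 3. A raw image whose final 512 bytes start with the VPC cookie.
    footer = b"conectix" + b"\0" * (SECTOR - 8)
    vpc_like = _make_constructed_image(b"\0" * 4096, tail=footer)
    results = {
        "clean": scan_raw_image(clean),
        "tampered": scan_raw_image(tampered),
        "vpc_like": scan_raw_image(vpc_like),
    }
    for p in (clean, tampered, vpc_like):
        os.unlink(p)
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        status = "OK" if not findings else f"FOREIGN HEADER {findings}"
        print(f"{name}: {status}")
    # Constructed path; the point is the explicit format=raw.
    print("explicit-format invocation:", qemu_drive_arg("/var/lib/vm/disk.img"))
```

A positive finding does not by itself prove tampering (an operator may simply have mislabelled a genuine qcow2 or VHD file), but either way the image should not be opened with automatic detection; fixing the declared format, as `qemu_drive_arg` does, removes the dependency on probing entirely.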