Re: [Qemu-block] [Qemu-devel] [PATCH for-2.3 1/1] block: New command line option --misc format-probing=off

[Eric Blake]

On 03/23/2015 02:42 PM, Markus Armbruster wrote:


 I don't think it's the right solution.  Libvirt knows where to add a
 format=raw option, and it can do it without waiting for QEMU to
 implement this.  Direct command-line users are not going to use the
 option anyway.
 
 Two separate bones of contention here:
 
 1. Do we want to give libvirt the bug insurance it wants?

If we add this in 2.3, libvirt will use it.  If we wait until 2.4,
libvirt will manage without (as it has already managed without for all
earlier releases); it is just a little bit harder to ensure that formats
are being uniformly used.  I'm okay if this topic proves too
controversial to add into 2.3 at this late in the cycle, even though I'm
in favor of adding it.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-block] [Qemu-devel] [PATCH v2 0/2] ahci: test varying sector offsets

[John Snow]

Ping: I'll pull both this series and the 'ahci: rerror/werror=stop 
resume tests' series into my ide-next branch if just these two patches 
get a re-review.


They were excised from a pullreq due to glib compatibility issues, so 
the following series has no changes.


--js

On 03/13/2015 03:22 PM, John Snow wrote:

This is a re-send of patches 7  8 from an earlier series,
[PATCH v2 0/8] ahci: add more IO tests which ultimately got bounced
back because I used some glib functions that were too new.

v2:
- Patchew caught a pathing problem with the qemu-img binary;
   the relative path produced by the Makefile does not prepend
   ./, so I was relying on the /distro's/ qemu-img by accident.
   Fix that by using realpath().

v1:
- Removed ./ from the execution CLI. Now you can set an absolute or
   relative path for QTEST_QEMU_IMG and it will work either way. The default
   as generated by the Makefile will be a relative path.

- Removed the g_spawn_check_exit_status glib call from mkimg(). See the
   in-line comments in patch 1/2 for correctness justification.

John Snow (2):
   qtest/ahci: add qcow2 support to ahci-test
   qtest/ahci: test different disk sectors

  tests/Makefile|  1 +
  tests/ahci-test.c | 84 +--
  tests/libqos/ahci.c   | 10 +++---
  tests/libqos/ahci.h   |  4 +--
  tests/libqos/libqos.c | 44 +++
  tests/libqos/libqos.h |  2 ++
  6 files changed, 116 insertions(+), 29 deletions(-)

Re: [Qemu-block] [Qemu-devel] [PATCH RFC for-2.3 1/1] block: New command line option --no-format-probing

[Paolo Bonzini]

On 23/03/2015 21:19, Markus Armbruster wrote:
 Paolo Bonzini pbonz...@redhat.com writes:
 
 On 23/03/2015 18:48, Eric Blake wrote:
 Why can't libvirt just add ,format=raw instead of leaving out the
 format key altogether?

 Libvirt DOES add format=raw.  This patch is an extra insurance
 policy to guarantee that libvirt does not have any code paths that
 omit the explicit format (as we have had a couple of CVEs in
 libvirt over the years where that was the case).

 And where's the extra insurance policy to guarantee that QEMU does not
 have any code paths that ignore the new command line option?
 
 Right here (in the non-RFC patch, not this one):
 
 @@ -751,6 +752,11 @@ static int find_image_format(BlockDriverState *bs, const 
 char *filename,
  return ret;
  }
  
 +if (bdrv_image_probing_disabled) {
 +error_setg(errp, Format not specified and image probing disabled);
 +return -EINVAL;
 +}
 +
  ret = bdrv_pread(bs, 0, buf, sizeof(buf));
  if (ret  0) {
  error_setg_errno(errp, -ret, Could not read image for determining 
 its 
 
 The option sets bdrv_image_probing_disabled in a straightforward manner,
 and bdrv_image_probing_disabled guards the probing code in an equally
 straightforward manner.

But what about migration from newer to older QEMU?  Libvirt even
supports QEMU versions where the only way to specify disks is -hda
XYZ, so it is _impossible_ to honor the format=raw specifier.

Also, libvirt can start qemu-nbd and doesn't force format=raw in that
case.  So the protection is far from complete.  This reinforces my
opinion that the false sense of safety provided by this patch is worse
than the insurance against future CVEs (also, have there been any
actual libvirt CVEs about this after 2010?  near misses don't count IMHO).

 How to get p0wned anyway:
 
 1. Use your raw image with format=raw.  Malicious guest writes qcow2
 header.
 
 2. Use the image again without a format.  Probe returns qcow2, no
 warning is printed.
 
 Plausible attack?  Maybe not.  Worth stopping cold anyway?  I think so,
 as long as it's easy.
 
 My new option is a different kind of mitigation.  It's for users who
 want more airtight protection, prefer writes to sector 0 just work,
 funny or not, and are willing to always specify the format.  At least
 one such user exists: libvirt.
 
 Without this patch:
 
 * Alternate use of raw images with and without format is still insecure;
   Kevin's mitigation can't protect you then.

That's PEBKAC.

Paolo

 * If you somehow miss specifying a format, and probing detects raw, you
   get a warning on stderr.  If your guest writes something funny to
   sector 0, the write fails.
 
 With this patch:
 
 * If you somehow miss specifying a format, open fails.  This is what
   libvirt wants.
 
   There certainly hasn't been enough discussion
 for this to get into 2.3.
 
 Isn't that what were doing now?  :)