Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing
From: Markus Armbruster
Subject: Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing
Date: Thu, 30 Oct 2014 13:19:45 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
Stefan Hajnoczi <address@hidden> writes:
> On Thu, Oct 30, 2014 at 10:07:26AM +0100, Markus Armbruster wrote:
>> Stefan Hajnoczi <address@hidden> writes:
>>
>> > On Wed, Oct 29, 2014 at 02:54:32PM +0100, Markus Armbruster wrote:
>> >> Kevin Wolf <address@hidden> writes:
>> >>
>> >> > On 28.10.2014 at 17:03, Markus Armbruster wrote:
>> >> > Instead, let me try once more to sell my old proposal [1] from the
>> >> > thread you mentioned:
>> >> >
>> >> >> What if we let the raw driver know that it was probed and then it
>> >> >> enables a check that returns -EIO for any write on the first 2k if that
>> >> >> write would make the image look like a different format?
>> >> >
>> >> > Attacks the problem where it arises instead of trying to detect the
>> >> > outcome of it, and works in whatever way it is nested in the BDS graph
>> >> > and whatever way is used to address the image file.
>> >
>> > I think this is too clever. It's another thing to debug if a guest
>> > starts hitting EIO.
>> >
>> > My opinion on probing is: it's ugly but let's leave it for QEMU 3.0 at
>> > which point we implement Markus's solution with exit(1).
>>
>> I regard my patch as a necessary preliminary step for that. Warn now,
>> change behavior a couple of releases later. When exactly is debatable.
>>
>> > In the meantime the CVE has been known for a long time so vulnerable
>> > users (VM hosting, cloud, etc) have the information they need. Many are
>> > automatically protected by libvirt.
>>
>> The warning hopefully helps libvirt developers with keeping libvirt
>> users fully protected.
>
> I'm happy with this approach (haven't reviewed the patches in detail
> yet).
PATCH 1/2 is fully baked, but it's also trivial, and got plenty of
review already.
PATCH 2/2 isn't baked, yet, and I think I know what needs to be done. I
guess your review cycles are better spent elsewhere.
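
The check Kevin Wolf proposes in the quoted text (return -EIO for a write to the first 2k of a probed raw image if it would make the image look like another format), sketched as an added example that is not QEMU code and not part of this message. The function name, the cached-header argument and the short magic table are assumptions standing in for the block layer's real probing.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GUARD_LEN 2048  /* the "first 2k" from the proposal */

/* Simplified stand-in for format probing: header magics at offset 0. */
static const struct { const char *name; const char *magic; size_t len; } magics[] = {
    { "qcow2", "QFI\xfb",  4 },
    { "vmdk",  "KDMV",     4 },
    { "qed",   "QED\0",    4 },
    { "vpc",   "conectix", 8 },
};

/* Returns the matched format name, or NULL if the header still looks raw. */
static const char *probe_header(const uint8_t *hdr)
{
    for (size_t i = 0; i < sizeof(magics) / sizeof(magics[0]); i++) {
        if (memcmp(hdr, magics[i].magic, magics[i].len) == 0) {
            return magics[i].name;
        }
    }
    return NULL;
}

/*
 * head: cached copy of the image's first GUARD_LEN bytes (hypothetical; the
 * caller keeps it in sync). Returns 0 if the write may proceed, -EIO if the
 * header as it would look after the write probes as a non-raw format.
 */
int raw_probed_write_check(uint8_t *head, uint64_t offset,
                           const uint8_t *buf, size_t len)
{
    uint8_t after[GUARD_LEN];
    size_t n;

    if (offset >= GUARD_LEN || len == 0) {
        return 0;                   /* write does not touch the guarded area */
    }
    n = len < GUARD_LEN - offset ? len : GUARD_LEN - (size_t)offset;
    memcpy(after, head, GUARD_LEN);
    memcpy(after + offset, buf, n); /* evaluate the result, not just the buffer */
    if (probe_header(after) != NULL) {
        return -EIO;
    }
    memcpy(head, after, GUARD_LEN); /* accepted: update the cached header */
    return 0;
}
```

Because the probe runs on the header as it would look after the write, a magic assembled from several small writes is rejected at the write that completes it.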