[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing
From: |
Stefan Hajnoczi |
Subject: |
Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing |
Date: |
Tue, 4 Nov 2014 15:25:44 +0000 |
User-agent: |
Mutt/1.5.23 (2014-03-12) |
On Tue, Nov 04, 2014 at 11:11:33AM +0100, Kevin Wolf wrote:
> Am 03.11.2014 um 16:05 hat Stefan Hajnoczi geschrieben:
> > The argument that there might not be a traditional filename doesn't make
> > sense to me. When there is no filename the command-line is already
> > sufficiently complex and usage is fancy enough that probing adds no
> > convenience, the user can just specify the format.
>
> -hda nbd://localhost
> -drive file=nbd://localhost,format=raw
>
> Almost double the length, and I don't see anything fancy in the first
> line.
>
> > Anyway, does this sound reasonable:
> >
> > In QEMU 3.0, require the format= option for -drive. Keep probing the
> > way it is for non-drive options because they are used for convenience by
> > local users.
>
> And being hacked while using -hda is better in which way?
Markus is proposing that we look at the filename extension. In that
case QEMU cannot be tricked by the contents of a raw image.
That makes -hda perfectly safe although there are cases where QEMU
doesn't know what to do and requires format=.
I do worry that changing QEMU's probing behavior drastically can lead to
consistencies where libvirt does its own probing :(. Haven't thought
through the bug scenarios but that could be a security problem in
itself.
Stefan
pgp36ID3EPPMa.pgp
Description: PGP signature
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, (continued)
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, Markus Armbruster, 2014/11/03
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, Max Reitz, 2014/11/03
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, Markus Armbruster, 2014/11/03
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, Max Reitz, 2014/11/03
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, Kevin Wolf, 2014/11/03
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, Stefan Hajnoczi, 2014/11/03
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, Max Reitz, 2014/11/03
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, Markus Armbruster, 2014/11/04
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, Kevin Wolf, 2014/11/04
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing,
Stefan Hajnoczi <=
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, Kevin Wolf, 2014/11/04
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, Markus Armbruster, 2014/11/05
- Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing, Eric Blake, 2014/11/05