qemu-devel

Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing


From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing
Date: Tue, 4 Nov 2014 15:25:44 +0000
User-agent: Mutt/1.5.23 (2014-03-12)

On Tue, Nov 04, 2014 at 11:11:33AM +0100, Kevin Wolf wrote:
> On 03.11.2014 at 16:05, Stefan Hajnoczi wrote:
> > The argument that there might not be a traditional filename doesn't make
> > sense to me.  When there is no filename the command-line is already
> > sufficiently complex and usage is fancy enough that probing adds no
> > convenience, the user can just specify the format.
> 
> -hda nbd://localhost
> -drive file=nbd://localhost,format=raw
> 
> Almost double the length, and I don't see anything fancy in the first
> line.
> 
> > Anyway, does this sound reasonable:
> > 
> > In QEMU 3.0, require the format= option for -drive.  Keep probing the
> > way it is for non-drive options because they are used for convenience by
> > local users.
> 
> And being hacked while using -hda is better in which way?

Markus is proposing that we look at the filename extension.  In that
case QEMU cannot be tricked by the contents of a raw image.

That makes -hda perfectly safe although there are cases where QEMU
doesn't know what to do and requires format=.

I do worry that changing QEMU's probing behavior drastically can lead to
inconsistencies where libvirt does its own probing :(.  Haven't thought
through the bug scenarios but that could be a security problem in
itself.

Stefan
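
The difference between the two probing approaches discussed in this message, as an added example that is not part of the original email and is not QEMU's code: a simplified content probe compared with a filename-extension probe. The function names, the `enum fmt` type, the extension-to-format mapping and the sample sector are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical result type for this example; not QEMU's internal API. */
enum fmt { FMT_UNKNOWN, FMT_RAW, FMT_QCOW2 };

/* Constructed sample: first bytes of a raw image after the guest, which
 * controls every byte of a raw disk, has stored a qcow2 magic there. */
static const unsigned char sample_sector[8] = { 'Q', 'F', 'I', 0xfb, 0, 0, 0, 3 };

/* Content probing, simplified: trust the first bytes of the image.
 * qcow2 images start with "QFI\xfb"; anything else is taken as raw. */
enum fmt probe_by_content(const unsigned char *buf, size_t len)
{
    static const unsigned char qcow2_magic[4] = { 'Q', 'F', 'I', 0xfb };
    if (len >= 4 && memcmp(buf, qcow2_magic, 4) == 0)
        return FMT_QCOW2;
    return FMT_RAW;
}

/* Extension probing: decide from the name only, never from guest-writable
 * data. FMT_UNKNOWN means the caller has to demand an explicit format=.
 * The suffix table here is an assumption, not a list taken from QEMU. */
enum fmt probe_by_extension(const char *filename)
{
    const char *slash = strrchr(filename, '/');
    const char *base = slash ? slash + 1 : filename;
    const char *dot = strrchr(base, '.');
    if (!dot || dot == base)
        return FMT_UNKNOWN;
    if (strcmp(dot, ".qcow2") == 0)
        return FMT_QCOW2;
    if (strcmp(dot, ".raw") == 0 || strcmp(dot, ".img") == 0)
        return FMT_RAW;
    return FMT_UNKNOWN;
}

int main(void)
{
    static const char *names[] = { "FMT_UNKNOWN", "FMT_RAW", "FMT_QCOW2" };
    printf("content probe of disk.raw:   %s\n",
           names[probe_by_content(sample_sector, sizeof sample_sector)]);
    printf("extension probe of disk.raw: %s\n", names[probe_by_extension("disk.raw")]);
    printf("extension probe of nbd://localhost: %s\n",
           names[probe_by_extension("nbd://localhost")]);
    return 0;
}
```

The content probe reports qcow2 for an image the host created as raw, while the extension probe keeps it raw and returns `FMT_UNKNOWN` for `nbd://localhost`, the case where `format=` has to be given.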
