qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] Image probing: how it can be insecure, and what we coul

From: Markus Armbruster
Subject: Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it
Date: Thu, 06 Nov 2014 13:43:26 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux) 
Eric Blake <address@hidden> writes:

> On 11/05/2014 09:38 AM, Max Reitz wrote:
>
>>> Note that specifying just the top image's format is not enough, you also
>>> have to specify any backing images' formats.  QCOW2 can optionally store
>>> the backing image format in the image.  The other COW formats can't.
>> 
>> Well, they can, with "json:". *cough*
>> 
>>> Example of insecure usage: -hda bar.vmdk, where bar.vmdk is a VMDK image
>>> with a raw backing file.
>> 
>> Yesterday I found out that doesn't seem possible. You apparently can
>> only use VMDK with VMDK backing files. Other than that, we only have
>> qcow1 and qed as COW formats which should not be used anyway.
>
> Actually, qed requires the backing format to be recorded (it is
> non-optional) and is therefore immune to probing problems of backing
> files.  That's one thing it got right.

If I read the code correctly:

QED has a feature bit QED_F_BACKING_FORMAT_NO_PROBE.

It is changed when you set the backing file format.  Setting format to
"raw" sets the flag, anything else (including nothing) clears the flag.
The actual non-raw format is not recorded.

Creating an image counts as setting the backing file format.

If the flag is set, open uses "raw"for the backing file (no probing).

If it's unset, open probes, and the probe may yield "raw".
reply via email to
[Prev in Thread] Current Thread [Next in Thread]