qemu-devel

Re: [Qemu-devel] [Qemu-block] [PATCH RFC for-2.3 1/1] block: New command


From: Eric Blake
Subject: Re: [Qemu-devel] [Qemu-block] [PATCH RFC for-2.3 1/1] block: New command line option --no-format-probing
Date: Tue, 24 Mar 2015 08:22:46 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0

On 03/24/2015 02:37 AM, Paolo Bonzini wrote:

>> The option sets bdrv_image_probing_disabled in a straightforward manner,
>> and bdrv_image_probing_disabled guards the probing code in an equally
>> straightforward manner.
> 
> But what about migration from newer to older QEMU?  Libvirt even
> supports QEMU versions where the only way to specify disks is "-hda
> XYZ", so it is _impossible_ to honor the format=raw specifier.

No one migrates from new qemu with this option back to a qemu version
that old.  Libvirt continues to drive old qemu, but driving old qemu is
different than migrating to old qemu.  And this feature is
introspectible, so libvirt knows when to use it and when to avoid it.

Furthermore, libvirt already has a knob in /etc/libvirt/qemu.conf to
enable probing - if this command line option ever gets in the way, a
one-line change to that conf file will tell libvirt to quit using it.

> 
> Also, libvirt can start qemu-nbd and doesn't force format=raw in that
> case.  So the protection is far from complete.  This reinforces my

Sounds like we have a bug to fix in libvirt.

> opinion that the false sense of safety provided by this patch is worse
> than the "insurance" against future CVEs (also, have there been any
> actual libvirt CVEs about this after 2010?  near misses don't count IMHO).

CVE-2011-2178 (http://security.libvirt.org/2011/0003.html).

And more recently, I argued that
http://security.libvirt.org/2014/0006.html should have been a CVE; it
was no near miss (in the wild for several months), and the only reason I
did not win my case for making it a CVE was because of the qemu.conf
default setting.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
