Re: [Qemu-block] [Qemu-devel] [PATCH for-2.3 1/1] block: New command line option --misc format-probing=off
Mon, 23 Mar 2015 21:42:37 +0100
Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
Paolo Bonzini <address@hidden> writes:
> On 23/03/2015 11:04, Markus Armbruster wrote:
>> Probing is convenient, but probing untrusted raw images is insecure
>> (CVE-2008-2004). To avoid it, users should always specify raw format
>> explicitly. This isn't trivial, and even sophisticated users have
>> gotten it wrong (libvirt CVE-2010-2237, CVE-2010-2238, CVE-2010-2239,
>> plus more recent variations of the theme that didn't get CVEs because
>> they were caught before they could hurt users).
>> Disabling probing entirely is a (hamfisted) way to ensure you always
>> specify the format.
>> Instead of creating yet another simple option that doesn't work with
>> -readconfig, create a "misc" option group and --misc command line
>> option. We're out of space in vm_config_groups, so double it.
>> This will let us make existing miscellaneous non-QemuOpts options
>> sugar for --misc, so they become available with -readconfig. Left for
>> another day.
> Which exactly? Could they fit into another scheme? (See how
> -mem-prealloc was replaced and generalized by memory-backend-* objects).
> For example, -win2k-install-hack should really be an IDE disk property
> that can be set with -global, and many other options could be machine or
> display options.
> I don't think it's the right solution. Libvirt knows where to add a
> format=raw option, and it can do it without waiting for QEMU to
> implement this. Direct command-line users are not going to use the
> option anyway.
Two separate bones of contention here:
1. Do we want to give libvirt the bug insurance it wants?
2. Is --misc sane?
We're discussing 1. elsewhere already.
Regarding 2.: if anyone has a better idea on how to do the command line
switch, I'm all ears.
Eyeballing vl.c, I suspect these options don't use QemuOpts, thus don't
Unless we stop adding more, we'll never get --readconfig reasonably
> So for today we're 1-1 on NACKs. :D
I NACKed something today?
All I remember is advising to disable sdhci-pci instead of changing how
it's hacked up.
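
Added example, not part of the original message and not QEMU or libvirt code: a small audit helper that lists every -drive on a QEMU command line that has no explicit format= and therefore relies on the probing discussed above. The function names and the sample command line are constructed for illustration; only -drive is covered, not shorthand options such as -hda.

```python
import shlex


def parse_drive_opts(optstr):
    """Split a QEMU option string into a dict of key -> value.

    Options are comma-separated key=value pairs; a literal comma
    inside a value is written as ',,'.
    """
    parts, cur, i = [], "", 0
    while i < len(optstr):
        if optstr[i] == ",":
            if optstr[i + 1:i + 2] == ",":  # ',,' is an escaped comma
                cur += ","
                i += 2
                continue
            parts.append(cur)  # a single ',' ends the current option
            cur = ""
        else:
            cur += optstr[i]
        i += 1
    parts.append(cur)
    opts = {}
    for part in parts:
        if part:
            key, _, val = part.partition("=")
            opts[key] = val
    return opts


def drives_relying_on_probing(cmdline):
    """Return the file= value of each -drive that lacks format=."""
    argv = shlex.split(cmdline)
    flagged = []
    for flag, arg in zip(argv, argv[1:]):
        if flag in ("-drive", "--drive"):
            opts = parse_drive_opts(arg)
            if "file" in opts and "format" not in opts:
                flagged.append(opts["file"])
    return flagged


# Constructed sample command line (hypothetical paths).
SAMPLE = ("qemu-system-x86_64 -m 1024 "
          "-drive file=/images/guest-a.img,if=virtio,format=raw "
          "-drive file=/images/guest-b.img,if=virtio "
          "-drive 'file=/images/odd,,name.img,format=qcow2'")

if __name__ == "__main__":
    for path in drives_relying_on_probing(SAMPLE):
        print("no explicit format=, image will be probed:", path)
```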