qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 0/3] vpc: support probing of fixed size images


From: Jeff Cody
Subject: Re: [Qemu-devel] [PATCH 0/3] vpc: support probing of fixed size images
Date: Tue, 12 Aug 2014 09:35:42 -0400
User-agent: Mutt/1.5.21 (2010-09-15)

On Tue, Aug 12, 2014 at 02:20:34PM +0100, Stefan Hajnoczi wrote:
> On Fri, Aug 01, 2014 at 03:39:58PM +0200, Levente Kurusa wrote:
> > Fixed size VPC images do not have a footer, hence the current probe
> > function will fail and QEMU will fall back to the raw_bsd driver, which is
> > not the correct behaviour. The specification of the format says that fixed
> > size images have a footer as the last 512 bytes of the file. The footer is
> > exactly the same as the header would be in the case of dynamically growing
> > images.
> > 
> > For this, we need to read the last 512 bytes of the image, however the
> > current mechanics predominantly read the first 2048 bytes and pass that
> > as a buffer to the probe functions. Solve this by passing the
> > BlockDriverState to the probe functions, hence giving them a chance to read
> > the extra bytes they might need.
> 
> I hesitate to add patches that extend image format probing.  For the
> past few years we have always recommended that image files should not be
> probed.
> 
> Image probing is prone to security issues because a malicious guest can
> modify a raw or vpc image by putting another image format header at
> sector 0.  The next time QEMU opens the image it will detect a different
> format.  One evil trick is to refer to a file on the host file system as
> the backing file, now you can read any file that the QEMU process has
> access to.
> 
> Probing also complicates live migration.  The source host still has the
> image file open and may write to it.  The destination host shouldn't
> even read from the image file before handover to avoid file cache
> coherency issues.
> 
> Probing is broken.  It shouldn't be used.  We shouldn't extend it
> (especially by adding more I/Os).
>

For 2.2, maybe we should limit probing to only certain operations (e.g.
qemu-img info) - or perhaps just remove the capability altogether, or
at least start phasing it out with a warning message that automatic
format detection is deprecated and may be unsafe.

Jeff



reply via email to

[Prev in Thread] Current Thread [Next in Thread]