xen-devel

[Top] [All Lists]

Re: [Xen-devel] Xen 3.4.1 and QCOW - sparse backing file support gone fo

from [Ian Jackson]

[Permanent Link][Original]

To:	Martin Troester <TroyMcClure@xxxxxx>
Subject:	Re: [Xen-devel] Xen 3.4.1 and QCOW - sparse backing file support gone forever?
From:	Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Date:	Mon, 5 Oct 2009 11:05:53 +0100
Cc:	"xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date:	Mon, 05 Oct 2009 03:06:50 -0700
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<4ABD30AC.9050109@xxxxxx>
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References:	<4ABBD9DE.5090103@xxxxxx> <19132.52745.738000.235297@xxxxxxxxxxxxxxxxxxxxxxxx> <4ABD30AC.9050109@xxxxxx>
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx

Martin Troester writes ("Re: [Xen-devel] Xen 3.4.1 and QCOW - sparse backing 
file support gone  forever?"):
> Ian Jackson wrote:
> > If it works for you then your system may have a security problem.  I
> > haven't analysed this use case in detail and it would depend on the
> > exact structure of your storage.
...
> Assuming I offer a user a virtual machine with a qcow2 image backed by 
> another qcow2 image which is ultimately backed by a raw image, how would 
> a user ever get the possibility to modify the first part of the raw 
> image to resemble a qcow header? This seems to be the point where I have 
> problems following your scenario. 

Ah, yes, you are right.  I think your case is safe - provided your
base images are only ever constructed by you.  But if you ever (for
example) fold changes from the upper layers back into the raw base
image and then use that as the new base, you're vulnerable again; or
if you ever accept a raw image from someone else (for testing, say).
So it's possible to avoid the problem by carefully restricting the
operations you perform, but it's hazardous because you need to be
constantly watchful.

Unfortunately to make your case work without reintroducing the
vulnerability for users with simple raw images is not trivial, because
as I say the information about what format is expected (and the
context, which might show that it was safe).

So I would suggest that the best thing for you to do would be to carry
the local change to undo the security fix, and be very careful about
how you use your images.

> I hope I'm not making a fool of myself here, but I thought I'd put my 
> thoughts here to understand where I'm missing the point. If this does 
> not belong to this list, I'd be happy to get your answer via private mail.

No, I think it's fine to have it here.  Sorry to reply late; I've been
away the last week.

Regards,
Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [Xen-devel] Xen 3.4.1 and QCOW - sparse backing file support gone forever?, Ian Jackson <=

Previous by Date:	[Xen-users] About profiling xen, Fasiha Ashraf
Next by Date:	[Xen-devel] [PATCH 22/22] Add netchannel2 VMQ support to an old version of the ixgbe driver., steven.smith
Previous by Thread:	[Xen-users] About profiling xen, Fasiha Ashraf
Next by Thread:	[Xen-devel] [PATCH 0 of 12] backport critical fixes from qemu upstream, Stefano Stabellini
Indexes:	[Date] [Thread] [Top] [All Lists]