xen-devel
RE: [Xen-devel][PATCH]ioemu:fix up error when using qemu-img-xen to crea
Xu, Dongxiao writes ("RE: [Xen-devel][PATCH]ioemu:fix up error when
using qemu-img-xen to create img"):
> Thanks for your ack. We think Yang's patch is right in this
> case. When creating image by command: "qemu-img-xen create -b
> base_image filename -f fmt", if the base_image is in the following
> case as you mentioned:

Thanks for reporting the qemu-img-xen command you were using. I've
reproduced the problem, and I'm about to commit a fix.

The fix makes it impossible to use our qemu-img-xen to create deeper
`nested' cow formats, where the base file is itself a cow image.

Unfortunately this is needed because the way that qemu-img (upstream)
handles its command line arguments doesn't permit the specification of
the image format and (as I explain below) it is wrong to have a
situation where the image format is autoprobed but defaults to raw.

I don't want to carry in our tree the changes necessary to plumb a
format through from the command line.

Xu, Dongxiao writes ("RE: [Xen-devel][PATCH]ioemu:fix up error when
using qemu-img-xen to create img"):
> Ian, could you also help to explain the meaning of "reintroduce the
> image format vulnerability"? Thanks!

Of course. The problem is as follows:

Consider a raw disk image file which is writeable by a guest. (This
is of course one very common usage model.) The guest can write
anything it likes to the image file, including anything to the start
of the file - where the cow header would be if it were a cow file.

So it can, if it likes, write a cow header (qcow2 for example) to the
start of its `virtual disk image'. Qemu's cow headers contain the
pathname of the backing file, and the guest can of course name any
file it likes.

If this image, which is supposedly a raw image, is then opened by any
tool which autoguesses the format, that tool will then spot the cow
header written by the guest and access the backing file (in the
context of the host) specified by the guest.

Depending on the exact circumstances this can allow the guest to get
copies of or even complete read access to any data of its choice in
the host.

Upstream qemu have fixed this problem in a half-hearted way and
evidently their qemu-img is still vulnerable. We have changed the
format-determination code in block.c so that any attempt to autodetect
a format never returns `raw'; that means that any vulnerable code
anywhere is instantly fixed although it may break some existing usages
in cases where we haven't properly plumbed through a specification of
the image format.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
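
An added example, not part of the original message and not qemu's or Xen's code: a host-side check for the situation described above, plus a sketch of the rule that autodetection never yields raw. The function names are hypothetical, only the first 20 bytes of the qcow/qcow2 header (magic, version, backing file offset and size) are parsed, and both sample images are constructed.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"            # magic shared by qcow and qcow2 headers
HEADER = struct.Struct(">4sIQI")   # magic, version, backing_file_offset, backing_file_size


def probe_cow_header(image: bytes):
    """Return (version, backing_file) if image starts with a qcow header, else None."""
    if len(image) < HEADER.size:
        return None
    magic, version, off, size = HEADER.unpack_from(image)
    if magic != QCOW_MAGIC:
        return None
    backing = None
    if off and size and off + size <= len(image):
        backing = image[off:off + size].decode("utf-8", "replace")
    return version, backing


def resolve_format(image: bytes, declared=None):
    """Hypothetical policy helper: autodetection may name a cow format, never 'raw'."""
    if declared is not None:
        return declared            # explicit format: guest-controlled bytes are not consulted
    hdr = probe_cow_header(image)
    if hdr is None:
        raise ValueError("no format given and no cow header found; refusing to assume raw")
    return "qcow2" if hdr[0] >= 2 else "qcow"


def audit_raw_image(image: bytes):
    """For an image configured as raw, report a cow header at its start (None if clean)."""
    hdr = probe_cow_header(image)
    if hdr is None:
        return None
    return f"cow header v{hdr[0]} in raw image, backing file {hdr[1]!r}"


def constructed_sample(backing: str) -> bytes:
    """Constructed test input: the first 20 header bytes, the name, then zero padding."""
    name = backing.encode()
    return HEADER.pack(QCOW_MAGIC, 2, HEADER.size, len(name)) + name + bytes(512)


PLANTED = constructed_sample("/placeholder/host/path")   # placeholder path, constructed
PLAIN = bytes(1024)                                       # ordinary raw data, constructed

if __name__ == "__main__":
    print(audit_raw_image(PLANTED))
    print(resolve_format(PLANTED, declared="raw"))
```

Running `audit_raw_image` over the start of every guest-writeable image that the host configuration declares as raw flags images that an autoguessing tool would treat as cow; a caller that passes the declared format never looks at those bytes at all.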