xen-devel

Re: [Xen-devel] Why cannot HVM open a file as a floppy disk?

To: Akio Takebe <takebe_akio@xxxxxxxxxxxxxx>
Subject: Re: [Xen-devel] Why cannot HVM open a file as a floppy disk?
From: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Date: Tue, 16 Jun 2009 16:10:58 +0100
Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <4A2F31FB.6040308@xxxxxxxxxxxxxx>
Akio Takebe writes ("[Xen-devel] Why cannot HVM open a file as a floppy disk?"):
> I found an issue which we cannot open a file as a floppy disk in HVM guest.
> If I specify fda="/dev/null", I can boot the HVM guest.
> But if I specify fda="/root/floppy.img",
> I cannot boot the HVM guest and xend hangs up.

Unfortunately, it is not possible to autodetect raw formats safely.

> Why did you need to change the line?
> If it's not necessary, is the following patch acceptable?

Here is a description of the problem which my patch fixes:

  Consider a raw disk image file which is writeable by a guest.  (This
  is of course one very common usage model.)  The guest can write
  anything it likes to the image file, including anything to the start
  of the file - where the cow header would be if it were a cow file.

  So it can, if it likes, write a cow header (qcow2 for example) to the
  start of its `virtual disk image'.  Qemu's cow headers contain the
  pathname of the backing file, and the guest can of course name any
  file it likes.

  If this image, which is supposedly a raw image, is then opened by any
  tool which autoguesses the format, that tool will then spot the cow
  header written by the guest and access the backing file (in the
  context of the host) specified by the guest.

  Depending on the exact circumstances this can allow the guest to get
  copies of or even complete read access to any data of its choice in
  the host.

  Upstream qemu have fixed this problem in a half-hearted way and
  evidently their qemu-img is still vulnerable.  We have changed the
  format-determination code in block.c so that any attempt to autodetect
  a format never returns `raw'; that means that any vulnerable code
  anywhere is instantly fixed although it may break some existing usages
  in cases where we haven't properly plumbed through a specification of
  the image format.

Does anyone use Xen with non-raw floppy disk images in disk files?
If not then we can fix the problem by having the floppy driver device
model explicitly specify bdrv_raw to the block layer, eliminating the
format auto-guessing.

Ian.
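
Added example, not part of the message above and not Xen or qemu code: a host-side audit that reads the first bytes of an image that is configured as raw and reports whether a format-guessing tool would treat it as a qcow image with a backing file. It assumes the qcow/qcow2 header layout (magic `QFI\xfb`, then big-endian version, backing-file offset and backing-file size); the function names and the sample bytes are constructed for illustration.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"  # first four bytes of a qcow/qcow2 header
OUTSIDE = "<outside sampled bytes>"


def probe_cow_header(head: bytes):
    """Return None if `head` does not start with a qcow header, otherwise a
    dict with the header version and the backing-file name it refers to."""
    if len(head) < 20 or head[:4] != QCOW_MAGIC:
        return None
    # Big-endian: magic, version, backing_file_offset, backing_file_size
    _, version, bf_off, bf_len = struct.unpack(">4sIQI", head[:20])
    backing = None
    if bf_off and bf_len:
        name = head[bf_off:bf_off + bf_len]
        # The name may lie beyond the sampled bytes; say so instead of guessing.
        backing = name.decode("utf-8", "replace") if len(name) == bf_len else OUTSIDE
    return {"version": version, "backing_file": backing}


def audit_raw_image(path: str, sample: int = 4096):
    """Probe the start of an image file that the configuration declares raw."""
    with open(path, "rb") as f:
        return probe_cow_header(f.read(sample))


def constructed_samples():
    """Constructed inputs: a plain raw image start and one carrying a header."""
    placeholder = b"/constructed/placeholder/backing.img"
    header = struct.pack(">4sIQI", QCOW_MAGIC, 2, 72, len(placeholder))
    with_header = header.ljust(72, b"\0") + placeholder
    plain_raw = b"\0" * 510 + b"\x55\xaa"  # boot-sector-like, no qcow magic
    return plain_raw, with_header


if __name__ == "__main__":
    for label, data in zip(("plain raw", "header present"), constructed_samples()):
        result = probe_cow_header(data)
        if result is None:
            print(f"{label}: no cow header, safe to treat as raw")
        else:
            print(f"{label}: probes as qcow v{result['version']}, "
                  f"backing file {result['backing_file']!r}; open only with an explicit raw format")
```

A non-None result for an image that is supposed to be raw means any tool opening it without an explicit format would follow the embedded backing-file reference.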
