
Re: [Qemu-devel] [PATCH for-2.3 1/1] block: New command line option --mi


From: Markus Armbruster
Subject: Re: [Qemu-devel] [PATCH for-2.3 1/1] block: New command line option --misc format-probing=off
Date: Mon, 23 Mar 2015 21:42:37 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)

Paolo Bonzini <address@hidden> writes:

> On 23/03/2015 11:04, Markus Armbruster wrote:
>> Probing is convenient, but probing untrusted raw images is insecure
>> (CVE-2008-2004).  To avoid it, users should always specify raw format
>> explicitly.  This isn't trivial, and even sophisticated users have
>> gotten it wrong (libvirt CVE-2010-2237, CVE-2010-2238, CVE-2010-2239,
>> plus more recent variations of the theme that didn't get CVEs because
>> they were caught before they could hurt users).
>> 
>> Disabling probing entirely is a (hamfisted) way to ensure you always
>> specify the format.
>> 
>> Instead of creating yet another simple option that doesn't work with
>> -readconfig, create a "misc" option group and --misc command line
>> option.  We're out of space in vm_config_groups[], so double it.
>> 
>> This will let us make existing miscellaneous non-QemuOpts options
>> sugar for --misc, so they become available with -readconfig.  Left for
>> another day.
>
> Which exactly?  Could they fit into another scheme?  (See how
> -mem-prealloc was replaced and generalized by memory-backend-* objects).
>
> For example, -win2k-install-hack should really be an IDE disk property
> that can be set with -global, and many other options could be machine or
> display options.
>
> I don't think it's the right solution.  Libvirt knows where to add a
> format=raw option, and it can do it without waiting for QEMU to
> implement this.  Direct command-line users are not going to use the
> option anyway.

Two separate bones of contention here:

1. Do we want to give libvirt the bug insurance it wants?

2. Is --misc sane?

We're discussing 1. elsewhere already.

Regarding 2.: if anyone has a better idea on how to do the command line
switch, I'm all ears.

Eyeballing vl.c, I suspect these options don't use QemuOpts, thus don't
support -readconfig:

    nodefconfig
    nouserconfig
    cpu
    snapshot
    display
    nographic
    curses
    portrait
    rotate
    no-fd-bootchk
    tftp
    bootp
    redir
    audio_help
    soundhw
    help
    version
    mempath
    mem-prealloc
    d
    D
    s
    L
    singlestep
    S
    k
    localtime
    vga
    g
    echr
    watchdog
    watchdog-action
    loadvm
    full-screen
    no-frame
    alt-grab
    ctrl-grab
    no-quit
    sdl
    pidfile
    win2k-hack
    rtc-td-hack
    no-kvm-pit-reinjection
    no-acpi
    no-hpet
    no-reboot
    no-shutdown
    show-cursor
    uuid
    semihosting
    prom-env
    startdate
    tb-size
    incoming
    nodefaults
    xen-domid
    xen-attach
    qtest
    qtest-log
    dump-vmstate
    smb
    runas
    chroot
    daemonize
    enable-fips

Unless we stop adding more, we'll never get --readconfig reasonably
complete.

>
> So for today we're 1-1 on NACKs. :D

I NACKed something today?

All I remember is advising to disable sdhci-pci instead of changing how
it's hacked up.
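
Added example, not part of the original message and not QEMU or libvirt code: a small audit that reads a QEMU command line and reports every disk whose image format QEMU would have to probe, i.e. a `-drive` with `file=` but no `format=`, or the `-hda`..`-hdd` shorthand, which cannot name a format. The helper names and the sample command line are constructed for illustration; only the `format` key is checked.

```python
import shlex

# Shorthand for "-drive file=...": there is no place to name a format.
LEGACY_DISK_FLAGS = {"-hda", "-hdb", "-hdc", "-hdd"}

def parse_qemu_opts(optstr):
    """Split a QemuOpts-style string into a dict; ',,' is a literal comma."""
    parts, cur, i = [], "", 0
    while i < len(optstr):
        if optstr[i] == ",":
            if optstr[i + 1:i + 2] == ",":   # escaped comma inside a value
                cur += ","
                i += 2
                continue
            parts.append(cur)
            cur = ""
        else:
            cur += optstr[i]
        i += 1
    parts.append(cur)
    opts = {}
    for part in parts:
        if part:
            key, _, value = part.partition("=")
            opts[key] = value
    return opts

def find_probed_drives(cmdline):
    """Return (flag, file) pairs for disks given without an explicit format."""
    argv = shlex.split(cmdline)
    findings = []
    for flag, arg in zip(argv, argv[1:]):
        if not flag.startswith("-"):
            continue
        name = "-" + flag.lstrip("-")        # accept both -drive and --drive
        if name == "-drive":
            opts = parse_qemu_opts(arg)
            if opts.get("file") and not opts.get("format"):
                findings.append((name, opts["file"]))
        elif name in LEGACY_DISK_FLAGS:
            findings.append((name, arg))
    return findings

# Constructed sample command line (not taken from the thread).
SAMPLE = ("qemu-system-x86_64 -m 1024 "
          "-drive file=/img/guest1.img,if=virtio,format=raw "
          "-drive file=/img/a,,b.img,if=virtio "
          "-drive if=ide,media=cdrom -hda /img/old.img")

if __name__ == "__main__":
    for flag, path in find_probed_drives(SAMPLE):
        print(f"{flag}: format of {path} would be probed")
```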


