Re: [PATCH v3 4/4] qemu-img: Deprecate use of -b without -F

[Eric Blake]

On 3/9/20 10:31 AM, Kashyap Chamarthy wrote:
> On Fri, Mar 06, 2020 at 04:51:21PM -0600, Eric Blake wrote:
> > Creating an image that requires format probing of the backing image is
> > inherently unsafe (we've had several CVEs over the years based on

> > +qemu-img backing file without format (since 5.0.0)
> > +''''''''''''''''''''''''''''''''''''''''''''''''''
> > +
> > +The use of ``qemu-img create``, ``qemu-img rebase``, ``qemu-img
> > +convert``, or ``qemu-img amend`` to create or modify an image that
> > +depends on a backing file now recommends that an explicit backing
> > +format be provided.  This is for safety: if qemu probes a different
> > +format than what you thought, the data presented to the guest will be
> > +corrupt; similarly, presenting a raw image to a guest allows a
> > +potential security exploit if a future probe sees a non-raw image
> > +based on guest writes.  To avoid the warning message, or even future
> > +refusal to create an unsafe image, you must pass ``-o backing_fmt=``
> > +(or the shorthand ``-F`` during create) to specify the intended
> > +backing format.  You may use ``qemu-img rebase -u`` to retroactively
> > +add a backing format to an existing image.  However, be aware that
> > +there are already potential security risks to blindly using ``qemu-img
> > +info`` to probe the format of an untrusted backing image, when
> > +deciding what format to add into an existing image.
>
> Nit: s/qemu/QEMU/g/
>
> Ultra Nit: should this paragraph be broken down into two?  Experience
> tells people usually feel deterred read "substantial paragraphs" :-)

Shoot, I missed incorporating this comment during my v4 posting. It's 
now changed in my local tree, but I'll hold off on a v5 unless other 
review warrants it.

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org