Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing

[Stefan Hajnoczi]

On Thu, Oct 30, 2014 at 10:07:26AM +0100, Markus Armbruster wrote:
> Stefan Hajnoczi <address@hidden> writes:
> 
> > On Wed, Oct 29, 2014 at 02:54:32PM +0100, Markus Armbruster wrote:
> >> Kevin Wolf <address@hidden> writes:
> >> 
> >> > Am 28.10.2014 um 17:03 hat Markus Armbruster geschrieben:
> >> > Instead, let me try once more to sell my old proposal [1] from the
> >> > thread you mentioned:
> >> >
> >> >> What if we let the raw driver know that it was probed and then it
> >> >> enables a check that returns -EIO for any write on the first 2k if that
> >> >> write would make the image look like a different format?
> >> >
> >> > Attacks the problem where it arises instead of trying to detect the
> >> > outcome of it, and works in whatever way it is nested in the BDS graph
> >> > and whatever way is used to address the image file.
> >
> > I think this is too clever.  It's another thing to debug if a guest
> > starts hitting EIO.
> >
> > My opinion on probing is: it's ugly but let's leave it for QEMU 3.0 at
> > which point we implement Markus solution with exit(1).
> 
> I regard my patch as a necessary preliminary step for that.  Warn now,
> change behavior a couple of releases later.  When exactly is debatable.
> 
> > In the meantime the CVE has been known for a long time so vulnerable
> > users (VM hosting, cloud, etc) have the information they need.  Many are
> > automatically protected by libvirt.
> 
> The warning hopefully helps libvirt developers with keeping libvirt
> users fully protected.

I'm happy with this approach (haven't reviewed the patches in detail
yet).

Stefan

pgpKW_mnUV4pb.pgp
Description: PGP signature