
Re: [Xen-devel] [PATCH] QEMU "drive_init()" Disk Format Security Bypass



Markus Armbruster writes ("Re: [Xen-devel] [PATCH] QEMU "drive_init()" Disk 
Format Security Bypass"):
> I'm looking at xen-unstable cset 17606 and 17646.  If I understand
> your patches correctly, you attack the security problem in two places:
> 
> (1) make format probing never return raw, and

Right.  That's a safety catch so that there's no vulnerability in any
cases I missed, of which I was definitely expecting some.

> (2) provide means to specify the format explicitly, bypassing probing.
> 
> You put (2) in xenstore_parse_domain_config().  I can see how that
> works for block devices defined in the domain configuration.  But what
> about USB disks?  I created a guest with the following settings:
...
> The -usbdevice argument is ultimately processed by usb_device_add(),
> which calls usb_msd_init() to do the real work.  I think we get (1),
> but not (2) there, i.e. your change breaks raw format USB disks.

That's quite likely.  I hadn't spotted that separate arrangement.  The
best thing to do would probably be to cross-port the format
parameter code which upstream have introduced in this area to (mostly)
fix the bug in their version.  I'll look into it.

Ian.
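
An added illustration of the two measures discussed in this message, not code from the Xen or QEMU trees: probing that never yields raw, and an explicit format that bypasses probing. All names (`probe_format`, `choose_format`, `enum disk_fmt`) and the sample sectors are constructed for the example; it also shows why a code path that passes no explicit format, as described for USB disks, can no longer open a raw image.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not QEMU's block-layer API. */
enum disk_fmt { FMT_NONE = 0, FMT_RAW, FMT_QCOW };

/* Constructed sample sectors: a raw disk with no image header, and a raw
 * disk whose first bytes carry the qcow magic (sector 0 of a raw disk is
 * guest-writable data). */
static const unsigned char raw_sector[8] = { 0 };
static const unsigned char planted[8] = { 'Q', 'F', 'I', 0xfb, 0, 0, 0, 1 };

/* (1) Probe by header magic only. Never returns FMT_RAW: "no magic found"
 * is reported as "unknown", so raw is only ever chosen on purpose. */
static enum disk_fmt probe_format(const unsigned char *hdr, size_t len)
{
    if (len >= 4 && memcmp(hdr, "QFI\xfb", 4) == 0)
        return FMT_QCOW;
    return FMT_NONE;
}

/* (2) A format named in the configuration bypasses probing entirely, so
 * the header bytes are not consulted at all. */
static enum disk_fmt choose_format(const char *explicit_fmt,
                                   const unsigned char *hdr, size_t len)
{
    if (explicit_fmt != NULL) {
        if (strcmp(explicit_fmt, "raw") == 0)
            return FMT_RAW;
        if (strcmp(explicit_fmt, "qcow") == 0)
            return FMT_QCOW;
        return FMT_NONE;    /* unknown name: refuse, do not fall back */
    }
    return probe_format(hdr, len);
}

int main(void)
{
    /* Caller with no format parameter: raw disk is refused (prints 0). */
    printf("no format, raw disk:   %d\n",
           choose_format(NULL, raw_sector, sizeof raw_sector));
    /* Explicit raw: header bytes are ignored (prints 1). */
    printf("format=raw, qcow magic: %d\n",
           choose_format("raw", planted, sizeof planted));
    return 0;
}
```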
