[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [Xen-devel][PATCH]ioemu:fix up error when using qemu-img-xen to create img
Xu, Dongxiao writes ("RE: [Xen-devel][PATCH]ioemu:fix up error when using qemu-img-xen to create img"): > Thanks for your ack. We think Yang's patch is right in this > case. When creating image by command: "qemu-img-xen create -b > base_image filename -f fmt", if the base_image is in the following > case as you mentioned: Thanks for reporting the qemu-img-xen command you were using. I've reproduced the problem, and I'm about to commit a fix. The fix makes it impossible to use our qemu-img-xen to create deeper `nested' cow formats, where the base file is itself a cow image. Unfortunately this is needed because the way that qemu-img (upstream) handles its command line arguments doesn't permit the specification of the image format and (as I explain below) it is wrong to have a situation where the image format is autoprobed but defaults to raw. I don't want to carry in our tree the changes necessary to plumb a format through from the command line. Xu, Dongxiao writes ("RE: [Xen-devel][PATCH]ioemu:fix up error when using qemu-img-xen to create img"): > Ian, could you also help to explain the meaning of "reintroduce the > image format vulnerability"? Thanks! Of course. The problem is as follows: Consider a raw disk image file which is writeable by a guest. (This is of course one very common usage model.) The guest can write anything it likes to the image file, including anything to the start of the file - where the cow header would be if it were a cow file. So it can, if it likes, write a cow header (qcow2 for example) to the start of its `virtual disk image'. Qemu's cow headers contain the pathname of the backing file, and the guest can of course name any file it likes. If this image, which is supposedly a raw image, is then opened by any tool which autoguesses the format, that tool will then spot the cow header written by the guest and access the backing file (in the context of the host) specified by the guest. Depending on the exact circumstances this can allow the guest to get copies of or even complete read access to any data of its choice in the host. Upstream qemu have fixed this problem in a half-hearted way and evidently their qemu-img is still vulnerable. We have changed the format-determination code in block.c so that any attempt to autodetect a format never returns `raw'; that means that any vulnerable code anywhere is instantly fixed although it may break some existing usages in cases where we haven't properly plumbed through a specification of the image format. Ian. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |