From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:47727) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YZzEZ-0002jM-UU for qemu-devel@nongnu.org; Mon, 23 Mar 2015 06:05:29 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YZzEV-0005Ba-FE for qemu-devel@nongnu.org; Mon, 23 Mar 2015 06:05:23 -0400 From: Markus Armbruster Date: Mon, 23 Mar 2015 11:04:59 +0100 Message-Id: <1427105099-12889-2-git-send-email-armbru@redhat.com> In-Reply-To: <1427105099-12889-1-git-send-email-armbru@redhat.com> References: <1427105099-12889-1-git-send-email-armbru@redhat.com> Subject: [Qemu-devel] [PATCH for-2.3 1/1] block: New command line option --misc format-probing=off List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: kwolf@redhat.com, stefanha@redhat.com, qemu-block@nongnu.org, mreitz@redhat.com Probing is convenient, but probing untrusted raw images is insecure (CVE-2008-2004). To avoid it, users should always specify raw format explicitly. This isn't trivial, and even sophisticated users have gotten it wrong (libvirt CVE-2010-2237, CVE-2010-2238, CVE-2010-2239, plus more recent variations of the theme that didn't get CVEs because they were caught before they could hurt users). Disabling probing entirely is a (hamfisted) way to ensure you always specify the format. Instead of creating yet another simple option that doesn't work with -readconfig, create a "misc" option group and --misc command line option. We're out of space in vm_config_groups[], so double it. This will let us make existing miscellaneous non-QemuOpts options sugar for --misc, so they become available with -readconfig. Left for another day.
Signed-off-by: Markus Armbruster
---
 block.c | 6 ++++++
 include/block/block.h | 2 ++
 qemu-options.hx | 15 +++++++++++++++
 util/qemu-config.c | 2 +-
 vl.c | 22 ++++++++++++++++++++++
 5 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/block.c b/block.c
index 0fe97de..fe65aeb 100644
--- a/block.c
+++ b/block.c
@@ -103,6 +103,7 @@ static void bdrv_reset_dirty(BlockDriverState *bs, int64_t cur_sector,
 int nr_sectors);
 /* If non-zero, use only whitelisted block drivers */
 static int use_bdrv_whitelist;
+bool bdrv_image_probing_disabled;
 #ifdef _WIN32
 static int is_windows_drive_prefix(const char *filename)
@@ -751,6 +752,11 @@ static int find_image_format(BlockDriverState *bs, const char *filename,
 return ret;
 }
+ if (bdrv_image_probing_disabled) {
+ error_setg(errp, "Format not specified and image probing disabled");
+ return -EINVAL;
+ }
+
 ret = bdrv_pread(bs, 0, buf, sizeof(buf));
 if (ret < 0) {
 error_setg_errno(errp, -ret, "Could not read image for determining its "
diff --git a/include/block/block.h b/include/block/block.h
index 4c57d63..3485b9b 100644
--- a/include/block/block.h
+++ b/include/block/block.h
@@ -162,6 +162,8 @@ typedef enum BlockOpType {
 BLOCK_OP_TYPE_MAX,
 } BlockOpType;
+extern bool bdrv_image_probing_disabled;
+
 void bdrv_iostatus_enable(BlockDriverState *bs);
 void bdrv_iostatus_reset(BlockDriverState *bs);
 void bdrv_iostatus_disable(BlockDriverState *bs);
diff --git a/qemu-options.hx b/qemu-options.hx
index 319d971..b6cdae2 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
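Review bot: `bdrv_image_probing_disabled` is added as a writable global with no comment, directly below a comment that describes `use_bdrv_whitelist`, and the `extern` declaration in include/block/block.h is undocumented as well. Since this flag decides whether an unspecified format is rejected or guessed, I would document it at its definition, e.g. `/* If true, opening an image without an explicit format fails instead of probing */`. In this patch only vl.c assigns it, so any other program that links block.c (qemu-img, for instance, unless it gets its own switch) keeps the default of probing enabled; the comment in the header should say so.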
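Review bot: The new check in find_image_format() sits after an earlier exit, visible here only as the context lines `return ret; }`, so whatever that branch handles still gets a driver chosen without the user having named a format. The branch's condition is outside the hunk; if it can only ever select raw this is harmless, but then a comment next to the check should say so, and otherwise the check belongs at the top of the function so that `format-probing=off` always means an unspecified format is refused. The error text also does not say which image was refused: `filename` is in scope, so `error_setg(errp, "Format not specified for '%s' and image probing disabled", filename);` would make a failure in a multi-drive or backing-chain setup diagnosable, assuming `filename` is always a valid string at this point.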
@@ -963,6 +963,21 @@ STEXI
 Disable SDL window close capability.
 ETEXI
+DEF("misc", HAS_ARG, QEMU_OPTION_misc,
+ "-misc [format-probing=on|off]\n", QEMU_ARCH_ALL)
+STEXI
+@item -misc
+@findex -misc @var{name}[=@var{value},...
+Miscellaneous settings:
+@table @option
+@item format-probing=on|off
+Enable or disable block image format probing. Default is enable.
+Probing is convenient, but probing untrusted raw images is insecure.
+To avoid it, always specify raw format explicitly. Disabling probing
+entirely is a (hamfisted) way to ensure you do.
+@end table
+ETEXI
+
 DEF("sdl", 0, QEMU_OPTION_sdl,
 "-sdl enable SDL\n", QEMU_ARCH_ALL)
 STEXI
diff --git a/util/qemu-config.c b/util/qemu-config.c
index f3463df..a35cb32 100644
--- a/util/qemu-config.c
+++ b/util/qemu-config.c
@@ -7,7 +7,7 @@
 #include "qapi/error.h"
 #include "qmp-commands.h"
-static QemuOptsList *vm_config_groups[32];
+static QemuOptsList *vm_config_groups[64];
 static QemuOptsList *drive_config_groups[4];
 static QemuOptsList *find_list(QemuOptsList **lists, const char *group,
diff --git a/vl.c b/vl.c
index 75ec292..991d86c 100644
--- a/vl.c
+++ b/vl.c
@@ -490,6 +490,18 @@ static QemuOptsList qemu_semihosting_config_opts = {
 },
 };
+static QemuOptsList qemu_misc_opts = {
+ .name = "misc",
+ .head = QTAILQ_HEAD_INITIALIZER(qemu_misc_opts.head),
+ .desc = {
+ {
+ .name = "format-probing",
+ .type = QEMU_OPT_BOOL,
+ },
+ { /* end of list */ }
+ },
+};
+
 /**
 * Get machine options
 *
@@ -2806,6 +2818,7 @@ int main(int argc, char **argv, char **envp)
 qemu_add_opts(&qemu_numa_opts);
 qemu_add_opts(&qemu_icount_opts);
 qemu_add_opts(&qemu_semihosting_config_opts);
+ qemu_add_opts(&qemu_misc_opts);
 runstate_init();
@@ -3381,6 +3394,12 @@ int main(int argc, char **argv, char **envp)
 case QEMU_OPTION_no_quit:
 no_quit = 1;
 break;
+ case QEMU_OPTION_misc:
+ opts = qemu_opts_parse(qemu_find_opts("misc"), optarg, 0);
+ if (!opts) {
+ exit(1);
+ }
+ break;
 case QEMU_OPTION_sdl:
 #ifdef CONFIG_SDL
 display_type = DT_SDL;
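Review bot: The `@item`/`@findex` lines look transposed: the argument syntax `@var{name}[=@var{value},...` hangs off `@findex -misc` instead of `@item -misc`, and its `[` is never closed. I would write `@item -misc @var{name}[=@var{value}][,...]` followed by a bare `@findex -misc`. The description says probing untrusted raw images is insecure without saying why; one sentence would let readers judge the risk, e.g. `A guest can write another format's header into a raw image, and the next probe then treats guest data as image metadata.` "Default is enable" would read better as "Probing is enabled by default".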
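Review bot: `vm_config_groups[64]` replaces one hand-picked bound with another, and nothing in the hunk ties it to the number of `qemu_add_opts()` calls that fill the array. How registration behaves once the array is full is not visible here, so I would at least leave a comment such as `/* must have room for every group registered with qemu_add_opts() */`. Ideally the resize goes into its own patch, so that the security option does not carry an unrelated change.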
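Review bot: `qemu_misc_opts` does not set `.merge_lists`, so, if I read the QemuOpts code correctly, every `-misc` on the command line (and every `[misc]` section read with -readconfig) becomes a separate QemuOpts, while the last vl.c hunk looks up just one of them with `qemu_opts_find(qemu_find_opts("misc"), NULL)`. A `format-probing=off` given in a second `-misc` could then be ignored and probing would stay on without any error, which is the wrong way for a security switch to fail. Adding `.merge_lists = true,` to the initializer should make repeated options accumulate into one group; please confirm against qemu_opts_parse() and add a test that passes the option twice.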
@@ -4158,6 +4177,9 @@ int main(int argc, char **argv, char **envp)
 }
 /* open the virtual block devices */
+ bdrv_image_probing_disabled =
+ !qemu_opt_get_bool(qemu_opts_find(qemu_find_opts("misc"), NULL),
+ "format-probing", true);
 if (snapshot)
 qemu_opts_foreach(qemu_find_opts("drive"), drive_enable_snapshot, NULL, 0);
 if (qemu_opts_foreach(qemu_find_opts("drive"), drive_init_func,
--
1.9.3
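Review bot: The assignment is inserted between the comment `/* open the virtual block devices */` and the code that comment describes, so the comment now labels the flag setup instead. I would move the new statement above that comment and give it its own, e.g. `/* must be set before any image is opened */`, which also records the ordering this code depends on. `qemu_opts_find()` presumably returns NULL when no `-misc` was given, so the line relies on `qemu_opt_get_bool()` accepting a NULL opts and returning the default; that is worth checking or stating. main() continues outside the hunk.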