Why cannot HVM open a file as a floopy disk?

Why cannot HVM open a file as a floopy disk?

[Akio Takebe]

Hi, Ian

I found a issue which we cannot open a file as a floppy disk in HVM guest.
If I specify fda="/dev/null", I can boot the HVM guest.
But if I specify fda="/root/floppy.img",
I cannot boot the HVM guest and xend hungs up.

I found your patch of 8e45e56e7c20e2918c2141a11134c217aa30b07e of ioemu-remote.
The cause is the following part.
============================================================================
 static BlockDriver *find_protocol(const char *filename)
 {
+    /* Return values:
+     *   &bdrv_xxx
+     *      filename specifies protocol xxx
+     *      caller should use that
+     *   NULL                    filename does not specify any protocol
+     *       caller may apply their own default
+     *   &bdrv_invalid_protocol  filename speciies an unknown protocol
+     *       caller should return -ENOENT; or may just try to open with
+     *       that bdrv, which always fails that way.
+     */
     BlockDriver *drv1;
     char protocol[128];
     int len;
@@ -240,7 +260,7 @@ static BlockDriver *find_protocol(const char *filename)
 #endif
     p = strchr(filename, ':');
     if (!p)
-        return &bdrv_raw;
+        return NULL;       <<<<<<***HERE***
     len = p - filename;
     if (len > sizeof(protocol) - 1)
         len = sizeof(protocol) - 1;
@@ -251,7 +271,7 @@ static BlockDriver *find_protocol(const char *filename)
             !strcmp(drv1->protocol_name, protocol))
             return drv1;
     }
-    return NULL;
+    return &bdrv_invalid_protocol;
 }
============================================================================

qemu-dm fails because find_protocol() doesn't return "raw" format.
Why did you need to change the line?
If it's not necessary, is the following patch acceptable?

Signed-off-by: Akio Takebe <takebe_akio@jp.fujitsu.com>

Best Regards,

Akio Takebe

---
diff --git a/block.c b/block.c
index 36f5eb9..0c0c1a5 100644
--- a/block.c
+++ b/block.c
@@ -262,7 +262,7 @@ static BlockDriver *find_protocol(const char *filename)
 #endif
     p = strchr(filename, ':');
     if (!p)
-        return NULL;
+        return &bdrv_raw;
     len = p - filename;
     if (len > sizeof(protocol) - 1)
         len = sizeof(protocol) - 1;

Re: Why cannot HVM open a file as a floopy disk?

[Ian Jackson]

Akio Takebe writes ("[Xen-devel] Why cannot HVM open a file as a floopy disk?"):
> I found a issue which we cannot open a file as a floppy disk in HVM guest.
> If I specify fda="/dev/null", I can boot the HVM guest.
> But if I specify fda="/root/floppy.img",
> I cannot boot the HVM guest and xend hungs up.

Unfortunately, it is not possible to autodetect raw formats safely.

> Why did you need to change the line?
> If it's not necessary, is the following patch acceptable?

Here is a description of the problem which my patch fixes:

  Consider a raw disk image file which is writeable by a guest.  (This
  is of course one very common usage model.)  The guest can write
  anything it likes to the image file, including anything to the start
  of the file - where the cow header would be if it were a cow file.

  So it can, if it likes, write a cow header (qcow2 for example) to the
  start of its `virtual disk image'.  Qemu's cow headers contain the
  pathname of the backing file, and the guest can of course name any
  file it likes.

  If this image, which is supposedly a raw image, is then opened by any
  tool which autoguesses the format, that tool will then spot the cow
  header written by the guest and access the backing file (in the
  context of the host) specified by the guest.

  Depending on the exact circumstances this can allow the guest to get
  copies of or even complete read access to any data of its choice in
  the host.

  Upstream qemu have fixed this problem in a half-hearted way and
  evidently their qemu-img is still vulnerable.  We have changed the
  format-determination code in block.c so that any attempt to autodetect
  a format never returns `raw'; that means that any vulnerable code
  anywhere is instantly fixed although it may break some existing usages
  in cases where we haven't properly plumbed through a specification of
  the image format.

Does anyone use Xen with non-raw floppy disk images in disk files ?
If not then we can fix the problem by having the floppy driver device
model explictly specify bdrv_raw to the block layer, eliminating the
format auto-gessing.

Ian.

Re: Why cannot HVM open a file as a floopy disk?

[Akio Takebe]

Hi, Ian

Ian Jackson wrote:
> Akio Takebe writes ("[Xen-devel] Why cannot HVM open a file as a floopy disk?"):
>> I found a issue which we cannot open a file as a floppy disk in HVM guest.
>> If I specify fda="/dev/null", I can boot the HVM guest.
>> But if I specify fda="/root/floppy.img",
>> I cannot boot the HVM guest and xend hungs up.
> 
> Unfortunately, it is not possible to autodetect raw formats safely.
> 
>> Why did you need to change the line?
>> If it's not necessary, is the following patch acceptable?
> 
> Here is a description of the problem which my patch fixes:
> 
>   Consider a raw disk image file which is writeable by a guest.  (This
>   is of course one very common usage model.)  The guest can write
>   anything it likes to the image file, including anything to the start
>   of the file - where the cow header would be if it were a cow file.
> 
>   So it can, if it likes, write a cow header (qcow2 for example) to the
>   start of its `virtual disk image'.  Qemu's cow headers contain the
>   pathname of the backing file, and the guest can of course name any
>   file it likes.
> 
>   If this image, which is supposedly a raw image, is then opened by any
>   tool which autoguesses the format, that tool will then spot the cow
>   header written by the guest and access the backing file (in the
>   context of the host) specified by the guest.
> 
>   Depending on the exact circumstances this can allow the guest to get
>   copies of or even complete read access to any data of its choice in
>   the host.
> 
>   Upstream qemu have fixed this problem in a half-hearted way and
>   evidently their qemu-img is still vulnerable.  We have changed the
>   format-determination code in block.c so that any attempt to autodetect
>   a format never returns `raw'; that means that any vulnerable code
>   anywhere is instantly fixed although it may break some existing usages
>   in cases where we haven't properly plumbed through a specification of
>   the image format.
> 
> Does anyone use Xen with non-raw floppy disk images in disk files ?
> If not then we can fix the problem by having the floppy driver device
> model explictly specify bdrv_raw to the block layer, eliminating the
> format auto-gessing.
> 
Thank you very much for your elaborating.
We usually use /dev/floppy of dom0 as floppy disk of guest.
So a raw format floppy disk is not important.
The restriction is reasonable, but xend would need to be fixed because it hangup.
Also I concern about a emulate ide disk of the raw format.
Is it also vulnerable?

Best Regards,

Akio Takebe

Re: Why cannot HVM open a file as a floopy disk?

[Ian Jackson]

Akio Takebe writes ("Re: [Xen-devel] Why cannot HVM open a file as a floopy disk?"):
> Thank you very much for your elaborating.
> We usually use /dev/floppy of dom0 as floppy disk of guest.

Right, and the code specifically checks whether the backing object in
dom0 is a block device, and if so treats it unconditionally as raw.

> So a raw format floppy disk is not important.

I'm not sure what you're saying ?  I asked:
  Does anyone use Xen with non-raw floppy disk images in disk files ?

> The restriction is reasonable, but xend would need to be fixed
> because it hangup.

The error handling is appallingly bad, I'm afraid.

> Also I concern about a emulate ide disk of the raw format.
> Is it also vulnerable?

No, there are no vulnerabilities of this kind in our tree - precisely
because of the refusal of the format-guessing algorithm to return
`raw', which is a change I introduced.  The effect is that any attempt
to provide a raw image, in circumstances where the code attempts to
guess the format, fails.

In upstream qemu the default configuration is vulnerable, I think, for
most block devices, but I haven't double-checked the latest code.  On
the other hand in general in recent upstream qemu it is always
possible to specify the format, elminating the problem.

Ian.

Re: Why cannot HVM open a file as a floopy disk?

[Akio Takebe]

>Akio Takebe writes ("Re: [Xen-devel] Why cannot HVM open a file as a floopy 
>disk?"):
>> Thank you very much for your elaborating.
>> We usually use /dev/floppy of dom0 as floppy disk of guest.
>
>Right, and the code specifically checks whether the backing object in
>dom0 is a block device, and if so treats it unconditionally as raw.
>
>> So a raw format floppy disk is not important.
>
>I'm not sure what you're saying ?  I asked:
>  Does anyone use Xen with non-raw floppy disk images in disk files ?
I thought /dev/floppy is treated as bdrv_host_device
rather than bdrv_raw.
Does raw format mean both bdrv_host_device and bdrv_raw?

>
>> The restriction is reasonable, but xend would need to be fixed
>> because it hangup.
>
>The error handling is appallingly bad, I'm afraid.
>
>> Also I concern about a emulate ide disk of the raw format.
>> Is it also vulnerable?
>
>No, there are no vulnerabilities of this kind in our tree - precisely
>because of the refusal of the format-guessing algorithm to return
>`raw', which is a change I introduced.  The effect is that any attempt
>to provide a raw image, in circumstances where the code attempts to
>guess the format, fails.
>
>In upstream qemu the default configuration is vulnerable, I think, for
>most block devices, but I haven't double-checked the latest code.  On
>the other hand in general in recent upstream qemu it is always
>possible to specify the format, elminating the problem.
Thank you, I understand.

Best Regards,

Akio Takebe