From: Kevin Wolf
Date: Tue, 4 Nov 2014 16:37:15 +0100
Subject: Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing
To: Stefan Hajnoczi
Cc: jcody@redhat.com, Max Reitz, Markus Armbruster, qemu-devel@nongnu.org
Message-ID: <20141104153715.GG4119@noname.redhat.com>
In-Reply-To: <20141104152544.GA28330@stefanha-thinkpad.redhat.com>

On 04.11.2014 at 16:25, Stefan Hajnoczi wrote:
> On Tue, Nov 04, 2014 at 11:11:33AM +0100, Kevin Wolf wrote:
> > On 03.11.2014 at 16:05, Stefan Hajnoczi wrote:
> > > The argument that there might not be a traditional filename doesn't make
> > > sense to me. When there is no filename the command-line is already
> > > sufficiently complex and usage is fancy enough that probing adds no
> > > convenience, the user can just specify the format.
> >
> >     -hda nbd://localhost
> >     -drive file=nbd://localhost,format=raw
> >
> > Almost double the length, and I don't see anything fancy in the first
> > line.
> >
> > > Anyway, does this sound reasonable:
> > >
> > > In QEMU 3.0, require the format= option for -drive. Keep probing the
> > > way it is for non-drive options because they are used for convenience by
> > > local users.
> >
> > And being hacked while using -hda is better in which way?
>
> Markus is proposing that we look at the filename extension. In that
> case QEMU cannot be tricked by the contents of a raw image.
>
> That makes -hda perfectly safe although there are cases where QEMU
> doesn't know what to do and requires format=.

Wait, by "keep probing the way it is" you mean implementing one of the
other proposals? So you're only suggesting being stricter on -drive as
an additional measure?

> I do worry that changing QEMU's probing behavior drastically can lead to
> consistencies where libvirt does its own probing :(. Haven't thought
> through the bug scenarios but that could be a security problem in
> itself.

Hm... In which cases does libvirt probe the image format? And is it even
consistent with qemu today?

If you can get libvirt to explicitly pass the wrong format=... option
because it did its own probing, we have a problem no matter what we
change in qemu.

Kevin
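
The difference between the two approaches discussed in this message, as an added example (not part of the original mail and not QEMU or libvirt code): content probing follows bytes a guest can write into a raw image, while an extension lookup depends only on the name, and a name without a usable extension needs an explicit format. The enum, the function names, the return codes and the extension table are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

enum fmt { FMT_UNKNOWN, FMT_RAW, FMT_QCOW2 };

/* Content probing: trusts bytes the guest can write. A qcow2 image
 * starts with the magic "QFI\xfb"; everything else is taken as raw. */
static enum fmt probe_content(const unsigned char *buf, size_t len)
{
    static const unsigned char qcow2_magic[4] = { 'Q', 'F', 'I', 0xfb };
    if (len >= sizeof(qcow2_magic) && memcmp(buf, qcow2_magic, 4) == 0)
        return FMT_QCOW2;
    return FMT_RAW;
}

/* Extension lookup: depends only on the name the host user chose.
 * The extension table is an assumption of this example. */
static enum fmt probe_extension(const char *filename)
{
    const char *dot = strrchr(filename, '.');
    if (!dot)
        return FMT_UNKNOWN;
    if (strcmp(dot, ".qcow2") == 0)
        return FMT_QCOW2;
    if (strcmp(dot, ".raw") == 0 || strcmp(dot, ".img") == 0)
        return FMT_RAW;
    return FMT_UNKNOWN;
}

/* 0: name decides and content agrees; 1: name decides but content
 * probing would have picked something else (worth a warning);
 * 2: no usable extension, caller must pass an explicit format. */
static int check_image(const char *filename, const unsigned char *buf,
                       size_t len, enum fmt *chosen)
{
    *chosen = probe_extension(filename);
    if (*chosen == FMT_UNKNOWN)
        return 2;
    return probe_content(buf, len) == *chosen ? 0 : 1;
}

int main(void)
{
    /* Constructed sample: start of a raw disk after a guest wrote a qcow2 magic. */
    const unsigned char sector[8] = { 'Q', 'F', 'I', 0xfb, 0, 0, 0, 3 };
    enum fmt f;
    printf("disk.raw        -> %d\n", check_image("disk.raw", sector, sizeof(sector), &f));
    printf("nbd://localhost -> %d\n", check_image("nbd://localhost", sector, sizeof(sector), &f));
    return 0;
}
```
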