[adding libvirt-security]
On 05/29/2015 05:29 AM, John Ferlan wrote:
On 05/26/2015 09:01 AM, Michal Privoznik wrote:
> When playing with disk migration lately, I've noticed this warning in
> domain logs:
>
> WARNING: Image format was not specified for 'nbd://masina:49153/drive-virtio-disk0' and probing guessed raw.
> Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
> Specify the 'raw' format explicitly to remove the restrictions.
Ouch. On first reading this, I was worried that we had a repeat of qemu
CVE-2008-2004 or libvirt CVE-2010-2239 on our hands, where undesired
probing can cause a guest to behave incorrectly.
However, I _think_ that in this case we are safe. The probe in this
instance is to a just-created NBD volume (that is, libvirt created it,
not the end user) and it is completely blank (we have not yet mirrored
into it) so it will always probe as raw (the probe cannot guess wrong
unless there is data in sector 0 that resembles some other disk type).
So, I think that we have dodged needing a CVE.
>
> So I started digging into qemu source code to see what has triggered
> the warning. I'd expect qemu to know formats of guest's disks since we
> tell them on command line. This led me to qmp_drive_mirror() where
> the following can be found:
>
>     if (!has_format) {
>         format = mode == NEW_IMAGE_MODE_EXISTING ? NULL : bs->drv->format_name;
>     }
That's correct for local file mirroring. But for NBD mirroring, I think
we want to force "raw" and NOT reuse the source formatting, even when
the destination file will be qcow2. Remember, the whole point of
setting up an NBD mirror is that the local file on the destination side
is created as the same format as the source (let's assume qcow2), then
NBD is started to serve up the guest-visible contents of that file as
raw. We want to mirror the guest-visible contents from the source to
the destination using ONLY raw data (and the NBD server on the
destination is then mapping that raw data back into the qcow2 format on
the destination file).
>
> So, format is automatically initialized from the disk iff mode !=
> "existing". Unfortunately, in migration we are tied to use this mode
> (NBD doesn't support creating new images). Therefore the only way to
> avoid this warning is to pass format. The format that libvirt thinks
> should be in sync with qemu anyway.
>
> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
> ---
> src/qemu/qemu_migration.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
NACK to this change; instead, qemu_migration.c should pass "raw" instead
of NULL.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
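
Added example, not part of the original message and not qemu or libvirt code: a minimal C model of the probing behaviour discussed in the thread, showing that a blank volume probes as raw, that data in sector 0 resembling another format changes the guess, and that an explicit "raw" bypasses the probe. All function names are hypothetical, and the probe checks only the four-byte qcow magic.

```c
/* Added illustration; not qemu or libvirt code. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512

/* First four bytes of a qcow/qcow2 header ('Q' 'F' 'I' 0xfb).
 * Simplification: the version field that follows is not checked. */
static const uint8_t QCOW_MAGIC[4] = { 'Q', 'F', 'I', 0xfb };

/* Content probe: decide from sector 0 alone; no known header means "raw". */
const char *probe_format(const uint8_t *sector0, size_t len)
{
    if (len >= sizeof(QCOW_MAGIC) &&
        memcmp(sector0, QCOW_MAGIC, sizeof(QCOW_MAGIC)) == 0)
        return "qcow2";
    return "raw";
}

/* An explicit format always wins; probing runs only when it is NULL. */
const char *resolve_format(const char *explicit_format,
                           const uint8_t *sector0, size_t len)
{
    return explicit_format ? explicit_format : probe_format(sector0, len);
}

/* Constructed input: a blank, just-created volume (all zeroes). */
const char *demo_blank(const char *explicit_format)
{
    uint8_t sector0[SECTOR_SIZE] = { 0 };
    return resolve_format(explicit_format, sector0, sizeof(sector0));
}

/* Constructed input: raw volume whose sector 0 begins with the qcow magic. */
const char *demo_magic_in_sector0(const char *explicit_format)
{
    uint8_t sector0[SECTOR_SIZE] = { 0 };
    memcpy(sector0, QCOW_MAGIC, sizeof(QCOW_MAGIC));
    return resolve_format(explicit_format, sector0, sizeof(sector0));
}

int main(void)
{
    printf("blank, probed:          %s\n", demo_blank(NULL));
    printf("magic, probed:          %s\n", demo_magic_in_sector0(NULL));
    printf("magic, explicit \"raw\":  %s\n", demo_magic_in_sector0("raw"));
    return 0;
}
```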