Re: [PATCH 0/3] Tighten qemu-img rules on missing backing format
On Sat, Feb 22, 2020 at 05:23:38 -0600, Eric Blake wrote:
In the past, we have had CVEs caused by qemu probing one image type
when an image started out as another but the guest was able to modify
content. The solution to those CVEs was to encode backing format
information into qcow2, to ensure that once we make a decision, we
don't have to probe any further. However, we failed to enforce this
at the time. And now that libvirt is switching to -blockdev, it has
come back to bite us: with -block, libvirt had no easy way (other than
s/-block/-drive/ ?
json:{} pseudoprotocol) to force a backing file, but with -blockdev,
"json:{}" is basically -blockdev with extra steps. Old -drive usage
didn't have any way to do that apart from rewriting the image. Which is
basically the same since json:{} also needs to be recorded in the image
to take effect.
libvirt HAS to use blockdev-open on the backing chain and supply a
backing format there, and thus has to probe images. If libvirt ever
probes differently than qemu, we are back to the potential
guest-visible data corruption or potential host CVEs.
As I've elaborated in [1] I disagree with the host CVE part. The
insecure part is not probing the format itself, but probing format AND
using the backing file of the image if we probed format.
I agree that mis-probing format leads to data corruption though.
It's time to deprecate images without backing formats. This
patch
series does two things: 1. record an implicit backing format where one
is learned (although sadly, not all qemu-img commands are able to
learn a format), 2. warn to the user any time a probe had ambiguous
results or a backing format is omitted from an image. All previous
images without a backing format are still usable, but hopefully the
warnings (along with libvirt's complaints about images without a
backing format) help us pinpoint remaining applications that are
It is not a warning in libvirt though. We just refuse it now because we
don't do probing. Previously we allowed qemu to probe the format and the
only thing that prevented host CVEs was if the host used selinux or any
other security approach which would prevent opening the backing file.
creating images on their own without recording a backing format.