On Thu, Aug 14, 2014 at 10:42:27AM -0400, Levente Kurusa wrote: > On Tuesday, 12 August, 2014 3:35:42 PM, Jeff Cody wrote: > > On Tue, Aug 12, 2014 at 02:20:34PM +0100, Stefan Hajnoczi wrote: > > > On Fri, Aug 01, 2014 at 03:39:58PM +0200, Levente Kurusa wrote: > > > > Fixed size VPC images do not have a footer, hence the current probe > > > > function will fail and QEMU will fall back to the raw_bsd driver, which > > > > is > > > > not the correct behaviour. The specification of the format says that > > > > fixed > > > > size images have a footer as the last 512 bytes of the file. The footer > > > > is > > > > exactly the same as the header would be in the case of dynamically > > > > growing > > > > images. > > > > > > > > For this, we need to read the last 512 bytes of the image, however the > > > > current mechanics predominantly read the first 2048 bytes and pass that > > > > as a buffer to the probe functions. Solve this by passing the > > > > BlockDriverState to the probe functions, hence giving them a chance to > > > > read > > > > the extra bytes they might need. > > > > > > I hesitate to add patches that extend image format probing. For the > > > past few years we have always recommended that image files should not be > > > probed. > > > > > > Image probing is prone to security issues because a malicious guest can > > > modify a raw or vpc image by putting another image format header at > > > sector 0. The next time QEMU opens the image it will detect a different > > > format. One evil trick is to refer to a file on the host file system as > > > the backing file, now you can read any file that the QEMU process has > > > access to. > > Yea, good point. The current state of probing is actually quite bad, > just take a look at dmg_probe in block/dmg.c :-( > > > > > > > Probing also complicates live migration. The source host still has the > > > image file open and may write to it. The destination host shouldn't > > > even read from the image file before handover to avoid file cache > > > coherency issues. > > > > > > Probing is broken. It shouldn't be used. We shouldn't extend it > > > (especially by adding more I/Os). > > Even though, my series would have only added one extra I/O in the case > of failing VPC images, I have to admit you are right. > > > > > For 2.2, maybe we should limit probing to only certain operations (e.g. > > qemu-img info) - or perhaps just remove the capability altogether, or > > at least start phasing it out with a warning message that automatic > > format detection is deprecated and may be unsafe. > > > > Considering the fact that most open functions already check the magic > numbers, and they do a lot better/safer job at it, we could just swap > the probe functions with the open ones and just insert an fprintf > when format is not specified doing what Jeff suggested. > > Any objections to this? > > (This would also solve the VPC-fixed-size bug, since vpc_open already > checks the footer if the header is not found) >
I was proposing actually going a bit further than this, and not allowing automatic format detection at all, with an exception for 'qemu-img info'. In the interim, until that is in place and it is removed, warn with a deprecation message. Using the open function, while a bit more robust, still doesn't prevent a raw image from masquerading as a file format - particularly from a malevolent guest, as Stefan pointed out. It just means the malicious guest has to put forth minor effort in getting the metadata correct. I'm not sure it is worth the effort to overhaul the probe system this way, rather than just warn about deprecation, and eventually remote it altogether.