On 03/24/2015 02:37 AM, Paolo Bonzini wrote:
>> The option sets bdrv_image_probing_disabled in a straightforward manner,
>> and bdrv_image_probing_disabled guards the probing code in an equally
>> straightforward manner.
>
> But what about migration from newer to older QEMU? Libvirt even
> supports QEMU versions where the only way to specify disks is "-hda
> XYZ", so it is _impossible_ to honor the format=raw specifier.

No one migrates from new qemu with this option back to a qemu version
that old. Libvirt continues to drive old qemu, but driving old qemu is
different than migrating to old qemu. And this feature is
introspectible, so libvirt knows when to use it and when to avoid it.
Furthermore, libvirt already has a knob in /etc/libvirt/qemu.conf to
enable probing - if this command line option ever gets in the way, a
one-line change to that conf file will tell libvirt to quit using it.

> Also, libvirt can start qemu-nbd and doesn't force format=raw in that
> case. So the protection is far from complete.

Sounds like we have a bug to fix in libvirt.

> This reinforces my
> opinion that the false sense of safety provided by this patch is worse
> than the "insurance" against future CVEs (also, have there been any
> actual libvirt CVEs about this after 2010? near misses don't count IMHO).

CVE-2011-2178 (http://security.libvirt.org/2011/0003.html). And more
recently, I argued that http://security.libvirt.org/2014/0006.html
should have been a CVE; it was no near miss (in the wild for several
months), and the only reason I did not win my case for making it a CVE
was because of the qemu.conf default setting.

-- 
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
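The thread argues about whether probing a guest disk's format is worth guarding against, without spelling out what goes wrong when the format is not pinned. The following is an added example, not code from this thread, from qemu or from libvirt: it models the hazard in a few dozen lines of Python. A guest that owns a disk that the host treats as raw can write a qcow2 header (layout per the qcow2 spec: magic "QFI\xfb", version, backing-file offset and size, and so on) into the first sectors of its own disk. If the host later opens that disk with format probing enabled, the probe sees qcow2 and honors the embedded backing-file name, which is guest-controlled; if the host declares format=raw, the header is just guest data. The probe function below is a deliberately simplified stand-in for qemu's real block-driver probing, and the backing-file path `/etc/shadow` and the disk contents are constructed for the demonstration. The same check applies to any other path by which the host opens the image without a declared format, such as the qemu-nbd case mentioned above.

```python
import struct
from typing import Optional

# Magic bytes at the start of every qcow2 image (from the qcow2 spec).
QCOW2_MAGIC = b"QFI\xfb"
# Size of the version-2 qcow2 header; the backing-file name is placed
# immediately after it in this example.
QCOW2_V2_HEADER_LEN = 72


def build_qcow2_header(backing_file: bytes, virtual_size: int = 64 * 1024 * 1024) -> bytes:
    """Return a minimal qcow2 v2 header followed by a backing-file name.

    Field order follows the qcow2 spec: magic, version, backing_file_offset,
    backing_file_size, cluster_bits, size, crypt_method, l1_size,
    l1_table_offset, refcount_table_offset, refcount_table_clusters,
    nb_snapshots, snapshots_offset. Only the fields a probe looks at are
    meaningful here; the rest are zero.
    """
    header = struct.pack(
        ">4sIQIIQIIQQIIQ",
        QCOW2_MAGIC,
        2,                       # version
        QCOW2_V2_HEADER_LEN,     # backing_file_offset: right after the header
        len(backing_file),       # backing_file_size
        16,                      # cluster_bits (64 KiB clusters)
        virtual_size,
        0, 0, 0, 0, 0, 0, 0,
    )
    return header + backing_file


def guest_poisons_raw_disk(raw_image: bytearray, backing_file: bytes) -> None:
    """What a malicious guest can do to a disk the host believes is raw:
    overwrite its first bytes with a qcow2 header naming a host path."""
    hdr = build_qcow2_header(backing_file)
    raw_image[: len(hdr)] = hdr


def probe_format(image: bytes) -> str:
    """Simplified model of format probing (assumption, not qemu's code):
    a qcow2 magic plus version >= 2 wins over the raw fallback."""
    if len(image) >= 8 and image[:4] == QCOW2_MAGIC:
        (version,) = struct.unpack(">I", image[4:8])
        if version >= 2:
            return "qcow2"
    return "raw"


def parse_backing_file(image: bytes) -> Optional[bytes]:
    """Extract the backing-file name from a qcow2 header, if one is set."""
    if len(image) < QCOW2_V2_HEADER_LEN:
        return None
    offset, size = struct.unpack(">QI", image[8:20])
    if size == 0 or offset + size > len(image):
        return None
    return bytes(image[offset : offset + size])


def open_disk(image: bytes, declared_format: Optional[str] = None) -> dict:
    """Model of the host opening a guest disk.

    With declared_format=None the format is probed from guest-writable
    bytes; with declared_format="raw" (the format=raw the thread wants
    libvirt to always pass) the contents are never interpreted as a header.
    """
    fmt = declared_format if declared_format is not None else probe_format(image)
    backing = parse_backing_file(image) if fmt == "qcow2" else None
    return {"format": fmt, "backing_file": backing}


def demo() -> dict:
    # Constructed sample: a small, initially empty raw disk.
    disk = bytearray(4096)
    before = open_disk(disk)                 # probed: raw, no backing file
    guest_poisons_raw_disk(disk, b"/etc/shadow")   # constructed path
    probed = open_disk(disk)                 # probed: now "qcow2" with host path
    pinned = open_disk(disk, "raw")          # format=raw: header is just data
    return {"before": before, "probed": probed, "pinned": pinned}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it and the "probed" line reports format qcow2 with backing file /etc/shadow, while the "pinned" line stays raw; that difference is the whole reason the thread wants libvirt to pass format=raw everywhere it launches a process that opens guest disks.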