[PATCH v2 3/3] qemu-img: Deprecate use of -b without -F

Ján Tomko jtomko at redhat.com
Thu Feb 27 09:43:14 UTC 2020


On a Wednesday in 2020, Eric Blake wrote:
>Creating an image that requires format probing of the backing image is
>inherently unsafe (we've had several CVEs over the years based on
>probes leaking information to the guest on a subsequent boot).  If our
>probing algorithm ever changes, or if other tools like libvirt
>determine a different probe result than we do, then subsequent use of
>that backing file under a different format will present corrupted data
>to the guest.  Start a deprecation clock so that future qemu-img can
>refuse to create unsafe backing chains that would rely on probing.
>
>However, there is one time where probing is safe: if we probe raw,
>then it is safe to record that implicitly in the image (but we still
>warn, as it's better to teach the user to supply -F always than to
>make them guess when it is safe).
>
>iotest 114 specifically wants to create an unsafe image for later
>amendment rather than defaulting to our new default of recording a
>probed format, so it needs an update.
>
>Signed-off-by: Eric Blake <eblake at redhat.com>
>---
> qemu-deprecated.texi       | 15 +++++++++++++++
> block.c                    | 21 ++++++++++++++++++++-
> qemu-img.c                 |  8 +++++++-
> tests/qemu-iotests/114     |  4 ++--
> tests/qemu-iotests/114.out |  1 +
> 5 files changed, 45 insertions(+), 4 deletions(-)
>

This seems to affect code paths that are used even outside of qemu-img,
should the commit message mention it?

Jano
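
As an added example (not part of the patch or of this thread): a small audit helper that reads a qcow2 header and reports whether an image with a backing file also records the backing format, which is what -F stores; an image without it depends on probing. The header layout and the extension type 0xE2792ACA are taken from the qcow2 specification, the function names are hypothetical, and the sample headers are constructed.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
EXT_END = 0x00000000
EXT_BACKING_FORMAT = 0xE2792ACA  # qcow2 spec: "backing file format name"


def backing_info(image):
    """Return (backing_file, backing_format) parsed from the start of a qcow2 file.

    backing_format is None when the image records no format for its backing
    file, which is the case where the backing file would have to be probed.
    """
    if image[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version, bf_offset, bf_size = struct.unpack_from(">IQI", image, 4)
    if version < 2:
        raise ValueError("unsupported qcow2 version")
    # v2 headers are 72 bytes; v3 stores header_length at offset 100.
    pos = 72 if version == 2 else struct.unpack_from(">I", image, 100)[0]
    backing = image[bf_offset:bf_offset + bf_size].decode() if bf_offset else None
    end = bf_offset or len(image)  # stop at the backing file name, if any
    fmt = None
    while pos + 8 <= end:
        ext_type, ext_len = struct.unpack_from(">II", image, pos)
        pos += 8
        if ext_type == EXT_END:
            break
        if ext_type == EXT_BACKING_FORMAT:
            fmt = image[pos:pos + ext_len].decode()
        pos += (ext_len + 7) & ~7  # extension data is padded to 8 bytes
    return backing, fmt


def relies_on_probing(image):
    """True when a backing file is named but no backing format is recorded."""
    backing, fmt = backing_info(image)
    return backing is not None and fmt is None


def constructed_header(backing, fmt):
    """Constructed sample: minimal v3 header bytes, not a usable image."""
    ext = b""
    if fmt is not None:
        ext += struct.pack(">II", EXT_BACKING_FORMAT, len(fmt))
        ext += fmt.ljust((len(fmt) + 7) & ~7, b"\0")
    ext += struct.pack(">II", EXT_END, 0)
    bf_offset = 104 + len(ext) if backing else 0
    hdr = QCOW2_MAGIC + struct.pack(">IQI", 3, bf_offset, len(backing))
    return hdr.ljust(100, b"\0") + struct.pack(">I", 104) + ext + backing
```

To audit a real image, pass the first cluster of the file (for example the first 64 KiB read in binary mode) to `relies_on_probing`.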