[PATCH v3 4/4] qemu-img: Deprecate use of -b without -F

Eric Blake eblake at redhat.com
Fri Mar 13 18:20:53 UTC 2020


On 3/9/20 10:31 AM, Kashyap Chamarthy wrote:
> On Fri, Mar 06, 2020 at 04:51:21PM -0600, Eric Blake wrote:
>> Creating an image that requires format probing of the backing image is
>> inherently unsafe (we've had several CVEs over the years based on

>>
>> +qemu-img backing file without format (since 5.0.0)
>> +''''''''''''''''''''''''''''''''''''''''''''''''''
>> +
>> +The use of ``qemu-img create``, ``qemu-img rebase``, ``qemu-img
>> +convert``, or ``qemu-img amend`` to create or modify an image that
>> +depends on a backing file now recommends that an explicit backing
>> +format be provided.  This is for safety: if qemu probes a different
>> +format than what you thought, the data presented to the guest will be
>> +corrupt; similarly, presenting a raw image to a guest allows a
>> +potential security exploit if a future probe sees a non-raw image
>> +based on guest writes.  To avoid the warning message, or even future
>> +refusal to create an unsafe image, you must pass ``-o backing_fmt=``
>> +(or the shorthand ``-F`` during create) to specify the intended
>> +backing format.  You may use ``qemu-img rebase -u`` to retroactively
>> +add a backing format to an existing image.  However, be aware that
>> +there are already potential security risks to blindly using ``qemu-img
>> +info`` to probe the format of an untrusted backing image, when
>> +deciding what format to add into an existing image.
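Review bot: The closing sentence of the added paragraph ("However, be aware that there are already potential security risks to blindly using ``qemu-img info`` ...") warns against probing an untrusted backing image but gives the reader no safe way to pick the value for ``-o backing_fmt=``. Suggest saying that the format should come from knowledge of how the backing image was created, not from a probe. Two smaller documentation points in the same paragraph: "To avoid the warning message" refers to a warning the text never introduces, so state which commands print it and under what condition; and the parenthetical ties the ``-F`` shorthand to create only, while the next sentence recommends ``qemu-img rebase -u`` without showing how the backing format is passed there.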
> 
> Nit: s/qemu/QEMU/g/
> 
> Ultra Nit: should this paragraph be broken down into two?  Experience
> tells people usually feel deterred from reading "substantial paragraphs" :-)

Shoot, I missed incorporating this comment during my v4 posting. It's 
now changed in my local tree, but I'll hold off on a v5 unless other 
review warrants it.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



