qemu/block
Kevin Wolf 38f3ef574b raw: Prohibit dangerous writes for probed images
If the user neglects to specify the image format, QEMU probes the
image to guess it automatically, for convenience.

Relying on format probing is insecure for raw images (CVE-2008-2004).
If the guest writes a suitable header to the device, the next probe
will recognize a format chosen by the guest.  A malicious guest can
abuse this to gain access to host files, e.g. by crafting a QCOW2
header with backing file /etc/shadow.

Commit 1e72d3b (April 2008) provided -drive parameter format to let
users disable probing.  Commit f965509 (March 2009) extended QCOW2 to
optionally store the backing file format, to let users disable backing
file probing.  QED has had a flag to suppress probing since the
beginning (2010), set whenever a raw backing file is assigned.

All of these additions that allow to avoid format probing have to be
specified explicitly. The default still allows the attack.

In order to fix this, commit 79368c8 (July 2010) put probed raw images
in a restricted mode, in which they wouldn't be able to overwrite the
first few bytes of the image so that they would identify as a different
image. If a write to the first sector would write one of the signatures
of another driver, qemu would instead zero out the first four bytes.
This patch was later reverted in commit 8b33d9e (September 2010) because
it didn't get the handling of unaligned qiov members right.

Today's block layer that is based on coroutines and has qiov utility
functions makes it much easier to get this functionality right, so this
patch implements it.

The other differences of this patch to the old one are that it doesn't
silently write something different than the guest requested by zeroing
out some bytes (it fails the request instead) and that it doesn't
maintain a list of signatures in the raw driver (it calls the usual
probe function instead).

Note that this change doesn't introduce new breakage for false positive
cases where the guest legitimately writes data into the first sector
that matches the signatures of an image format (e.g. for nested virt):
These cases were broken before, only the failure mode changes from
corruption after the next restart (when the wrong format is probed) to
failing the problematic write request.

Also note that like in the original patch, the restrictions only apply
if the image format has been guessed by probing. Explicitly specifying a
format allows guests to write anything they like.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1416497234-29880-8-git-send-email-kwolf@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-12-10 10:31:13 +01:00
..
accounting.c block: Make the block accounting functions operate on BlockAcctStats 2014-09-10 10:41:29 +02:00
archipelago.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
backup.c block: let backup blockjob run in BDS AioContext 2014-11-03 11:41:49 +00:00
blkdebug.c blkdebug: Simplify and improve filename generation 2014-12-10 10:31:11 +01:00
blkverify.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
block-backend.c block: Add blk_add_close_notifier() for BB 2014-12-10 10:31:12 +01:00
bochs.c block: Use g_new() & friends to avoid multiplying sizes 2014-08-20 11:51:28 +02:00
cloop.c cloop: Handle failure for potentially large allocations 2014-08-15 15:07:15 +02:00
commit.c block: let commit blockjob run in BDS AioContext 2014-11-03 11:41:49 +00:00
curl.c block/curl: Improve type safety of s->timeout. 2014-11-03 11:41:47 +00:00
dmg.c dmg: Handle failure for potentially large allocations 2014-08-15 15:07:15 +02:00
gluster.c block: don't convert file size to sector size 2014-09-12 15:43:06 +02:00
iscsi.c -----BEGIN PGP SIGNATURE----- 2014-11-03 18:34:09 +00:00
linux-aio.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
Makefile.objs qemu-img: Implement commit like QMP 2014-11-03 11:41:48 +00:00
mirror.c block: let mirror blockjob run in BDS AioContext 2014-11-03 11:41:49 +00:00
nbd-client.c nbd: implement .bdrv_detach/attach_aio_context() 2014-06-04 09:56:11 +02:00
nbd-client.h nbd: implement .bdrv_detach/attach_aio_context() 2014-06-04 09:56:11 +02:00
nbd.c nbd: Fix filename generation 2014-10-20 13:41:26 +02:00
nfs.c block: round up file size to nearest sector 2014-09-12 15:43:06 +02:00
null.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
parallels.c block/parallels: fix access to not initialized memory in catalog_bitmap 2014-11-03 09:48:41 +00:00
qapi.c block/qapi: Add cache information to query-block 2014-12-10 10:31:09 +01:00
qcow2-cache.c qcow2: Use g_try_new0() for cache array 2014-08-20 11:51:28 +02:00
qcow2-cluster.c block/qcow2: Simplify shared L2 handling in amend 2014-11-03 11:41:49 +00:00
qcow2-refcount.c block/qcow2: Make get_refcount() global 2014-11-03 11:41:49 +00:00
qcow2-snapshot.c qcow2: Allow "full" discard 2014-11-03 11:41:47 +00:00
qcow2.c block/qcow2: Implement status CB for amend 2014-11-03 11:41:49 +00:00
qcow2.h block/qcow2: Make get_refcount() global 2014-11-03 11:41:49 +00:00
qcow.c block: Eliminate BlockDriverState member device_name[] 2014-10-20 13:41:26 +02:00
qed-check.c block: Use g_new() & friends to avoid multiplying sizes 2014-08-20 11:51:28 +02:00
qed-cluster.c
qed-gencb.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
qed-l2-cache.c
qed-table.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
qed.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
qed.h block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
quorum.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
raw_bsd.c raw: Prohibit dangerous writes for probed images 2014-12-10 10:31:13 +01:00
raw-aio.h block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
raw-posix.c block/raw-posix: Catch fsync() errors 2014-11-18 12:09:00 +01:00
raw-win32.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00
rbd.c rbd: Add support for bdrv_invalidate_cache 2014-11-03 09:48:41 +00:00
sheepdog.c block: Rename BlockDriverAIOCB* to BlockAIOCB* 2014-10-20 13:41:27 +02:00
snapshot.c snapshot: add bdrv_drain_all() to bdrv_snapshot_delete() to avoid concurrency problem 2014-11-03 09:48:42 +00:00
ssh.c ssh: Don't crash if either host or path is not specified. 2014-10-03 10:30:33 +01:00
stream.c block: let stream blockjob run in BDS AioContext 2014-11-03 11:41:49 +00:00
vdi.c block/vdi: Limit maximum size even futher 2014-11-09 23:39:50 +01:00
vhdx-endian.c block: VHDX endian fixes 2014-08-15 15:07:14 +02:00
vhdx-log.c block: Drop some superfluous casts from void * 2014-08-20 11:51:28 +02:00
vhdx.c block: Eliminate BlockDriverState member device_name[] 2014-10-20 13:41:26 +02:00
vhdx.h block: VHDX endian fixes 2014-08-15 15:07:14 +02:00
vmdk.c vmdk: Leave bdi intact if -ENOTSUP in vmdk_get_info 2014-11-14 09:20:45 +00:00
vpc.c block: Eliminate BlockDriverState member device_name[] 2014-10-20 13:41:26 +02:00
vvfat.c block: Eliminate BlockDriverState member device_name[] 2014-10-20 13:41:26 +02:00
win32-aio.c block: Rename BlockDriverCompletionFunc to BlockCompletionFunc 2014-10-20 13:41:27 +02:00