Re: [pve-devel] [PATCH qemu-server v6 1/6] disk import: add additional safeguards for imported image files

Mon, 18 Nov 2024 06:28:03 -0800 

Am 15.11.24 um 16:17 schrieb Dominik Csapak:
> From: Fabian Grünbichler <f.gruenbich...@proxmox.com>
> 
> creating non-raw disk images with arbitrary content is only possible with raw
> access to the storage, but checking for references to external files doesn't
> hurt, in case for non pve-managed volumes.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
>  [ DC: removed prolematic checks for pve-managed volumes ]

typo: s/prolematic/problematic/

> Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>

Other than the nit below:

Reviewed-by: Fiona Ebner <f.eb...@proxmox.com>

> ---
>  PVE/API2/Qemu.pm | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 1c3cb271..b9c63af8 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -413,12 +413,15 @@ my sub create_disks : prototype($$$$$$$$$$) {
>  
>               $needs_creation = $live_import;
>  
> -             if (PVE::Storage::parse_volume_id($source, 1)) { # PVE-managed 
> volume
> +             my ($source_storage, $source_volid) = 
> PVE::Storage::parse_volume_id($source, 1);
> +
> +             if ($source_storage) { # PVE-managed volume
>                   if ($live_import && $ds ne 'efidisk0') {
>                       my $path = PVE::Storage::path($storecfg, $source)
>                           or die "failed to get a path for '$source'\n";
>                       $source = $path;
>                       ($size, my $source_format) = 
> PVE::Storage::file_size_info($source);
> +
>                       die "could not get file size of $source\n" if !$size;
>                       $live_import_mapping->{$ds} = {
>                           path => $source,

Nit: this hunk doesn't do anything now and could be squashed into the
other patch

> @@ -442,7 +445,8 @@ my sub create_disks : prototype($$$$$$$$$$) {
>                   }
>               } else {
>                   $source = PVE::Storage::abs_filesystem_path($storecfg, 
> $source, 1);
> -                 ($size, my $source_format) = 
> PVE::Storage::file_size_info($source);
> +                 # check potentially untrusted image file!
> +                 ($size, my $source_format) = 
> PVE::Storage::file_size_info($source, undef, 1);
>                   die "could not get file size of $source\n" if !$size;
>  
>                   if ($live_import && $ds ne 'efidisk0') {



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to