On Thu, Feb 11, 2021 at 03:26:56PM +0100, Philippe Mathieu-Daudé wrote:
> The null-co driver is meant for (performance) testing.
> By default, read operation does nothing, the provided buffer
> is not filled with zero values and its content is unchanged.
>
> This performance 'feature' becomes an issue from a security
> perspective. For example, using the default null-co driver,
> buf[] is uninitialized, the blk_pread() call succeeds and we
> then access uninitialized memory:
>
> static int guess_disk_lchs(BlockBackend *blk,
>                            int *pcylinders, int *pheads,
>                            int *psectors)
> {
>     uint8_t buf[BDRV_SECTOR_SIZE];
>     ...
>
>     if (blk_pread(blk, 0, buf, BDRV_SECTOR_SIZE) < 0) {
>         return -1;
>     }
>     /* test msdos magic */
>     if (buf[510] != 0x55 || buf[511] != 0xaa) {
>         return -1;
>     }
>
> We could audit all the uninitialized buffers and the
> bdrv_co_preadv() handlers, but it is simpler to change the
> default of this testing driver. Performance tests will have
> to adapt and use 'null-co,read-zeroes=off'.
>
> Suggested-by: Max Reitz <[email protected]>
> Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
> ---
> block/null.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Stefan Hajnoczi <[email protected]>
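An added illustration of the failure mode the commit message describes; it is not QEMU code and not part of the patch. The backend, its read_zeroes flag and all function names below are stand-ins chosen for this example. Because reading a genuinely uninitialised stack buffer is undefined behaviour and non-deterministic, the "uninitialised" buffer is simulated by pre-filling it with stale bytes that happen to carry the MSDOS signature, which is exactly the stale-stack situation that makes the guess_disk_lchs() check misfire. The three scenarios show the old default (read returns success, buffer untouched, bogus match), the new read-zeroes default (buffer cleared, no match), and the caller-side alternative of zeroing the buffer before the read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512

/*
 * Toy block backend (assumption: this is not QEMU's BlockBackend).
 * Only the read path matters; read_zeroes mirrors null-co's
 * read-zeroes option.
 */
typedef struct {
    int read_zeroes;
} ToyBackend;

/*
 * Toy pread. Like the old null-co default described in the patch, it
 * reports success without touching buf unless read_zeroes is set.
 */
static int toy_pread(const ToyBackend *blk, int64_t offset, void *buf, int bytes)
{
    (void)offset;
    if (blk->read_zeroes) {
        memset(buf, 0, bytes);
    }
    return 0;
}

/*
 * Stand-in for the guess_disk_lchs() check: 1 if sector 0 carries the
 * MSDOS boot signature, 0 if it does not, -1 on read error.
 */
static int has_msdos_magic(const ToyBackend *blk, uint8_t *buf)
{
    if (toy_pread(blk, 0, buf, SECTOR_SIZE) < 0) {
        return -1;
    }
    /* test msdos magic */
    return buf[510] == 0x55 && buf[511] == 0xaa;
}

/*
 * Deterministic substitute for an uninitialised stack buffer: pretend a
 * previous user of this stack region left a valid signature behind.
 */
static void fill_stale(uint8_t *buf)
{
    memset(buf, 0xee, SECTOR_SIZE);
    buf[510] = 0x55;
    buf[511] = 0xaa;
}

/* Old default (read-zeroes=off), stale buffer: the check "finds" an MBR. */
int stale_buf_read_zeroes_off(void)
{
    ToyBackend blk = { .read_zeroes = 0 };
    uint8_t buf[SECTOR_SIZE];
    fill_stale(buf);
    return has_msdos_magic(&blk, buf);
}

/* New default (read-zeroes=on): the driver wipes the stale signature. */
int stale_buf_read_zeroes_on(void)
{
    ToyBackend blk = { .read_zeroes = 1 };
    uint8_t buf[SECTOR_SIZE];
    fill_stale(buf);
    return has_msdos_magic(&blk, buf);
}

/* Caller-side hardening that is correct with either driver setting. */
int stale_buf_caller_zeroes(void)
{
    ToyBackend blk = { .read_zeroes = 0 };
    uint8_t buf[SECTOR_SIZE];
    fill_stale(buf);
    memset(buf, 0, sizeof(buf)); /* initialise before handing buf to the driver */
    return has_msdos_magic(&blk, buf);
}

int main(void)
{
    printf("read-zeroes=off, stale buffer : msdos magic = %d\n",
           stale_buf_read_zeroes_off());
    printf("read-zeroes=on,  stale buffer : msdos magic = %d\n",
           stale_buf_read_zeroes_on());
    printf("read-zeroes=off, caller zeroes: msdos magic = %d\n",
           stale_buf_caller_zeroes());
    return 0;
}
```

The first scenario is the one the patch closes off by default: a successful return from the read is taken as "buf now holds sector 0", so whatever was on the stack decides the outcome. Changing the driver default fixes every such caller at once; the third scenario is what each caller would otherwise have to do on its own, which is the audit the commit message chooses to avoid.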
