On 11/05/2014 09:39 AM, Markus Armbruster wrote:
>> Hm... In which cases does libvirt probe the image format? And is it even
>> consistent with qemu today?
>
> I had a quick look at the source. Eric, please correct
> misunderstandings.
>
> Enumation type virStorageFileProbeFormat enumerates sup
Kevin Wolf writes:
> Am 04.11.2014 um 16:25 hat Stefan Hajnoczi geschrieben:
>> On Tue, Nov 04, 2014 at 11:11:33AM +0100, Kevin Wolf wrote:
>> > Am 03.11.2014 um 16:05 hat Stefan Hajnoczi geschrieben:
>> > > The argument that there might not be a traditional filename doesn't make
>> > > sense to
On 2014-11-05 at 09:05, Markus Armbruster wrote:
Jeff Cody writes:
On Tue, Nov 04, 2014 at 10:39:36AM +0100, Markus Armbruster wrote:
Kevin Wolf writes:
Am 30.10.2014 um 13:49 hat Markus Armbruster geschrieben:
Kevin Wolf writes:
Am 29.10.2014 um 14:54 hat Markus Armbruster geschrieben
Jeff Cody writes:
> On Tue, Nov 04, 2014 at 10:39:36AM +0100, Markus Armbruster wrote:
>> Kevin Wolf writes:
>>
>> > Am 30.10.2014 um 13:49 hat Markus Armbruster geschrieben:
>> >> Kevin Wolf writes:
>> >>
>> >> > Am 29.10.2014 um 14:54 hat Markus Armbruster geschrieben:
>> >> >> Kevin Wolf
Kevin Wolf writes:
> Am 04.11.2014 um 10:36 hat Markus Armbruster geschrieben:
>> Kevin Wolf writes:
>>
>> > Am 31.10.2014 um 23:45 hat Eric Blake geschrieben:
>> >> On 10/30/2014 06:49 AM, Markus Armbruster wrote:
>> >>
>> >> > You either have to prevent *any* writing of the first 2048 bytes
On Tue, Nov 04, 2014 at 10:39:36AM +0100, Markus Armbruster wrote:
> Kevin Wolf writes:
>
> > Am 30.10.2014 um 13:49 hat Markus Armbruster geschrieben:
> >> Kevin Wolf writes:
> >>
> >> > Am 29.10.2014 um 14:54 hat Markus Armbruster geschrieben:
> >> >> Kevin Wolf writes:
> >> >> > Instead, le
Am 04.11.2014 um 16:25 hat Stefan Hajnoczi geschrieben:
> On Tue, Nov 04, 2014 at 11:11:33AM +0100, Kevin Wolf wrote:
> > Am 03.11.2014 um 16:05 hat Stefan Hajnoczi geschrieben:
> > > The argument that there might not be a traditional filename doesn't make
> > > sense to me. When there is no filen
On Tue, Nov 04, 2014 at 11:11:33AM +0100, Kevin Wolf wrote:
> Am 03.11.2014 um 16:05 hat Stefan Hajnoczi geschrieben:
> > The argument that there might not be a traditional filename doesn't make
> > sense to me. When there is no filename the command-line is already
> > sufficiently complex and usa
Am 04.11.2014 um 10:36 hat Markus Armbruster geschrieben:
> Kevin Wolf writes:
>
> > Am 31.10.2014 um 23:45 hat Eric Blake geschrieben:
> >> On 10/30/2014 06:49 AM, Markus Armbruster wrote:
> >>
> >> > You either have to prevent *any* writing of the first 2048 bytes (the
> >> > part that can be
Am 03.11.2014 um 16:05 hat Stefan Hajnoczi geschrieben:
> On Mon, Nov 03, 2014 at 11:25:10AM +0100, Kevin Wolf wrote:
> > Am 03.11.2014 um 09:54 hat Markus Armbruster geschrieben:
> > > Kevin Wolf writes:
> > >
> > > > Am 31.10.2014 um 12:24 hat Stefan Hajnoczi geschrieben:
> > > >> On Thu, Oct 3
Stefan Hajnoczi writes:
> On Mon, Nov 03, 2014 at 11:25:10AM +0100, Kevin Wolf wrote:
>> Am 03.11.2014 um 09:54 hat Markus Armbruster geschrieben:
>> > Kevin Wolf writes:
>> >
>> > > Am 31.10.2014 um 12:24 hat Stefan Hajnoczi geschrieben:
>> > >> On Thu, Oct 30, 2014 at 10:36:35AM +0100, Kevin
Kevin Wolf writes:
> Am 30.10.2014 um 13:49 hat Markus Armbruster geschrieben:
>> Kevin Wolf writes:
>>
>> > Am 29.10.2014 um 14:54 hat Markus Armbruster geschrieben:
>> >> Kevin Wolf writes:
>> >> > Instead, let me try once more to sell my old proposal [1] from the
>> >> > thread you mentione
Kevin Wolf writes:
> Am 31.10.2014 um 23:45 hat Eric Blake geschrieben:
>> On 10/30/2014 06:49 AM, Markus Armbruster wrote:
>>
>> > You either have to prevent *any* writing of the first 2048 bytes (the
>> > part that can be examined by a bdrv_probe() method, or your have to
>> > prevent writing
Max Reitz writes:
> On 2014-11-03 at 09:54, Markus Armbruster wrote:
>> Kevin Wolf writes:
>>
>>> Am 31.10.2014 um 12:24 hat Stefan Hajnoczi geschrieben:
On Thu, Oct 30, 2014 at 10:36:35AM +0100, Kevin Wolf wrote:
> Am 30.10.2014 um 10:27 hat Stefan Hajnoczi geschrieben:
>> The gues
On 2014-11-03 at 16:05, Stefan Hajnoczi wrote:
On Mon, Nov 03, 2014 at 11:25:10AM +0100, Kevin Wolf wrote:
Am 03.11.2014 um 09:54 hat Markus Armbruster geschrieben:
Kevin Wolf writes:
Am 31.10.2014 um 12:24 hat Stefan Hajnoczi geschrieben:
On Thu, Oct 30, 2014 at 10:36:35AM +0100, Kevin Wol
On Mon, Nov 03, 2014 at 11:25:10AM +0100, Kevin Wolf wrote:
> Am 03.11.2014 um 09:54 hat Markus Armbruster geschrieben:
> > Kevin Wolf writes:
> >
> > > Am 31.10.2014 um 12:24 hat Stefan Hajnoczi geschrieben:
> > >> On Thu, Oct 30, 2014 at 10:36:35AM +0100, Kevin Wolf wrote:
> > >> > Am 30.10.201
Am 31.10.2014 um 23:45 hat Eric Blake geschrieben:
> On 10/30/2014 06:49 AM, Markus Armbruster wrote:
>
> > You either have to prevent *any* writing of the first 2048 bytes (the
> > part that can be examined by a bdrv_probe() method, or your have to
> > prevent writing anything a probe recognizes,
Am 30.10.2014 um 13:49 hat Markus Armbruster geschrieben:
> Kevin Wolf writes:
>
> > Am 29.10.2014 um 14:54 hat Markus Armbruster geschrieben:
> >> Kevin Wolf writes:
> >> > Instead, let me try once more to sell my old proposal [1] from the
> >> > thread you mentioned:
> >> >
> >> >> What if we
Am 03.11.2014 um 09:54 hat Markus Armbruster geschrieben:
> Kevin Wolf writes:
>
> > Am 31.10.2014 um 12:24 hat Stefan Hajnoczi geschrieben:
> >> On Thu, Oct 30, 2014 at 10:36:35AM +0100, Kevin Wolf wrote:
> >> > Am 30.10.2014 um 10:27 hat Stefan Hajnoczi geschrieben:
> >> > > The guest may legit
On 2014-11-03 at 09:54, Markus Armbruster wrote:
Kevin Wolf writes:
Am 31.10.2014 um 12:24 hat Stefan Hajnoczi geschrieben:
On Thu, Oct 30, 2014 at 10:36:35AM +0100, Kevin Wolf wrote:
Am 30.10.2014 um 10:27 hat Stefan Hajnoczi geschrieben:
The guest may legitimately use raw devices that con
Kevin Wolf writes:
> Am 31.10.2014 um 12:24 hat Stefan Hajnoczi geschrieben:
>> On Thu, Oct 30, 2014 at 10:36:35AM +0100, Kevin Wolf wrote:
>> > Am 30.10.2014 um 10:27 hat Stefan Hajnoczi geschrieben:
>> > > The guest may legitimately use raw devices that contain image format
>> > > data. Imagin
On 2014-10-30 at 14:02, Markus Armbruster wrote:
Max Reitz writes:
So I guess it's my turn to give yet another opinion (or just something
in between of what has been already said).
First, I'm fine with this patch, or at least the idea as there were
yet some quirks.
Yes, the patch has (fixabl
"Richard W.M. Jones" writes:
> Can you add something like:
>
> -drive ...,format=unsafe-probe
>
> so it does the probing anyway, even though we know it's unsafe?
>
> This will minimize the churn needed in libguestfs to make this work.
Retaining the insecure old default behavior as an explicit
Eric Blake writes:
> On 10/30/2014 06:49 AM, Markus Armbruster wrote:
>
>> You either have to prevent *any* writing of the first 2048 bytes (the
>> part that can be examined by a bdrv_probe() method, or your have to
>> prevent writing anything a probe recognizes, or the user has to specify
>> the
Jeff Cody writes:
> On Wed, Oct 29, 2014 at 07:37:02AM +0100, Markus Armbruster wrote:
>> Jeff Cody writes:
>>
>> > On Tue, Oct 28, 2014 at 05:03:40PM +0100, Markus Armbruster wrote:
>> >> If the user neglects to specify the image format, QEMU probes the
>> >> image to guess it automatically, f
Jeff Cody writes:
> On Wed, Oct 29, 2014 at 08:22:16AM +0100, Markus Armbruster wrote:
>> Eric Blake writes:
>>
>> > On 10/28/2014 12:29 PM, Jeff Cody wrote:
>> [...]
>> >>> What happens if more than one format tends to pick the same extension?
>> >>> For example, would you consider '.qcow' a t
On 10/30/2014 06:49 AM, Markus Armbruster wrote:
> You either have to prevent *any* writing of the first 2048 bytes (the
> part that can be examined by a bdrv_probe() method, or your have to
> prevent writing anything a probe recognizes, or the user has to specify
> the format explicitly.
>
> If
Kevin Wolf writes:
> Am 29.10.2014 um 14:54 hat Markus Armbruster geschrieben:
>> Kevin Wolf writes:
>> > Instead, let me try once more to sell my old proposal [1] from the
>> > thread you mentioned:
>> >
>> >> What if we let the raw driver know that it was probed and then it
>> >> enables a che
On Wed, Oct 29, 2014 at 07:37:02AM +0100, Markus Armbruster wrote:
> Jeff Cody writes:
>
> > On Tue, Oct 28, 2014 at 05:03:40PM +0100, Markus Armbruster wrote:
> >> If the user neglects to specify the image format, QEMU probes the
> >> image to guess it automatically, for convenience.
> >>
> >>
Stefan Hajnoczi writes:
> On Thu, Oct 30, 2014 at 10:07:26AM +0100, Markus Armbruster wrote:
>> Stefan Hajnoczi writes:
>>
>> > On Wed, Oct 29, 2014 at 02:54:32PM +0100, Markus Armbruster wrote:
>> >> Kevin Wolf writes:
>> >>
>> >> > Am 28.10.2014 um 17:03 hat Markus Armbruster geschrieben:
>
Max Reitz writes:
> So I guess it's my turn to give yet another opinion (or just something
> in between of what has been already said).
>
> First, I'm fine with this patch, or at least the idea as there were
> yet some quirks.
Yes, the patch has (fixable) issues. It's really just a sketch that
On Wed, Oct 29, 2014 at 08:22:16AM +0100, Markus Armbruster wrote:
> Eric Blake writes:
>
> > On 10/28/2014 12:29 PM, Jeff Cody wrote:
> [...]
> >>> What happens if more than one format tends to pick the same extension?
> >>> For example, would you consider '.qcow' a typical extension for qcow2
>
On Thu, Oct 30, 2014 at 10:36:35AM +0100, Kevin Wolf wrote:
> Am 30.10.2014 um 10:27 hat Stefan Hajnoczi geschrieben:
> > The guest may legitimately use raw devices that contain image format
> > data. Imagine tools similar to libguestfs.
> >
> > It's perfectly okay for them to lay out image forma
On Thu, Oct 30, 2014 at 01:49:22PM +0100, Markus Armbruster wrote:
> Kevin Wolf writes:
>
> > Am 29.10.2014 um 14:54 hat Markus Armbruster geschrieben:
> >> Anthony tried something similar (commit 79368c8), but couldn't get it
> >> right (commit 8b33d9e).
> >
> > The discussion back then: http://
Am 31.10.2014 um 12:24 hat Stefan Hajnoczi geschrieben:
> On Thu, Oct 30, 2014 at 10:36:35AM +0100, Kevin Wolf wrote:
> > Am 30.10.2014 um 10:27 hat Stefan Hajnoczi geschrieben:
> > > The guest may legitimately use raw devices that contain image format
> > > data. Imagine tools similar to libguest
Can you add something like:
-drive ...,format=unsafe-probe
so it does the probing anyway, even though we know it's unsafe?
This will minimize the churn needed in libguestfs to make this work.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my prog
Am 30.10.2014 um 10:27 hat Stefan Hajnoczi geschrieben:
> On Thu, Oct 30, 2014 at 10:08:46AM +0100, Max Reitz wrote:
> > Also, I like Kevin's proposal/Anthony's approach a lot more because of its
> > principle. If a guest can overwrite the beginning of the image so it looks
> > like an image format
Am 29.10.2014 um 14:54 hat Markus Armbruster geschrieben:
> Kevin Wolf writes:
> > Instead, let me try once more to sell my old proposal [1] from the
> > thread you mentioned:
> >
> >> What if we let the raw driver know that it was probed and then it
> >> enables a check that returns -EIO for any
On Thu, Oct 30, 2014 at 10:08:46AM +0100, Max Reitz wrote:
> Also, I like Kevin's proposal/Anthony's approach a lot more because of its
> principle. If a guest can overwrite the beginning of the image so it looks
> like an image format, that's the real bug. Afterwards, anyone will recognize
> that
On Thu, Oct 30, 2014 at 10:07:26AM +0100, Markus Armbruster wrote:
> Stefan Hajnoczi writes:
>
> > On Wed, Oct 29, 2014 at 02:54:32PM +0100, Markus Armbruster wrote:
> >> Kevin Wolf writes:
> >>
> >> > Am 28.10.2014 um 17:03 hat Markus Armbruster geschrieben:
> >> > Instead, let me try once mor
On 2014-10-28 at 17:03, Markus Armbruster wrote:
If the user neglects to specify the image format, QEMU probes the
image to guess it automatically, for convenience.
Relying on format probing is insecure for raw images (CVE-2008-2004).
If the guest writes a suitable header to the device, the next
Stefan Hajnoczi writes:
> On Wed, Oct 29, 2014 at 02:54:32PM +0100, Markus Armbruster wrote:
>> Kevin Wolf writes:
>>
>> > Am 28.10.2014 um 17:03 hat Markus Armbruster geschrieben:
>> >> If the user neglects to specify the image format, QEMU probes the
>> >> image to guess it automatically, for
On Wed, Oct 29, 2014 at 02:54:32PM +0100, Markus Armbruster wrote:
> Kevin Wolf writes:
>
> > Am 28.10.2014 um 17:03 hat Markus Armbruster geschrieben:
> >> If the user neglects to specify the image format, QEMU probes the
> >> image to guess it automatically, for convenience.
> >>
> >> Relying
Kevin Wolf writes:
> Am 28.10.2014 um 17:03 hat Markus Armbruster geschrieben:
>> If the user neglects to specify the image format, QEMU probes the
>> image to guess it automatically, for convenience.
>>
>> Relying on format probing is insecure for raw images (CVE-2008-2004).
>> If the guest wri
Am 28.10.2014 um 17:03 hat Markus Armbruster geschrieben:
> If the user neglects to specify the image format, QEMU probes the
> image to guess it automatically, for convenience.
>
> Relying on format probing is insecure for raw images (CVE-2008-2004).
> If the guest writes a suitable header to the
On 2014-10-29 at 08:36, Markus Armbruster wrote:
Jeff Cody writes:
On Tue, Oct 28, 2014 at 12:56:37PM -0600, Eric Blake wrote:
On 10/28/2014 12:29 PM, Jeff Cody wrote:
This patch is RFC because of open questions:
* Should tools warn, too? Probing isn't insecure there, but a "this
may p
Jeff Cody writes:
> On Tue, Oct 28, 2014 at 12:56:37PM -0600, Eric Blake wrote:
>> On 10/28/2014 12:29 PM, Jeff Cody wrote:
>>
>> >>> This patch is RFC because of open questions:
>> >>>
>> >>> * Should tools warn, too? Probing isn't insecure there, but a "this
>> >>> may pick a different form
Eric Blake writes:
> On 10/28/2014 12:29 PM, Jeff Cody wrote:
[...]
>>> What happens if more than one format tends to pick the same extension?
>>> For example, would you consider '.qcow' a typical extension for qcow2
>>> files, even though it would probably match the older qcow driver first?...
>
Eric Blake writes:
> On 10/28/2014 10:03 AM, Markus Armbruster wrote:
>> If the user neglects to specify the image format, QEMU probes the
>> image to guess it automatically, for convenience.
>>
>> Relying on format probing is insecure for raw images (CVE-2008-2004).
>> If the guest writes a sui
Jeff Cody writes:
> On Tue, Oct 28, 2014 at 05:03:40PM +0100, Markus Armbruster wrote:
>> If the user neglects to specify the image format, QEMU probes the
>> image to guess it automatically, for convenience.
>>
>> Relying on format probing is insecure for raw images (CVE-2008-2004).
>> If the g
Fam Zheng writes:
> On Tue, 10/28 17:03, Markus Armbruster wrote:
>> diff --git a/block/vmdk.c b/block/vmdk.c
>> index 673d3f5..91a42d2 100644
>> --- a/block/vmdk.c
>> +++ b/block/vmdk.c
>> @@ -2225,6 +2225,7 @@ static BlockDriver bdrv_vmdk = {
>> .format_name = "vmdk",
>>
On Tue, 10/28 17:03, Markus Armbruster wrote:
> diff --git a/block/vmdk.c b/block/vmdk.c
> index 673d3f5..91a42d2 100644
> --- a/block/vmdk.c
> +++ b/block/vmdk.c
> @@ -2225,6 +2225,7 @@ static BlockDriver bdrv_vmdk = {
> .format_name = "vmdk",
> .instance_size
On Tue, Oct 28, 2014 at 12:56:37PM -0600, Eric Blake wrote:
> On 10/28/2014 12:29 PM, Jeff Cody wrote:
>
> >>> This patch is RFC because of open questions:
> >>>
> >>> * Should tools warn, too? Probing isn't insecure there, but a "this
> >>> may pick a different format in the future" warning ma
On 10/28/2014 12:29 PM, Jeff Cody wrote:
>>> This patch is RFC because of open questions:
>>>
>>> * Should tools warn, too? Probing isn't insecure there, but a "this
>>> may pick a different format in the future" warning may be
>>> appropriate.
>>
>> Yes. For precedent, libvirt can be consid
On Tue, Oct 28, 2014 at 05:03:40PM +0100, Markus Armbruster wrote:
> If the user neglects to specify the image format, QEMU probes the
> image to guess it automatically, for convenience.
>
> Relying on format probing is insecure for raw images (CVE-2008-2004).
> If the guest writes a suitable head
On Tue, Oct 28, 2014 at 11:02:56AM -0600, Eric Blake wrote:
> On 10/28/2014 10:03 AM, Markus Armbruster wrote:
> > If the user neglects to specify the image format, QEMU probes the
> > image to guess it automatically, for convenience.
> >
> > Relying on format probing is insecure for raw images (C
On 10/28/2014 10:03 AM, Markus Armbruster wrote:
> If the user neglects to specify the image format, QEMU probes the
> image to guess it automatically, for convenience.
>
> Relying on format probing is insecure for raw images (CVE-2008-2004).
> If the guest writes a suitable header to the device,
If the user neglects to specify the image format, QEMU probes the
image to guess it automatically, for convenience.
Relying on format probing is insecure for raw images (CVE-2008-2004).
If the guest writes a suitable header to the device, the next probe
will recognize a format chosen by the guest.
58 matches
Mail list logo
