On Fri, Oct 12, 2018 at 02:27:26PM +0200, Michal Privoznik wrote:
> On 10/12/2018 02:17 PM, Daniel P. Berrangé wrote:
> > On Fri, Oct 12, 2018 at 01:14:51PM +0200, Michal Privoznik wrote:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1632833
> >>
> >> When doing a SCSI passthrough we don't put format= onto the
> >> command line. This causes qemu to probe the format automatically
> >> which ends up in a warning in the domain log and possible qemu
> >> disabling writes to the first block (according to the warning
> >> message).
> >
> > If the warning message is correct, this should have been reported
> > as a security bug to libvirt and given a CVE.
>
> Why is that? If the message is correct, qemu would prevent from writing
> to the first block. No harm there.

Only QEMU >= 2.3.0 has that protection, so this is not something we can
rely on to avoid calling it a CVE. It just means distros with QEMU >= 2.3.0
would not be affected by the CVE.

> > On the other hand if the warning from QEMU isn't correct, then
> > QEMU shouldn't have printed the warning about it being dangerous.
>
> In my testing I was able to write to the first block. Therefore, IMO
> qemu is throwing incorrect warning message.
>
> >
> > So something is missing here either way.
>
> Sure, but that doesn't invalidate my patch, does it?

Only the commit message - if this is a security flaw, we must be more
explicit about it in the commit.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
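An added example, not part of the original thread and not libvirt or QEMU code: a small audit that lists the `-drive` arguments on a QEMU command line that carry no `format=` and therefore leave the image format to QEMU's probing, the condition the quoted commit message describes. The command line in `SAMPLE` is constructed for illustration, and the function names are hypothetical.

```python
import shlex

def parse_drive_opts(optstr):
    """Split a QEMU option string into a dict; ',,' is an escaped comma."""
    parts, cur, i = [], "", 0
    while i < len(optstr):
        if optstr[i] == ",":
            if optstr[i + 1:i + 2] == ",":   # escaped literal comma in a value
                cur += ","
                i += 2
                continue
            parts.append(cur)
            cur = ""
        else:
            cur += optstr[i]
        i += 1
    parts.append(cur)
    opts = {}
    for p in parts:
        key, sep, val = p.partition("=")
        if key:
            opts[key] = val if sep else "on"
    return opts

def drives_without_format(cmdline):
    """Return the file= of every -drive that leaves the format to probing."""
    argv = shlex.split(cmdline)
    flagged = []
    for flag, value in zip(argv, argv[1:]):
        if flag != "-drive":
            continue
        opts = parse_drive_opts(value)
        # A drive with no file= (empty CD-ROM tray) has nothing to probe.
        if "file" in opts and "format" not in opts:
            flagged.append(opts["file"])
    return flagged

# Constructed sample command line (not taken from the bug report).
SAMPLE = (
    "qemu-system-x86_64 -name guest1 "
    "-drive file=/var/lib/libvirt/images/a.qcow2,format=qcow2,if=none,id=drive-virtio-disk0 "
    "-drive file=/dev/sg3,if=none,id=drive-hostdev0 "
    "-device scsi-generic,bus=scsi0.0,drive=drive-hostdev0,id=hostdev0 "
    "-drive 'file=/srv/img/odd,,name.img,if=none,id=drive-ide0' "
    "-drive if=none,id=drive-cdrom0,readonly=on"
)

if __name__ == "__main__":
    for path in drives_without_format(SAMPLE):
        print("format not specified, QEMU will probe:", path)
```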