On a Wednesday in 2020, Eric Blake wrote:
Creating an image that requires format probing of the backing image is inherently unsafe (we've had several CVEs over the years based on probes leaking information to the guest on a subsequent boot). If our probing algorithm ever changes, or if other tools like libvirt determine a different probe result than we do, then subsequent use of that backing file under a different format will present corrupted data to the guest. Start a deprecation clock so that future qemu-img can refuse to create unsafe backing chains that would rely on probing. However, there is one time where probing is safe: if we probe raw, then it is safe to record that implicitly in the image (but we still warn, as it's better to teach the user to supply -F always than to make them guess when it is safe). iotest 114 specifically wants to create an unsafe image for later amendment rather than defaulting to our new default of recording a probed format, so it needs an update. Signed-off-by: Eric Blake <eblake@xxxxxxxxxx> --- qemu-deprecated.texi | 15 +++++++++++++++ block.c | 21 ++++++++++++++++++++- qemu-img.c | 8 +++++++- tests/qemu-iotests/114 | 4 ++-- tests/qemu-iotests/114.out | 1 + 5 files changed, 45 insertions(+), 4 deletions(-)
This seems to affect code paths that are used even outside of qemu-img, should the commit message mention it? Jano
Attachment:
signature.asc
Description: PGP signature
