On 3/9/20 10:31 AM, Kashyap Chamarthy wrote:
On Fri, Mar 06, 2020 at 04:51:21PM -0600, Eric Blake wrote:
Creating an image that requires format probing of the backing image is
inherently unsafe (we've had several CVEs over the years based on
+qemu-img backing file without format (since 5.0.0)
+''''''''''''''''''''''''''''''''''''''''''''''''''
+
+The use of ``qemu-img create``, ``qemu-img rebase``, ``qemu-img
+convert``, or ``qemu-img amend`` to create or modify an image that
+depends on a backing file now recommends that an explicit backing
+format be provided. This is for safety: if qemu probes a different
+format than what you thought, the data presented to the guest will be
+corrupt; similarly, presenting a raw image to a guest allows a
+potential security exploit if a future probe sees a non-raw image
+based on guest writes. To avoid the warning message, or even future
+refusal to create an unsafe image, you must pass ``-o backing_fmt=``
+(or the shorthand ``-F`` during create) to specify the intended
+backing format. You may use ``qemu-img rebase -u`` to retroactively
+add a backing format to an existing image. However, be aware that
+there are already potential security risks to blindly using ``qemu-img
+info`` to probe the format of an untrusted backing image, when
+deciding what format to add into an existing image.
Nit: s/qemu/QEMU/g/
Ultra Nit: should this paragraph be broken down into two? Experience
tells people usually feel deterred read "substantial paragraphs" :-)
Shoot, I missed incorporating this comment during my v4 posting. It's
now changed in my local tree, but I'll hold off on a v5 unless other
review warrants it.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org