On Thu, Mar 12, 2020 at 02:28:22PM -0500, Eric Blake wrote:
> Creating an image that requires format probing of the backing image is
> inherently unsafe (we've had several CVEs over the years based on
> probes leaking information to the guest on a subsequent boot, although
> these days tools like libvirt are aware of the issue enough to prevent
> the worst effects).  However, if our probing algorithm ever changes,
> or if other tools like libvirt determine a different probe result than
> we do, then subsequent use of that backing file under a different
> format will present corrupted data to the guest.  Start a deprecation
> clock so that future qemu-img can refuse to create unsafe backing
> chains that would rely on probing.  The warnings are intentionally
> emitted from the block layer rather than qemu-img (thus, all paths
> into image creation or rewriting perform the check).
>
> However, there is one time where probing is safe: if we probe raw,
> then it is safe to record that implicitly in the image (but we still
> warn, as it's better to teach the user to supply -F always than to
> make them guess when it is safe).
>
> iotest 114 specifically wants to create an unsafe image for later
> amendment rather than defaulting to our new default of recording a
> probed format, so it needs an update.  While touching it, expand it to
> cover all of the various warnings enabled by this patch.  iotest 290
> also shows a change to qcow messages; note that the fact that we now
> make a probed format of 'raw' explicit now results in a double
> warning, but no one should be creating new qcow images so it is not
> worth cleaning up.
>
> Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
> ---
>  docs/system/deprecated.rst | 19 +++++++++++++++++++
>  block.c                    | 21 ++++++++++++++++++++-
>  qemu-img.c                 |  2 +-
>  tests/qemu-iotests/114     | 11 +++++++++++
>  tests/qemu-iotests/114.out |  8 ++++++++
>  tests/qemu-iotests/290.out |  5 ++++-
>  6 files changed, 63 insertions(+), 3 deletions(-)

[A quick question ... while I'm still testing]

I just applied your v4, and I'm here:

    $> git describe
    v4.2.0-2399-g3cba0d19f2

Expected warning on 'create' with no -F:

    $> ~/build/v4_tightened_qemu-img-QEMU/qemu-img create -f qcow2 -b ./base.raw ./overlay1.qcow2
    qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of raw)
    Formatting './overlay1.qcow2', fmt=qcow2 size=4294967296 backing_file=./base.raw backing_fmt=raw cluster_size=65536 lazy_refcounts=off refcount_bits=16

But here, is the lack of warning with 'convert' expected?

    $> ~/build/v4_tightened_qemu-img-QEMU/qemu-img convert -B ./base.raw -O qcow2 overlay1.qcow2 flattened.qcow2

In your response on the v3, you said the above should throw a warning;
refer to Message-ID: <2fd580c2-4b94-4430-1072-ef04bbd2da60@xxxxxxxxxx>

For completeness' sake:

    $> ~/build/v4_tightened_qemu-img-QEMU/qemu-img info --backing-chain flattened.qcow2
    image: flattened.qcow2
    file format: qcow2
    virtual size: 4 GiB (4294967296 bytes)
    disk size: 196 KiB
    cluster_size: 65536
    backing file: ./base.raw
    Format specific information:
        compat: 1.1
        lazy refcounts: false
        refcount bits: 16
        corrupt: false

    image: ./base.raw
    file format: raw
    virtual size: 4 GiB (4294967296 bytes)
    disk size: 778 MiB

[...]

-- 
/kashyap
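An added example, not part of the thread or of QEMU's own code: a small auditor that reads a qcow2 header and reports whether the image names a backing file without recording a backing format, which is the condition the deprecation warning above is about. The function names and the `sample_header` builder are hypothetical, the sample headers are constructed (not usable images), and the header offsets and the extension type 0xE2792ACA follow the published qcow2 format description.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
EXT_BACKING_FORMAT = 0xE2792ACA  # "backing file format name" header extension

def backing_info(buf: bytes):
    """Return (backing_file, backing_format) from the first cluster of a qcow2 image."""
    if len(buf) < 72 or buf[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version, bf_off, bf_len = struct.unpack_from(">IQI", buf, 4)
    if version == 2:
        hdr_len = 72
    elif version == 3 and len(buf) >= 104:
        hdr_len = struct.unpack_from(">I", buf, 100)[0]
    else:
        raise ValueError("unsupported or truncated header")
    if bf_off + bf_len > len(buf):
        raise ValueError("backing file name outside supplied data")
    backing = buf[bf_off:bf_off + bf_len].decode() if bf_off else None
    # Extensions sit between the header and the backing file name (or cluster end).
    fmt, pos, limit = None, hdr_len, bf_off or len(buf)
    while pos + 8 <= limit:
        etype, elen = struct.unpack_from(">II", buf, pos)
        if etype == 0:  # end-of-extensions marker
            break
        if pos + 8 + elen > limit:
            raise ValueError("header extension overruns extension area")
        if etype == EXT_BACKING_FORMAT:
            fmt = buf[pos + 8:pos + 8 + elen].decode()
        pos += 8 + ((elen + 7) & ~7)  # extension data is padded to 8 bytes
    return backing, fmt

def relies_on_probing(buf: bytes) -> bool:
    """True when a backing file is named but no backing format is recorded."""
    backing, fmt = backing_info(buf)
    return backing is not None and fmt is None

def sample_header(backing: bytes, fmt: bytes) -> bytes:
    """Constructed v3 header (not a usable image) for exercising the parser."""
    ext = b""
    if fmt:
        ext += struct.pack(">II", EXT_BACKING_FORMAT, len(fmt)) + fmt.ljust((len(fmt) + 7) & ~7, b"\0")
    ext += struct.pack(">II", 0, 0)
    bf_off = 104 + len(ext) if backing else 0
    hdr = QCOW2_MAGIC + struct.pack(">IQI", 3, bf_off, len(backing))
    hdr = hdr.ljust(100, b"\0") + struct.pack(">I", 104)
    return hdr + ext + backing

if __name__ == "__main__":
    print(backing_info(sample_header(b"./base.raw", b"raw")))
    print(relies_on_probing(sample_header(b"./base.raw", b"")))
```

For a real image, pass the first cluster, for example `open(path, "rb").read(65536)` for the 64 KiB cluster size shown in the output above.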