On Thu, Nov 10, 2011 at 9:57 AM, Markus Armbruster <armbru@xxxxxxxxxx> wrote: >>> 3) The block probing code replicates a well known CVE from three >>> years ago[1]. Using kvm-tool, a malicious guest could write the >>> qcow2 signature to the zero sector and use that to attack the host. >> >> We don't support QCOW2 snapshots so I don't see how the "arbitrary >> file" thing can happen. > > You don't need snapshots for the hole. > > Start with a clean read/write raw image. Probing declares it raw. > Guest writes QCOW signature to it, with a backing file of its choice. > > Restart with the same image. Probing declares it QCOW2. Guest can read > the backing file. Oops. > > Probing images works when all image types can be probed reliably, and > the guest can't mess with the probing. Requires distinctive signatures > the guest can't change. Raw images spoil it. We don't support that "backing file" thing either. ;-) On Thu, Nov 10, 2011 at 9:57 AM, Markus Armbruster <armbru@xxxxxxxxxx> wrote: >> It's pretty sad though that we're replicating a known security issue :-/ > > Maybe I'm wrong, but I got the impression you've been replicating quite > a few of QEMU's early mistakes. > > I hope you can create something better than QEMU, I really, really do. > But to successfully build a second system, you need to learn the right > lessons from the first system. Are you sure you do? We do but it's a fair question if we're doing it enough. I don't have a simple answer to that. Pekka -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html