rpms/xen/F-9 xen-qemu-image-format.patch, NONE, 1.1 xen.spec, 1.216, 1.217 xen-qemu-block-no-auto-format.patch, 1.1, NONE

Markus Armbruster (armbru) fedora-extras-commits at redhat.com
Fri Jun 27 15:04:31 UTC 2008


Author: armbru

Update of /cvs/pkgs/rpms/xen/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29576

Modified Files:
	xen.spec 
Added Files:
	xen-qemu-image-format.patch 
Removed Files:
	xen-qemu-block-no-auto-format.patch 
Log Message:
Re-enable QEMU image format auto-detection, without the security
loopholes



xen-qemu-image-format.patch:

--- NEW FILE xen-qemu-image-format.patch ---
It is possible for a guest with a raw formatted disk image to write a
header to that disk image describing another format (such as qcow).
If QEMU probes the image for its format (say on guest restart), it
could allow the guest to read any host file.

* Block device configuration changes to:

    configuration string       type    format
    phy:[/dev/]<device>        phy     raw
    file:<filename>            file    raw
    tap:aio:<filename>         tap     raw
    tap:qcow:<image>           tap     autoprobed (never raw)
    tap:<FMT>:<image>          tap     named format FMT

  Backing files are now always raw.

* Floppy disk images are always raw.

* Removable media inserted with monitor command "change" are always
  raw.

* USB disks specified as "disk:FILE" are always raw, those specified
  as "disk-qcow:FILE" are autoprobed (never raw).

Derived from the following xen-unstable changesets:

changeset:   17877:52592af0204a
summary:     ioemu: Fix usbdevice parameter to encode vbd type.

changeset:   17874:9493a853df9e
summary:     ioemu: Disable format auto-probing in monitor command change

changeset:   17736:6b28a18a8c2d
summary:     ioemu: Force floppy disk images to be interpreted as raw.

changeset:   17646:e3b13e1ecf6c
summary:     ioemu: Do not try to guess backing file format when using qcow vbds
.

changeset:   17631:cb22b23156a4
summary:     ioemu: Fix handling of phy: block devices.

changeset:   17606:e3be00bd6aa9
summary:     ioemu: fix disk format security vulnerability

changeset:   17282:0868396712b5
summary:     ioemu: prefix phy devices with /dev/

diff -rup --exclude '*~' xen-3.2.0/tools/ioemu/block.c xen-3.2.0-new/tools/ioemu/block.c
--- xen-3.2.0/tools/ioemu/block.c	2008-06-26 13:36:21.000000000 -0400
+++ xen-3.2.0-new/tools/ioemu/block.c	2008-06-26 14:49:21.000000000 -0400
@@ -269,8 +269,28 @@ static int is_windows_drive(const char *
 }
 #endif
 
+static int bdrv_invalid_protocol_open(BlockDriverState *bs,
+				      const char *filename, int flags) {
+    return -ENOENT;
+}
+
+static BlockDriver bdrv_invalid_protocol = {
+    "invalid_protocol",
+    .bdrv_open = bdrv_invalid_protocol_open,
+};
+
 static BlockDriver *find_protocol(const char *filename)
 {
+    /* Return values:
+     *   &bdrv_xxx
+     *      filename specifies protocol xxx
+     *      caller should use that
+     *   NULL                    filename does not specify any protocol
+     *       caller may apply their own default
+     *   &bdrv_invalid_protocol  filename speciies an unknown protocol
+     *       caller should return -ENOENT; or may just try to open with
+     *       that bdrv, which always fails that way.
+     */
     BlockDriver *drv1;
     char protocol[128];
     int len;
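Review bot: The `bdrv_invalid_protocol` initializer mixes a positional first member with a designated `.bdrv_open`, which silently depends on the struct layout. Writing `.format_name = "invalid_protocol",` avoids that, assuming the first member is the `format_name` field that xenstore.c reads as `format->format_name`. The return-value contract would be easier to find as a header comment above `find_protocol` than inside its body, and "speciies" in it should read "specifies". find_protocol's body continues outside this hunk.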
@@ -283,7 +303,7 @@ static BlockDriver *find_protocol(const 
 #endif
     p = strchr(filename, ':');
     if (!p)
-        return &bdrv_raw;
+        return NULL;
     len = p - filename;
     if (len > sizeof(protocol) - 1)
         len = sizeof(protocol) - 1;
@@ -294,7 +314,7 @@ static BlockDriver *find_protocol(const 
             !strcmp(drv1->protocol_name, protocol))
             return drv1;
     }
-    return NULL;
+    return &bdrv_invalid_protocol;
 }
 
 /* XXX: force raw format if block or character device ? It would
@@ -324,8 +344,8 @@ static BlockDriver *find_image_format(co
 #endif
     
     drv = find_protocol(filename);
-    /* no need to test disk image formats for vvfat */
-    if (drv == &bdrv_vvfat)
+    /* no need to test disk image format if the filename told us */
+    if (drv != NULL)
         return drv;
 
     ret = bdrv_file_open(&bs, filename, BDRV_O_RDONLY);
@@ -420,7 +440,7 @@ int bdrv_open2(BlockDriverState *bs, con
     if (flags & BDRV_O_FILE) {
         drv = find_protocol(filename);
         if (!drv)
-            return -ENOENT;
+	    drv = &bdrv_raw;
     } else {
         if (!drv) {
             drv = find_image_format(filename);
@@ -468,7 +488,7 @@ int bdrv_open2(BlockDriverState *bs, con
         }
         path_combine(backing_filename, sizeof(backing_filename),
                      filename, bs->backing_file);
-        if (bdrv_open(bs->backing_hd, backing_filename, 0) < 0)
+        if (bdrv_open2(bs->backing_hd, backing_filename, 0, &bdrv_raw) < 0)
             goto fail;
     }
 
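Review bot: The forced-raw open `bdrv_open2(bs->backing_hd, backing_filename, 0, &bdrv_raw)` has no comment saying why probing is switched off, and it is the line a later cleanup is most likely to turn back into a plain `bdrv_open()`. Add a comment above it such as `/* backing files are always opened as raw: probing would trust a header the guest may have written */`. A backing file that is itself in a non-raw format will presumably now be read as raw bytes rather than rejected, so the comment should say that chained images are not supported. bdrv_open2 starts outside this hunk.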
diff -rup --exclude '*~' xen-3.2.0/tools/ioemu/hw/usb-msd.c xen-3.2.0-new/tools/ioemu/hw/usb-msd.c
--- xen-3.2.0/tools/ioemu/hw/usb-msd.c	2008-01-16 13:34:59.000000000 -0500
+++ xen-3.2.0-new/tools/ioemu/hw/usb-msd.c	2008-06-26 15:30:53.000000000 -0400
@@ -510,7 +510,7 @@ static void usb_msd_handle_destroy(USBDe
     qemu_free(s);
 }
 
-USBDevice *usb_msd_init(const char *filename)
+USBDevice *usb_msd_init(const char *filename, BlockDriver *drv)
 {
     MSDState *s;
     BlockDriverState *bdrv;
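Review bot: The new `drv` parameter of `usb_msd_init` is undocumented, and its NULL case is the security-relevant one: the next hunk passes it to `bdrv_open2(bdrv, filename, 0, drv)`, which falls back to `find_image_format()` when the driver is NULL. Add a comment above the definition, for example `/* drv: block driver to force (e.g. &bdrv_raw); NULL lets bdrv_open2() probe the image header */`. In the vl.c hunk the probing caller writes `usb_msd_init(p, 0)`; `usb_msd_init(p, NULL)` makes it obvious that a pointer is being passed and that probing is chosen deliberately. The function body continues outside this hunk.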
@@ -520,7 +520,7 @@ USBDevice *usb_msd_init(const char *file
         return NULL;
 
     bdrv = bdrv_new("usb");
-    if (bdrv_open(bdrv, filename, 0) < 0)
+    if (bdrv_open2(bdrv, filename, 0, drv) < 0)
         goto fail;
     s->bs = bdrv;
 
diff -rup --exclude '*~' xen-3.2.0/tools/ioemu/hw/usb.h xen-3.2.0-new/tools/ioemu/hw/usb.h
--- xen-3.2.0/tools/ioemu/hw/usb.h	2008-01-16 13:34:59.000000000 -0500
+++ xen-3.2.0-new/tools/ioemu/hw/usb.h	2008-06-26 14:42:45.000000000 -0400
@@ -217,7 +217,7 @@ USBDevice *usb_mouse_init(void);
 USBDevice *usb_tablet_init(void);
 
 /* usb-msd.c */
-USBDevice *usb_msd_init(const char *filename);
+USBDevice *usb_msd_init(const char *filename, BlockDriver *drv);
 
 /* usb.c */
 void generic_usb_save(QEMUFile* f, void *opaque);
diff -rup --exclude '*~' xen-3.2.0/tools/ioemu/monitor.c xen-3.2.0-new/tools/ioemu/monitor.c
--- xen-3.2.0/tools/ioemu/monitor.c	2008-06-26 13:36:21.000000000 -0400
+++ xen-3.2.0-new/tools/ioemu/monitor.c	2008-06-26 14:41:11.000000000 -0400
@@ -387,7 +387,7 @@ static void do_change_block(const char *
     }
     if (eject_device(bs, 0) < 0)
         return;
-    bdrv_open(bs, filename, 0);
+    bdrv_open2(bs, filename, 0, &bdrv_raw);
     if (bdrv_is_encrypted(bs)) {
         term_printf("%s is encrypted.\n", device);
         for(i = 0; i < 3; i++) {
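Review bot: The result of `bdrv_open2(bs, filename, 0, &bdrv_raw)` in do_change_block is still discarded, so a failed open after the eject is not reported and execution carries on to `bdrv_is_encrypted(bs)`. Check it, e.g. `if (bdrv_open2(bs, filename, 0, &bdrv_raw) < 0) { term_printf("could not open '%s'\n", filename); return; }`. With the format forced to raw, the encryption prompt that follows can presumably no longer trigger; if so, a short comment saying it is kept only for symmetry with upstream would help. do_change_block starts and ends outside this hunk.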
diff -rup --exclude '*~' xen-3.2.0/tools/ioemu/vl.c xen-3.2.0-new/tools/ioemu/vl.c
--- xen-3.2.0/tools/ioemu/vl.c	2008-06-26 13:36:21.000000000 -0400
+++ xen-3.2.0-new/tools/ioemu/vl.c	2008-06-26 14:42:43.000000000 -0400
@@ -4211,7 +4211,9 @@ static int usb_device_add(const char *de
     } else if (!strcmp(devname, "tablet")) {
 	dev = usb_tablet_init();
     } else if (strstart(devname, "disk:", &p)) {
-        dev = usb_msd_init(p);
+        dev = usb_msd_init(p, &bdrv_raw);
+    } else if (strstart(devname, "disk-qcow:", &p)) {
+        dev = usb_msd_init(p, 0);
     } else {
         return -1;
     }
@@ -7732,8 +7734,9 @@ int main(int argc, char **argv)
                 bdrv_set_type_hint(fd_table[i], BDRV_TYPE_FLOPPY);
             }
             if (fd_filename[i] != '\0') {
-                if (bdrv_open(fd_table[i], fd_filename[i],
-                              snapshot ? BDRV_O_SNAPSHOT : 0) < 0) {
+                if (bdrv_open2(fd_table[i], fd_filename[i],
+                               snapshot ? BDRV_O_SNAPSHOT : 0,
+                               &bdrv_raw) < 0) {
                     fprintf(stderr, "qemu: could not open floppy disk image '%s'\n",
                             fd_filename[i]);
                     exit(1);
diff -rup --exclude '*~' xen-3.2.0/tools/ioemu/xenstore.c xen-3.2.0-new/tools/ioemu/xenstore.c
--- xen-3.2.0/tools/ioemu/xenstore.c	2008-01-16 13:34:59.000000000 -0500
+++ xen-3.2.0-new/tools/ioemu/xenstore.c	2008-06-26 15:35:48.000000000 -0400
@@ -85,6 +85,7 @@ void xenstore_parse_domain_config(int do
         *dev = NULL, *params = NULL, *type = NULL, *drv = NULL;
     int i, is_scsi, is_hdN = 0;
     unsigned int len, num, hd_index;
+    BlockDriver *format;
 
     for(i = 0; i < MAX_DISKS + MAX_SCSI_DISKS; i++)
         media_filename[i] = NULL;
@@ -130,6 +131,8 @@ void xenstore_parse_domain_config(int do
     }
         
     for (i = 0; i < num; i++) {
+	format = NULL; /* don't know what the format is yet */
+
         /* read the backend path */
         if (pasprintf(&buf, "%s/device/vbd/%s/backend", path, e[i]) == -1)
             continue;
@@ -176,13 +179,28 @@ void xenstore_parse_domain_config(int do
         drv = xs_read(xsh, XBT_NULL, buf, &len);
         if (drv == NULL)
             continue;
-        /* Strip off blktap sub-type prefix aio: - QEMU can autodetect this */
+        /* Obtain blktap sub-type prefix */
         if (!strcmp(drv, "tap") && params[0]) {
             char *offset = strchr(params, ':'); 
             if (!offset)
                 continue ;
+	    free(drv);
+	    drv = malloc(offset - params + 1);
+	    memcpy(drv, params, offset - params);
+	    drv[offset - params] = '\0';
+	    if (!strcmp(drv, "aio"))
+		/* qemu does aio anyway if it can */
+		format = &bdrv_raw;
             memmove(params, offset+1, strlen(offset+1)+1 );
-            fprintf(logfile, "Strip off blktap sub-type prefix to %s\n", params); 
+            fprintf(logfile, "Strip off blktap sub-type prefix to %s (drv '%s')\n", params, drv); 
+        }
+        /* Prefix with /dev/ if needed */
+        if (!strcmp(drv, "phy") && params[0] != '/') {
+            char *newparams = malloc(5 + strlen(params) + 1);
+            sprintf(newparams, "/dev/%s", params);
+            free(params);
+            params = newparams;
+	    format = &bdrv_raw;
         }
 
         /* 
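Review bot: Both new allocations are used without a NULL check: `drv = malloc(offset - params + 1)` is passed straight to `memcpy`, and `newparams = malloc(5 + strlen(params) + 1)` straight to `sprintf`, so an allocation failure becomes a NULL write inside the device model. Add `if (!drv) continue;` after the first and `if (!newparams) continue;` after the second, matching the `continue` error style the loop already uses. The size arithmetic for "/dev/" is correct, but `snprintf` with the computed length would keep the bound next to the write. The loop body starts and ends outside this hunk.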
@@ -218,10 +236,26 @@ void xenstore_parse_domain_config(int do
         }
         /* open device now if media present */
         if (params[0]) {
-            if (bdrv_open(bs_table[hd_index + (is_scsi ? MAX_DISKS : 0)],
-                          params, 0 /* snapshot */) < 0)
-                fprintf(stderr, "qemu: could not open hard disk image '%s'\n",
-                        params);
+	    if (!format) {
+		if (!drv) {
+		    fprintf(stderr, "qemu: type (image format) not specified for vbd '%s' or image '%s'\n", buf, params);
+		    continue;
+		}
+		if (!strcmp(drv,"qcow")) {
+		    /* autoguess qcow vs qcow2 */
+		} else if (!strcmp(drv,"file") || !strcmp(drv,"phy")) {
+		    format = &bdrv_raw;
+		} else {
+		    format = bdrv_find_format(drv);
+		    if (!format) {
+			fprintf(stderr, "qemu: type (image format) '%s' unknown for vbd '%s' or image '%s'\n", drv, buf, params);
+			continue;
+		    }
+		}
+	    }
+            if (bdrv_open2(bs_table[hd_index + (is_scsi ? MAX_DISKS : 0)],
+			   params, 0 /* snapshot */, format) < 0)
+                fprintf(stderr, "qemu: could not open vbd '%s' or hard disk image '%s' (drv '%s' format '%s')\n", buf, params, drv ? drv : "?", format ? format->format_name : "0");
         }
     }
 
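Review bot: The empty `qcow` branch leaves `format` NULL so that `bdrv_open2()` probes, but its comment `/* autoguess qcow vs qcow2 */` promises more than the lines here show, since nothing in this hunk limits the probe to those two drivers. The patch description relies on the probe never selecting raw, so the comment should state that invariant, e.g. `/* format stays NULL: bdrv_open2() probes the header; safe only while the probe cannot pick raw */`. The `if (!drv)` test looks unreachable, because `drv` was already passed to `strcmp()` earlier in the loop. xenstore_parse_domain_config starts outside this hunk.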


Index: xen.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xen/F-9/xen.spec,v
retrieving revision 1.216
retrieving revision 1.217
diff -u -r1.216 -r1.217
--- xen.spec	13 Jun 2008 14:18:09 -0000	1.216
+++ xen.spec	27 Jun 2008 15:03:48 -0000	1.217
@@ -78,7 +78,7 @@
 Patch36: xen-qemu-bootmenu.patch
 
 Patch37: xen-pvfb-validate-fb.patch
-Patch38: xen-qemu-block-no-auto-format.patch
+Patch38: xen-qemu-image-format.patch
 
 # Patches to modify the default config of xend
 Patch100: xen-config-dom0-minmem.patch
@@ -465,7 +465,9 @@
 %{_libdir}/*.a
 
 %changelog
-* Fri Jun 13 2008 Markus Armbruster <armbru at redhat.com> - 3.2.0-13.fc9
+* Fri Jun 27 2008 Markus Armbruster <armbru at redhat.com> - 3.2.0-13.fc9
+- Re-enable QEMU image format auto-detection, without the security
+  loopholes
 - Correctly limit PVFB size (CVE-2008-1952)
 
 * Tue Jun  3 2008 Daniel P. Berrange <berrange at redhat.com> - 3.2.0-12.fc9


--- xen-qemu-block-no-auto-format.patch DELETED ---



