On Thu, Oct 30, 2014 at 10:07:26AM +0100, Markus Armbruster wrote:
> Stefan Hajnoczi <[email protected]> writes:
>
> > On Wed, Oct 29, 2014 at 02:54:32PM +0100, Markus Armbruster wrote:
> >> Kevin Wolf <[email protected]> writes:
> >>
> >> > On 28.10.2014 at 17:03, Markus Armbruster wrote:
> >> > Instead, let me try once more to sell my old proposal [1] from the
> >> > thread you mentioned:
> >> >
> >> >> What if we let the raw driver know that it was probed and then it
> >> >> enables a check that returns -EIO for any write on the first 2k if that
> >> >> write would make the image look like a different format?
> >> >
> >> > Attacks the problem where it arises instead of trying to detect the
> >> > outcome of it, and works in whatever way it is nested in the BDS graph
> >> > and whatever way is used to address the image file.
> >
> > I think this is too clever. It's another thing to debug if a guest
> > starts hitting EIO.
> >
> > My opinion on probing is: it's ugly but let's leave it for QEMU 3.0 at
> > which point we implement Markus's solution with exit(1).
>
> I regard my patch as a necessary preliminary step for that. Warn now,
> change behavior a couple of releases later. When exactly is debatable.
>
> > In the meantime the CVE has been known for a long time so vulnerable
> > users (VM hosting, cloud, etc) have the information they need. Many are
> > automatically protected by libvirt.
>
> The warning hopefully helps libvirt developers with keeping libvirt
> users fully protected.

I'm happy with this approach (haven't reviewed the patches in detail yet).

Stefan
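The write-side check proposed in the quoted text (return -EIO when a write to the first 2k of a probed raw image would make it look like another format), sketched as an added example; this is not QEMU code and not any poster's patch. The names `guarded_write`, `probe_header` and `demo_split_write` are hypothetical, and the magic table is a small illustrative subset rather than QEMU's probe list.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PROBE_LEN 2048 /* "the first 2k" from the proposal */

/* Illustrative subset of header magics at offset 0, not QEMU's probe list. */
static const struct { const char *name; const char *magic; size_t len; } magics[] = {
    { "qcow2", "QFI\xfb", 4 }, { "vmdk", "KDMV", 4 }, { "qed", "QED\0", 4 },
};

/* Return the format a header would be probed as, or NULL if it stays raw. */
static const char *probe_header(const uint8_t *hdr)
{
    for (size_t i = 0; i < sizeof(magics) / sizeof(magics[0]); i++)
        if (memcmp(hdr, magics[i].magic, magics[i].len) == 0)
            return magics[i].name;
    return NULL;
}

/* Hypothetical write path: returns 0 after applying the write, -EIO if a
 * probed-raw image's first 2k would then look like another format. */
int guarded_write(uint8_t *img, size_t img_len, int was_probed,
                  size_t off, const uint8_t *buf, size_t len)
{
    if (img_len < PROBE_LEN || off > img_len || len > img_len - off)
        return -EINVAL;
    if (was_probed && off < PROBE_LEN && len > 0) {
        uint8_t hdr[PROBE_LEN];
        size_t n = len < PROBE_LEN - off ? len : PROBE_LEN - off;
        memcpy(hdr, img, PROBE_LEN);  /* header as it is on disk now */
        memcpy(hdr + off, buf, n);    /* overlay the bytes this write changes */
        if (probe_header(hdr) != NULL)
            return -EIO;
    }
    memcpy(img + off, buf, len);
    return 0;
}

/* Constructed scenario: the qcow2 magic arrives in two writes, tail first.
 * Returns the result of the second write, which completes the magic. */
int demo_split_write(int was_probed)
{
    static uint8_t img[4096];
    memset(img, 0, sizeof(img));
    if (guarded_write(img, sizeof(img), was_probed, 1, (const uint8_t *)"FI\xfb", 3) != 0)
        return 1;
    return guarded_write(img, sizeof(img), was_probed, 0, (const uint8_t *)"Q", 1);
}
```

Because the check probes the header as it would read after the write, a magic assembled from several small writes is still refused at the write that completes it, while an image whose format was given explicitly (`was_probed` = 0) is never restricted.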
