WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-devel

Re: [Xen-devel] [PATCH] QEMU "drive_init()" Disk Format Security Bypass

Markus Armbruster writes ("Re: [Xen-devel] [PATCH] QEMU "drive_init()" Disk 
Format Security Bypass"):
> I'm looking at xen-unstable cset 17606 and 17646.  If I understand
> your patches correctly, you attack the security problem in two places:
> 
> (1) make format probing never return raw, and

Right.  That's a safety catch so that there's no vulnerability in any
cases I missed, of which I was definitely expecting some.

> (2) provide means to specify the format explicitly, bypassing probing.
> 
> You put (2) in xenstore_parse_domain_config().  I can see how that
> works for block devices defined in the domain configuration.  But what
> about USB disks?  I created a guest with the following settings:
...
> The -usbdevice argument is ultimately processed by usb_device_add(),
> which calls usb_msd_init() to do the real work.  I think we get (1),
> but not (2) there, i.e. your change breaks raw format USB disks.

That's quite likely.  I hadn't spotted that separate arrangement.  The
best thing to do would probably be to cross-port the format
parameter code which upstream have introduced in this area to (mostly)
fix the bug in their version.  I'll look into it.

Ian.
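
The two measures discussed in this thread, sketched as a standalone format-selection function. This is an added example, not code from the Xen or QEMU trees: `select_format`, the probe table and the sample headers are hypothetical, and only the qcow and VMDK header magics are checked.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header magics of container formats that a probe can recognise. */
static const struct { const char *name; const char *magic; size_t len; } probes[] = {
    { "qcow", "QFI\xfb", 4 },
    { "vmdk", "KDMV",    4 },
    { "vmdk", "COWD",    4 },
};

/* Hypothetical helper: choose the block format for a disk image.
 * explicit_fmt: format given in the device configuration, or NULL if none.
 * hdr/len:      first bytes of the image, which the guest is able to write.
 * Returns the format name, or NULL when the image must be refused. */
const char *select_format(const char *explicit_fmt,
                          const unsigned char *hdr, size_t len)
{
    size_t i;

    /* (2) An explicit format bypasses probing, so guest-written bytes
     * never influence the choice. */
    if (explicit_fmt != NULL)
        return explicit_fmt;

    /* (1) Probing may recognise a container format, but it never
     * falls back to raw. */
    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        if (len >= probes[i].len &&
            memcmp(hdr, probes[i].magic, probes[i].len) == 0)
            return probes[i].name;

    return NULL; /* unknown header and no explicit format: refuse */
}

/* Constructed sample headers (not taken from real images). */
static const unsigned char qcow_hdr[8] = { 'Q', 'F', 'I', 0xfb, 0, 0, 0, 1 };
static const unsigned char raw_hdr[8]  = { 0xeb, 0x63, 0x90, 0, 0, 0, 0, 0 };

int main(void)
{
    const char *f = select_format(NULL, raw_hdr, sizeof raw_hdr);
    /* A raw image on a path with no explicit format is refused, which
     * is the USB disk breakage described in the thread. */
    printf("raw image, no explicit format: %s\n", f ? f : "(refused)");
    printf("explicit raw, qcow-looking header: %s\n",
           select_format("raw", qcow_hdr, sizeof qcow_hdr));
    return 0;
}
```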
