WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: [Xen-devel] Xen 3.4.1 and QCOW - sparse backing file support gone fo

To: Martin Troester <TroyMcClure@xxxxxx>
Subject: Re: [Xen-devel] Xen 3.4.1 and QCOW - sparse backing file support gone forever?
From: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Date: Mon, 5 Oct 2009 11:05:53 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Mon, 05 Oct 2009 03:06:50 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4ABD30AC.9050109@xxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <4ABBD9DE.5090103@xxxxxx> <19132.52745.738000.235297@xxxxxxxxxxxxxxxxxxxxxxxx> <4ABD30AC.9050109@xxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Martin Troester writes ("Re: [Xen-devel] Xen 3.4.1 and QCOW - sparse backing 
file support gone  forever?"):
> Ian Jackson wrote:
> > If it works for you then your system may have a security problem.  I
> > haven't analysed this use case in detail and it would depend on the
> > exact structure of your storage.
...
> Assuming I offer a user a virtual machine with a qcow2 image backed by 
> another qcow2 image which is ultimately backed by a raw image, how would 
> a user ever get the possibility to modify the first part of the raw 
> image to resemble a qcow header? This seems to be the point where I have 
> problems following your scenario. 

Ah, yes, you are right.  I think your case is safe - provided your
base images are only ever constructed by you.  But if you ever (for
example) fold changes from the upper layers back into the raw base
image and then use that as the new base, you're vulnerable again; or
if you ever accept a raw image from someone else (for testing, say).
So it's possible to avoid the problem by carefully restricting the
operations you perform, but it's hazardous because you need to be
constantly watchful.

Unfortunately to make your case work without reintroducing the
vulnerability for users with simple raw images is not trivial, because
as I say the information about what format is expected (and the
context, which might show that it was safe).

So I would suggest that the best thing for you to do would be to carry
the local change to undo the security fix, and be very careful about
how you use your images.

> I hope I'm not making a fool of myself here, but I thought I'd put my 
> thoughts here to understand where I'm missing the point. If this does 
> not belong to this list, I'd be happy to get your answer via private mail.

No, I think it's fine to have it here.  Sorry to reply late; I've been
away the last week.

Regards,
Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

<Prev in Thread] Current Thread [Next in Thread>
  • Re: [Xen-devel] Xen 3.4.1 and QCOW - sparse backing file support gone forever?, Ian Jackson <=