[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] QEMU "drive_init()" Disk Format Security Bypass

To: Markus Armbruster <armbru@xxxxxxxxxx>
From: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Date: Fri, 30 May 2008 14:37:29 +0100
Cc: Eren TÃrkay <turkay.eren@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 30 May 2008 06:38:01 -0700
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Markus Armbruster writes ("Re: [Xen-devel] [PATCH] QEMU "drive_init()" Disk 
Format Security Bypass"):
> I'm looking at xen-unstable cset 17606 and 17646.  If I understand
> your patches correctly, you attack the security problem in two places:
> 
> (1) make format probing never return raw, and

Right.  That's a safety catch so that there's no vulnerability in any
cases I missed, of which I was definitely expecting some.

> (2) provide means to specify the format explicitly, bypassing probing.
> 
> You put (2) in xenstore_parse_domain_config().  I can see how that
> works for block devices defined in the domain configuration.  But what
> about USB disks?  I created a guest with the following settings:
...
> The -usbdevice argument is ultimately processed by usb_device_add(),
> which calls usb_msd_init() to do the real work.  I think we get (1),
> but not (2) there, i.e. your change breaks raw format USB disks.

That's quite likely.  I hadn't spotted that separate arrangement.  The
best thing to do would be probably be to cross-port the format
parameter code which upstream have introduced in this area to (mostly)
fix the bug in their version.  I'll look into it.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

References:
- [Xen-devel] QEMU "drive_init()" Disk Format Security Bypass
  - From: Eren TÃrkay
- Re: [Xen-devel] QEMU "drive_init()" Disk Format Security Bypass
  - From: Ian Jackson
- Re: [Xen-devel] QEMU "drive_init()" Disk Format Security Bypass
  - From: Daniel P. Berrange
- Re: [Xen-devel] QEMU "drive_init()" Disk Format Security Bypass
  - From: Ian Jackson
- Re: [Xen-devel] QEMU "drive_init()" Disk Format Security Bypass
  - From: Daniel P. Berrange
- Re: [Xen-devel] QEMU "drive_init()" Disk Format Security Bypass
  - From: Ian Jackson
- Re: [Xen-devel] QEMU "drive_init()" Disk Format Security Bypass
  - From: Daniel P. Berrange
- [Xen-devel] [PATCH] QEMU "drive_init()" Disk Format Security Bypass
  - From: Ian Jackson
- Re: [Xen-devel] [PATCH] QEMU "drive_init()" Disk Format Security Bypass
  - From: Ian Jackson
- Re: [Xen-devel] [PATCH] QEMU "drive_init()" Disk Format Security Bypass
  - From: Markus Armbruster

Prev by Date: [Xen-devel] Xen/paravirt_ops page on Xen wiki
Next by Date: Re: [Xen-devel] Finer access control framework over users, domains and operations.
Previous by thread: Re: [Xen-devel] [PATCH] QEMU "drive_init()" Disk Format Security Bypass
Next by thread: [Xen-devel] [PATCH] stubdom: let lwIP check TCP sums as they are now correct
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.