
Re: [Xen-devel] Xen 3.4.1 and QCOW - sparse backing file support gone forever?



Martin Troester writes ("Re: [Xen-devel] Xen 3.4.1 and QCOW - sparse backing file support gone forever?"):
> Ian Jackson wrote:
> > If it works for you then your system may have a security problem.  I
> > haven't analysed this use case in detail and it would depend on the
> > exact structure of your storage.
...
> Assuming I offer a user a virtual machine with a qcow2 image backed by 
> another qcow2 image which is ultimately backed by a raw image, how would 
> a user ever get the possibility to modify the first part of the raw 
> image to resemble a qcow header? This seems to be the point where I have 
> problems following your scenario. 

Ah, yes, you are right.  I think your case is safe - provided your
base images are only ever constructed by you.  But if you ever (for
example) fold changes from the upper layers back into the raw base
image and then use that as the new base, you're vulnerable again; or
if you ever accept a raw image from someone else (for testing, say).
So it's possible to avoid the problem by carefully restricting the
operations you perform, but it's hazardous because you need to be
constantly watchful.

Unfortunately to make your case work without reintroducing the
vulnerability for users with simple raw images is not trivial, because
as I say the information about what format is expected (and the
context, which might show that it was safe).

So I would suggest that the best thing for you to do would be to carry
the local change to undo the security fix, and be very careful about
how you use your images.

> I hope I'm not making a fool of myself here, but I thought I'd put my 
> thoughts here to understand where I'm missing the point. If this does 
> not belong to this list, I'd be happy to get your answer via private mail.

No, I think it's fine to have it here.  Sorry to reply late; I've been
away the last week.

Regards,
Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
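
The two situations named in the reply above (a raw base rebuilt from upper layers, or a raw image accepted from someone else) can be screened before the image is used as a base. This is an added example, not part of the original message or of Xen's code: it assumes the published qcow/qcow2 header layout, and the function names and sample byte strings are constructed for illustration.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"  # shared by the qcow and qcow2 on-disk headers


def probe_qcow(head):
    """Parse the leading bytes of an image the way a format prober would.

    Returns (version, backing_name) if they form a qcow header, else None.
    Header start (big-endian): magic[4], version u32,
    backing_file_offset u64, backing_file_size u32.
    """
    if len(head) < 20 or head[:4] != QCOW_MAGIC:
        return None
    version, off, size = struct.unpack(">IQI", head[4:20])
    name = None
    if off and size and off + size <= len(head):
        name = head[off:off + size].decode("utf-8", "replace")
    return version, name


def check_base(head, declared_format):
    """Decide whether an image may be used as a base with declared_format."""
    probed = probe_qcow(head)
    if declared_format == "raw" and probed is not None:
        version, name = probed
        return False, "raw image parses as qcow v%d, backing file %r" % (version, name)
    if declared_format in ("qcow", "qcow2") and probed is None:
        return False, "declared %s but no qcow header found" % declared_format
    return True, "header consistent with declared format"


def check_path(path, declared_format):
    """Same check on a file: only the first 4 KiB are read."""
    with open(path, "rb") as f:
        return check_base(f.read(4096), declared_format)


# Constructed sample inputs (not taken from any real image).
PLAIN_RAW = b"\x00" * 510 + b"\x55\xaa"
_name = b"placeholder-backing-file"
QCOW_LIKE = (QCOW_MAGIC + struct.pack(">IQI", 2, 32, len(_name))).ljust(32, b"\x00") + _name

if __name__ == "__main__":
    for label, head in (("plain", PLAIN_RAW), ("qcow-like", QCOW_LIKE)):
        print(label, check_base(head, "raw"))
```

Running `check_path` on every raw base after a fold-back or an import turns the "constantly watchful" requirement into a gate that fails closed.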


 

