i9
changed/i9/qemu-kvm-8.2.0-11.el9_4.4.inferit
commit
d1ce816bff
@ -0,0 +1,260 @@
|
|||||||
|
From 5c35b7d631e9cdf75512b9e1a0b5d48e8fd768d9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
Date: Wed, 5 Jun 2024 19:56:51 -0400
|
||||||
|
Subject: [PATCH 4/4] block: Parse filenames only when explicitly requested
|
||||||
|
|
||||||
|
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
RH-MergeRequest: 2: EMBARGOED CVE-2024-4467 for rhel-9.4.z (PRDSC)
|
||||||
|
RH-Jira: https://issues.redhat.com/browse/RHEL-35610
|
||||||
|
RH-CVE: CVE-2024-4467
|
||||||
|
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||||
|
RH-Acked-by: Hanna Czenczek <hczenczek@redhat.com>
|
||||||
|
RH-Commit: [4/4] 6f71e6a07bd5a9f8352db920f498f5fa5a2cdbfb
|
||||||
|
|
||||||
|
commit f44c2941d4419e60f16dea3e9adca164e75aa78d (origin/cve-2024-4467-hreitz-rhel-9.5.0)
|
||||||
|
Author: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
Date: Thu Apr 25 14:56:02 2024 +0200
|
||||||
|
|
||||||
|
block: Parse filenames only when explicitly requested
|
||||||
|
|
||||||
|
When handling image filenames from legacy options such as -drive or from
|
||||||
|
tools, these filenames are parsed for protocol prefixes, including for
|
||||||
|
the json:{} pseudo-protocol.
|
||||||
|
|
||||||
|
This behaviour is intended for filenames that come directly from the
|
||||||
|
command line and for backing files, which may come from the image file
|
||||||
|
itself. Higher level management tools generally take care to verify that
|
||||||
|
untrusted images don't contain a bad (or any) backing file reference;
|
||||||
|
'qemu-img info' is a suitable tool for this.
|
||||||
|
|
||||||
|
However, for other files that can be referenced in images, such as
|
||||||
|
qcow2 data files or VMDK extents, the string from the image file is
|
||||||
|
usually not verified by management tools - and 'qemu-img info' wouldn't
|
||||||
|
be suitable because in contrast to backing files, it already opens these
|
||||||
|
other referenced files. So here the string should be interpreted as a
|
||||||
|
literal local filename. More complex configurations need to be specified
|
||||||
|
explicitly on the command line or in QMP.
|
||||||
|
|
||||||
|
This patch changes bdrv_open_inherit() so that it only parses filenames
|
||||||
|
if a new parameter parse_filename is true. It is set for the top level
|
||||||
|
in bdrv_open(), for the file child and for the backing file child. All
|
||||||
|
other callers pass false and disable filename parsing this way.
|
||||||
|
|
||||||
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
Reviewed-by: Eric Blake <eblake@redhat.com>
|
||||||
|
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||||
|
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
|
||||||
|
Upstream: N/A, embargoed
|
||||||
|
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
|
||||||
|
|
||||||
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
---
|
||||||
|
block.c | 90 ++++++++++++++++++++++++++++++++++++---------------------
|
||||||
|
1 file changed, 57 insertions(+), 33 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/block.c b/block.c
|
||||||
|
index a097772238..8b6aa4a65c 100644
|
||||||
|
--- a/block.c
|
||||||
|
+++ b/block.c
|
||||||
|
@@ -86,6 +86,7 @@ static BlockDriverState *bdrv_open_inherit(const char *filename,
|
||||||
|
BlockDriverState *parent,
|
||||||
|
const BdrvChildClass *child_class,
|
||||||
|
BdrvChildRole child_role,
|
||||||
|
+ bool parse_filename,
|
||||||
|
Error **errp);
|
||||||
|
|
||||||
|
static bool bdrv_recurse_has_child(BlockDriverState *bs,
|
||||||
|
@@ -2035,7 +2036,8 @@ static void parse_json_protocol(QDict *options, const char **pfilename,
|
||||||
|
* block driver has been specified explicitly.
|
||||||
|
*/
|
||||||
|
static int bdrv_fill_options(QDict **options, const char *filename,
|
||||||
|
- int *flags, Error **errp)
|
||||||
|
+ int *flags, bool allow_parse_filename,
|
||||||
|
+ Error **errp)
|
||||||
|
{
|
||||||
|
const char *drvname;
|
||||||
|
bool protocol = *flags & BDRV_O_PROTOCOL;
|
||||||
|
@@ -2077,7 +2079,7 @@ static int bdrv_fill_options(QDict **options, const char *filename,
|
||||||
|
if (protocol && filename) {
|
||||||
|
if (!qdict_haskey(*options, "filename")) {
|
||||||
|
qdict_put_str(*options, "filename", filename);
|
||||||
|
- parse_filename = true;
|
||||||
|
+ parse_filename = allow_parse_filename;
|
||||||
|
} else {
|
||||||
|
error_setg(errp, "Can't specify 'file' and 'filename' options at "
|
||||||
|
"the same time");
|
||||||
|
@@ -3639,7 +3641,8 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDict *parent_options,
|
||||||
|
}
|
||||||
|
|
||||||
|
backing_hd = bdrv_open_inherit(backing_filename, reference, options, 0, bs,
|
||||||
|
- &child_of_bds, bdrv_backing_role(bs), errp);
|
||||||
|
+ &child_of_bds, bdrv_backing_role(bs), true,
|
||||||
|
+ errp);
|
||||||
|
if (!backing_hd) {
|
||||||
|
bs->open_flags |= BDRV_O_NO_BACKING;
|
||||||
|
error_prepend(errp, "Could not open backing file: ");
|
||||||
|
@@ -3673,7 +3676,8 @@ free_exit:
|
||||||
|
static BlockDriverState *
|
||||||
|
bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key,
|
||||||
|
BlockDriverState *parent, const BdrvChildClass *child_class,
|
||||||
|
- BdrvChildRole child_role, bool allow_none, Error **errp)
|
||||||
|
+ BdrvChildRole child_role, bool allow_none,
|
||||||
|
+ bool parse_filename, Error **errp)
|
||||||
|
{
|
||||||
|
BlockDriverState *bs = NULL;
|
||||||
|
QDict *image_options;
|
||||||
|
@@ -3704,7 +3708,8 @@ bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key,
|
||||||
|
}
|
||||||
|
|
||||||
|
bs = bdrv_open_inherit(filename, reference, image_options, 0,
|
||||||
|
- parent, child_class, child_role, errp);
|
||||||
|
+ parent, child_class, child_role, parse_filename,
|
||||||
|
+ errp);
|
||||||
|
if (!bs) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
@@ -3714,6 +3719,33 @@ done:
|
||||||
|
return bs;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static BdrvChild *bdrv_open_child_common(const char *filename,
|
||||||
|
+ QDict *options, const char *bdref_key,
|
||||||
|
+ BlockDriverState *parent,
|
||||||
|
+ const BdrvChildClass *child_class,
|
||||||
|
+ BdrvChildRole child_role,
|
||||||
|
+ bool allow_none, bool parse_filename,
|
||||||
|
+ Error **errp)
|
||||||
|
+{
|
||||||
|
+ BlockDriverState *bs;
|
||||||
|
+ BdrvChild *child;
|
||||||
|
+
|
||||||
|
+ GLOBAL_STATE_CODE();
|
||||||
|
+
|
||||||
|
+ bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class,
|
||||||
|
+ child_role, allow_none, parse_filename, errp);
|
||||||
|
+ if (bs == NULL) {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ bdrv_graph_wrlock();
|
||||||
|
+ child = bdrv_attach_child(parent, bs, bdref_key, child_class, child_role,
|
||||||
|
+ errp);
|
||||||
|
+ bdrv_graph_wrunlock();
|
||||||
|
+
|
||||||
|
+ return child;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Opens a disk image whose options are given as BlockdevRef in another block
|
||||||
|
* device's options.
|
||||||
|
@@ -3737,27 +3769,15 @@ BdrvChild *bdrv_open_child(const char *filename,
|
||||||
|
BdrvChildRole child_role,
|
||||||
|
bool allow_none, Error **errp)
|
||||||
|
{
|
||||||
|
- BlockDriverState *bs;
|
||||||
|
- BdrvChild *child;
|
||||||
|
-
|
||||||
|
- GLOBAL_STATE_CODE();
|
||||||
|
-
|
||||||
|
- bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class,
|
||||||
|
- child_role, allow_none, errp);
|
||||||
|
- if (bs == NULL) {
|
||||||
|
- return NULL;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- bdrv_graph_wrlock();
|
||||||
|
- child = bdrv_attach_child(parent, bs, bdref_key, child_class, child_role,
|
||||||
|
- errp);
|
||||||
|
- bdrv_graph_wrunlock();
|
||||||
|
-
|
||||||
|
- return child;
|
||||||
|
+ return bdrv_open_child_common(filename, options, bdref_key, parent,
|
||||||
|
+ child_class, child_role, allow_none, false,
|
||||||
|
+ errp);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * Wrapper on bdrv_open_child() for most popular case: open primary child of bs.
|
||||||
|
+ * This does mostly the same as bdrv_open_child(), but for opening the primary
|
||||||
|
+ * child of a node. A notable difference from bdrv_open_child() is that it
|
||||||
|
+ * enables filename parsing for protocol names (including json:).
|
||||||
|
*
|
||||||
|
* @parent can move to a different AioContext in this function.
|
||||||
|
*/
|
||||||
|
@@ -3772,8 +3792,8 @@ int bdrv_open_file_child(const char *filename,
|
||||||
|
role = parent->drv->is_filter ?
|
||||||
|
(BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY) : BDRV_CHILD_IMAGE;
|
||||||
|
|
||||||
|
- if (!bdrv_open_child(filename, options, bdref_key, parent,
|
||||||
|
- &child_of_bds, role, false, errp))
|
||||||
|
+ if (!bdrv_open_child_common(filename, options, bdref_key, parent,
|
||||||
|
+ &child_of_bds, role, false, true, errp))
|
||||||
|
{
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
@@ -3818,7 +3838,8 @@ BlockDriverState *bdrv_open_blockdev_ref(BlockdevRef *ref, Error **errp)
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
- bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, errp);
|
||||||
|
+ bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, false,
|
||||||
|
+ errp);
|
||||||
|
obj = NULL;
|
||||||
|
qobject_unref(obj);
|
||||||
|
visit_free(v);
|
||||||
|
@@ -3907,7 +3928,7 @@ static BlockDriverState * no_coroutine_fn
|
||||||
|
bdrv_open_inherit(const char *filename, const char *reference, QDict *options,
|
||||||
|
int flags, BlockDriverState *parent,
|
||||||
|
const BdrvChildClass *child_class, BdrvChildRole child_role,
|
||||||
|
- Error **errp)
|
||||||
|
+ bool parse_filename, Error **errp)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
BlockBackend *file = NULL;
|
||||||
|
@@ -3955,9 +3976,11 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* json: syntax counts as explicit options, as if in the QDict */
|
||||||
|
- parse_json_protocol(options, &filename, &local_err);
|
||||||
|
- if (local_err) {
|
||||||
|
- goto fail;
|
||||||
|
+ if (parse_filename) {
|
||||||
|
+ parse_json_protocol(options, &filename, &local_err);
|
||||||
|
+ if (local_err) {
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
bs->explicit_options = qdict_clone_shallow(options);
|
||||||
|
@@ -3982,7 +4005,8 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options,
|
||||||
|
parent->open_flags, parent->options);
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = bdrv_fill_options(&options, filename, &flags, &local_err);
|
||||||
|
+ ret = bdrv_fill_options(&options, filename, &flags, parse_filename,
|
||||||
|
+ &local_err);
|
||||||
|
if (ret < 0) {
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
@@ -4051,7 +4075,7 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options,
|
||||||
|
|
||||||
|
file_bs = bdrv_open_child_bs(filename, options, "file", bs,
|
||||||
|
&child_of_bds, BDRV_CHILD_IMAGE,
|
||||||
|
- true, &local_err);
|
||||||
|
+ true, true, &local_err);
|
||||||
|
if (local_err) {
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
@@ -4200,7 +4224,7 @@ BlockDriverState *bdrv_open(const char *filename, const char *reference,
|
||||||
|
GLOBAL_STATE_CODE();
|
||||||
|
|
||||||
|
return bdrv_open_inherit(filename, reference, options, flags, NULL,
|
||||||
|
- NULL, 0, errp);
|
||||||
|
+ NULL, 0, true, errp);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Return true if the NULL-terminated @list contains @str */
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,69 @@
|
|||||||
|
From c2eafeb32a256cbafb0e65c0380acb478181326e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
Date: Wed, 5 Jun 2024 19:56:51 -0400
|
||||||
|
Subject: [PATCH 2/4] iotests/244: Don't store data-file with protocol in image
|
||||||
|
|
||||||
|
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
RH-MergeRequest: 2: EMBARGOED CVE-2024-4467 for rhel-9.4.z (PRDSC)
|
||||||
|
RH-Jira: https://issues.redhat.com/browse/RHEL-35610
|
||||||
|
RH-CVE: CVE-2024-4467
|
||||||
|
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||||
|
RH-Acked-by: Hanna Czenczek <hczenczek@redhat.com>
|
||||||
|
RH-Commit: [2/4] ddef095945aa55bb0aacc2a2cb58f9e12ad20d5e
|
||||||
|
|
||||||
|
commit 92e00dab8be1570b13172353d77d2af44cb4e22b
|
||||||
|
Author: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
Date: Thu Apr 25 14:49:40 2024 +0200
|
||||||
|
|
||||||
|
iotests/244: Don't store data-file with protocol in image
|
||||||
|
|
||||||
|
We want to disable filename parsing for data files because it's too easy
|
||||||
|
to abuse in malicious image files. Make the test ready for the change by
|
||||||
|
passing the data file explicitly in command line options.
|
||||||
|
|
||||||
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
Reviewed-by: Eric Blake <eblake@redhat.com>
|
||||||
|
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||||
|
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
|
||||||
|
Upstream: N/A, embargoed
|
||||||
|
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
|
||||||
|
|
||||||
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
---
|
||||||
|
tests/qemu-iotests/244 | 19 ++++++++++++++++---
|
||||||
|
1 file changed, 16 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/qemu-iotests/244 b/tests/qemu-iotests/244
|
||||||
|
index 3e61fa25bb..bb9cc6512f 100755
|
||||||
|
--- a/tests/qemu-iotests/244
|
||||||
|
+++ b/tests/qemu-iotests/244
|
||||||
|
@@ -215,9 +215,22 @@ $QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG"
|
||||||
|
$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG"
|
||||||
|
|
||||||
|
# blkdebug doesn't support copy offloading, so this tests the error path
|
||||||
|
-$QEMU_IMG amend -f $IMGFMT -o "data_file=blkdebug::$TEST_IMG.data" "$TEST_IMG"
|
||||||
|
-$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG"
|
||||||
|
-$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG"
|
||||||
|
+test_img_with_blkdebug="json:{
|
||||||
|
+ 'driver': 'qcow2',
|
||||||
|
+ 'file': {
|
||||||
|
+ 'driver': 'file',
|
||||||
|
+ 'filename': '$TEST_IMG'
|
||||||
|
+ },
|
||||||
|
+ 'data-file': {
|
||||||
|
+ 'driver': 'blkdebug',
|
||||||
|
+ 'image': {
|
||||||
|
+ 'driver': 'file',
|
||||||
|
+ 'filename': '$TEST_IMG.data'
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+}"
|
||||||
|
+$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$test_img_with_blkdebug"
|
||||||
|
+$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$test_img_with_blkdebug"
|
||||||
|
|
||||||
|
echo
|
||||||
|
echo "=== Flushing should flush the data file ==="
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,72 @@
|
|||||||
|
From 931ab59f39b5e3551b328fe5b0f872df7a19ba05 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
Date: Wed, 5 Jun 2024 19:56:51 -0400
|
||||||
|
Subject: [PATCH 3/4] iotests/270: Don't store data-file with json: prefix in
|
||||||
|
image
|
||||||
|
|
||||||
|
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
RH-MergeRequest: 2: EMBARGOED CVE-2024-4467 for rhel-9.4.z (PRDSC)
|
||||||
|
RH-Jira: https://issues.redhat.com/browse/RHEL-35610
|
||||||
|
RH-CVE: CVE-2024-4467
|
||||||
|
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||||
|
RH-Acked-by: Hanna Czenczek <hczenczek@redhat.com>
|
||||||
|
RH-Commit: [3/4] 7a9844fd48e3f3c4d1711ea4fb671c795ca4a1c1
|
||||||
|
|
||||||
|
commit 705bcc2819ce8e0f8b9d660a93bc48de26413aec
|
||||||
|
Author: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
Date: Thu Apr 25 14:49:40 2024 +0200
|
||||||
|
|
||||||
|
iotests/270: Don't store data-file with json: prefix in image
|
||||||
|
|
||||||
|
We want to disable filename parsing for data files because it's too easy
|
||||||
|
to abuse in malicious image files. Make the test ready for the change by
|
||||||
|
passing the data file explicitly in command line options.
|
||||||
|
|
||||||
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
Reviewed-by: Eric Blake <eblake@redhat.com>
|
||||||
|
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||||
|
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
|
||||||
|
Upstream: N/A, embargoed
|
||||||
|
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
|
||||||
|
|
||||||
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
---
|
||||||
|
tests/qemu-iotests/270 | 14 +++++++++++---
|
||||||
|
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/qemu-iotests/270 b/tests/qemu-iotests/270
|
||||||
|
index 74352342db..c37b674aa2 100755
|
||||||
|
--- a/tests/qemu-iotests/270
|
||||||
|
+++ b/tests/qemu-iotests/270
|
||||||
|
@@ -60,8 +60,16 @@ _make_test_img -o cluster_size=2M,data_file="$TEST_IMG.orig" \
|
||||||
|
# "write" 2G of data without using any space.
|
||||||
|
# (qemu-img create does not like it, though, because null-co does not
|
||||||
|
# support image creation.)
|
||||||
|
-$QEMU_IMG amend -o data_file="json:{'driver':'null-co',,'size':'4294967296'}" \
|
||||||
|
- "$TEST_IMG"
|
||||||
|
+test_img_with_null_data="json:{
|
||||||
|
+ 'driver': '$IMGFMT',
|
||||||
|
+ 'file': {
|
||||||
|
+ 'filename': '$TEST_IMG'
|
||||||
|
+ },
|
||||||
|
+ 'data-file': {
|
||||||
|
+ 'driver': 'null-co',
|
||||||
|
+ 'size':'4294967296'
|
||||||
|
+ }
|
||||||
|
+}"
|
||||||
|
|
||||||
|
# This gives us a range of:
|
||||||
|
# 2^31 - 512 + 768 - 1 = 2^31 + 255 > 2^31
|
||||||
|
@@ -74,7 +82,7 @@ $QEMU_IMG amend -o data_file="json:{'driver':'null-co',,'size':'4294967296'}" \
|
||||||
|
# on L2 boundaries, we need large L2 tables; hence the cluster size of
|
||||||
|
# 2 MB. (Anything from 256 kB should work, though, because then one L2
|
||||||
|
# table covers 8 GB.)
|
||||||
|
-$QEMU_IO -c "write 768 $((2 ** 31 - 512))" "$TEST_IMG" | _filter_qemu_io
|
||||||
|
+$QEMU_IO -c "write 768 $((2 ** 31 - 512))" "$test_img_with_null_data" | _filter_qemu_io
|
||||||
|
|
||||||
|
_check_test_img
|
||||||
|
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,125 @@
|
|||||||
|
From 6e39b4c13c0eacb35e81874b09e6b6411266c631 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
Date: Wed, 5 Jun 2024 19:56:51 -0400
|
||||||
|
Subject: [PATCH 1/4] qcow2: Don't open data_file with BDRV_O_NO_IO
|
||||||
|
|
||||||
|
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
RH-MergeRequest: 2: EMBARGOED CVE-2024-4467 for rhel-9.4.z (PRDSC)
|
||||||
|
RH-Jira: https://issues.redhat.com/browse/RHEL-35610
|
||||||
|
RH-CVE: CVE-2024-4467
|
||||||
|
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||||
|
RH-Acked-by: Hanna Czenczek <hczenczek@redhat.com>
|
||||||
|
RH-Commit: [1/4] 1000359b05c706f3c5155a9481692352be333129
|
||||||
|
|
||||||
|
commit f9843ce5c519901654a7d8ba43ee95ce25ca13c2
|
||||||
|
Author: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
Date: Thu Apr 11 15:06:01 2024 +0200
|
||||||
|
|
||||||
|
qcow2: Don't open data_file with BDRV_O_NO_IO
|
||||||
|
|
||||||
|
One use case for 'qemu-img info' is verifying that untrusted images
|
||||||
|
don't reference an unwanted external file, be it as a backing file or an
|
||||||
|
external data file. To make sure that calling 'qemu-img info' can't
|
||||||
|
already have undesired side effects with a malicious image, just don't
|
||||||
|
open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do
|
||||||
|
I/O, we don't need to have it open.
|
||||||
|
|
||||||
|
This changes the output of iotests case 061, which used 'qemu-img info'
|
||||||
|
to show that opening an image with an invalid data file fails. After
|
||||||
|
this patch, it succeeds. Replace this part of the test with a qemu-io
|
||||||
|
call, but keep the final 'qemu-img info' to show that the invalid data
|
||||||
|
file is correctly displayed in the output.
|
||||||
|
|
||||||
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
Reviewed-by: Eric Blake <eblake@redhat.com>
|
||||||
|
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||||
|
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
|
||||||
|
Upstream: N/A, embargoed
|
||||||
|
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
|
||||||
|
|
||||||
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
---
|
||||||
|
block/qcow2.c | 17 ++++++++++++++++-
|
||||||
|
tests/qemu-iotests/061 | 6 ++++--
|
||||||
|
tests/qemu-iotests/061.out | 8 ++++++--
|
||||||
|
3 files changed, 26 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/block/qcow2.c b/block/qcow2.c
|
||||||
|
index d91b7b91d3..b269cfc78f 100644
|
||||||
|
--- a/block/qcow2.c
|
||||||
|
+++ b/block/qcow2.c
|
||||||
|
@@ -1642,7 +1642,22 @@ qcow2_do_open(BlockDriverState *bs, QDict *options, int flags,
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (open_data_file) {
|
||||||
|
+ if (open_data_file && (flags & BDRV_O_NO_IO)) {
|
||||||
|
+ /*
|
||||||
|
+ * Don't open the data file for 'qemu-img info' so that it can be used
|
||||||
|
+ * to verify that an untrusted qcow2 image doesn't refer to external
|
||||||
|
+ * files.
|
||||||
|
+ *
|
||||||
|
+ * Note: This still makes has_data_file() return true.
|
||||||
|
+ */
|
||||||
|
+ if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) {
|
||||||
|
+ s->data_file = NULL;
|
||||||
|
+ } else {
|
||||||
|
+ s->data_file = bs->file;
|
||||||
|
+ }
|
||||||
|
+ qdict_extract_subqdict(options, NULL, "data-file.");
|
||||||
|
+ qdict_del(options, "data-file");
|
||||||
|
+ } else if (open_data_file) {
|
||||||
|
/* Open external data file */
|
||||||
|
bdrv_graph_co_rdunlock();
|
||||||
|
s->data_file = bdrv_co_open_child(NULL, options, "data-file", bs,
|
||||||
|
diff --git a/tests/qemu-iotests/061 b/tests/qemu-iotests/061
|
||||||
|
index 53c7d428e3..b71ac097d1 100755
|
||||||
|
--- a/tests/qemu-iotests/061
|
||||||
|
+++ b/tests/qemu-iotests/061
|
||||||
|
@@ -326,12 +326,14 @@ $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
|
||||||
|
echo
|
||||||
|
_make_test_img -o "compat=1.1,data_file=$TEST_IMG.data" 64M
|
||||||
|
$QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
|
||||||
|
-_img_info --format-specific
|
||||||
|
+$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
|
||||||
|
+$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io
|
||||||
|
TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts
|
||||||
|
|
||||||
|
echo
|
||||||
|
$QEMU_IMG amend -o "data_file=" --image-opts "data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG"
|
||||||
|
-_img_info --format-specific
|
||||||
|
+$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
|
||||||
|
+$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io
|
||||||
|
TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts
|
||||||
|
|
||||||
|
echo
|
||||||
|
diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out
|
||||||
|
index 139fc68177..24c33add7c 100644
|
||||||
|
--- a/tests/qemu-iotests/061.out
|
||||||
|
+++ b/tests/qemu-iotests/061.out
|
||||||
|
@@ -545,7 +545,9 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
|
||||||
|
qemu-img: data-file can only be set for images that use an external data file
|
||||||
|
|
||||||
|
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 data_file=TEST_DIR/t.IMGFMT.data
|
||||||
|
-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': Could not open 'foo': No such file or directory
|
||||||
|
+qemu-io: can't open device TEST_DIR/t.IMGFMT: Could not open 'foo': No such file or directory
|
||||||
|
+read 4096/4096 bytes at offset 0
|
||||||
|
+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
||||||
|
image: TEST_DIR/t.IMGFMT
|
||||||
|
file format: IMGFMT
|
||||||
|
virtual size: 64 MiB (67108864 bytes)
|
||||||
|
@@ -560,7 +562,9 @@ Format specific information:
|
||||||
|
corrupt: false
|
||||||
|
extended l2: false
|
||||||
|
|
||||||
|
-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'data-file' is required for this image
|
||||||
|
+qemu-io: can't open device TEST_DIR/t.IMGFMT: 'data-file' is required for this image
|
||||||
|
+read 4096/4096 bytes at offset 0
|
||||||
|
+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
||||||
|
image: TEST_DIR/t.IMGFMT
|
||||||
|
file format: IMGFMT
|
||||||
|
virtual size: 64 MiB (67108864 bytes)
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
Loading…
Reference in new issue