qemu-cr16/block
Eric Blake 2e909d7ca9 qcow2, vmdk: Restrict creation with secondary file using protocol
Ever since CVE-2024-4467 (see commit 7ead9469 in qemu v9.1.0), we have
intentionally treated the opening of secondary files whose name is
specified in the contents of the primary file, such as a qcow2
data_file, as something that must be a local file and not a protocol
prefix (it is still possible to open a qcow2 file that wraps an NBD
data image by using QMP commands, but that is from the explicit action
of the QMP overriding any string encoded in the qcow2 file).  At the
time, we did not prevent the use of protocol prefixes on the secondary
image while creating a qcow2 file, but it results in a qcow2 file that
records an empty string for the data_file, rather than the protocol
passed in during creation:

$ qemu-img create -f raw datastore.raw 2G
$ qemu-nbd -e 0 -t -f raw datastore.raw &
$ qemu-img create -f qcow2 -o data_file=nbd://localhost:10809/ \
  datastore_nbd.qcow2 2G
Formatting 'datastore_nbd.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2147483648 data_file=nbd://localhost:10809/ lazy_refcounts=off refcount_bits=16
$ qemu-img info datastore_nbd.qcow2 | grep data
$ qemu-img info datastore_nbd.qcow2 | grep data
image: datastore_nbd.qcow2
    data file:
    data file raw: false
    filename: datastore_nbd.qcow2

And since an empty string was recorded in the file, attempting to open
the image without using QMP to supply the NBD data store fails, with a
somewhat confusing error message:

$ qemu-io -f qcow2 datastore_nbd.qcow2
qemu-io: can't open device datastore_nbd.qcow2: The 'file' block driver requires a file name

Although the ability to create an image with a convenience reference
to a protocol data file is not a security hole (unlike the case with
open, the image is not untrusted if we are the ones creating it), the
above demo shows that it is still inconsistent.  Thus, it makes more
sense if we also insist that image creation rejects a protocol prefix
when using the same syntax.  Now, the above attempt produces:

$ qemu-img create -f qcow2 -o data_file=nbd://localhost:10809/ \
  datastore_nbd.qcow2 2G
Formatting 'datastore_nbd.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2147483648 data_file=nbd://localhost:10809/ lazy_refcounts=off refcount_bits=16
qemu-img: datastore_nbd.qcow2: Could not create 'nbd://localhost:10809/': No such file or directory

with datastore_nbd.qcow2 no longer created.

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-ID: <20250915213919.3121401-6-eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2025-11-11 22:06:09 +01:00
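
The commit message above describes two things a qcow2 header can record for its data_file: a name carrying a protocol prefix, or an empty string. As an added example (not part of the commit or of QEMU's code), this Python code reads the external data file name header extension of a qcow2 v3 image and classifies it; the function names, the constructed sample header and the simplified prefix test (a colon before the first slash) are assumptions of the example.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
EXT_DATA_FILE = 0x44415441      # header extension: external data file name
INCOMPAT_DATA_FILE = 1 << 2     # incompatible-feature bit 2: external data file

def data_file_name(image: bytes):
    """Return the data_file string stored in a qcow2 v3 header, or None."""
    if image[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version, = struct.unpack_from(">I", image, 4)
    if version < 3:
        return None                      # v2 headers carry no feature bits
    incompat, = struct.unpack_from(">Q", image, 72)
    header_len, = struct.unpack_from(">I", image, 100)
    if not incompat & INCOMPAT_DATA_FILE:
        return None
    off = header_len                     # extensions follow the header
    while off + 8 <= len(image):
        ext_type, ext_len = struct.unpack_from(">II", image, off)
        off += 8
        if ext_type == 0:                # end-of-extensions marker
            break
        if off + ext_len > len(image):
            raise ValueError("truncated header extension")
        if ext_type == EXT_DATA_FILE:
            return image[off:off + ext_len].decode("utf-8", "replace")
        off += (ext_len + 7) & ~7        # payload is padded to 8 bytes
    return ""                            # feature bit set, no name recorded

def classify(image: bytes) -> str:
    """Label the recorded data_file as no-data-file, empty, protocol or local."""
    name = data_file_name(image)
    if name is None:
        return "no-data-file"
    if name == "":
        return "empty"                   # the unopenable image from the demo
    head = name.split("/", 1)[0]         # assumption: prefix = colon before first '/'
    return "protocol" if ":" in head else "local"

def sample(name: bytes) -> bytes:
    """Constructed minimal v3 header with one data_file extension (not a full image)."""
    hdr = bytearray(112)
    hdr[0:4] = QCOW2_MAGIC
    struct.pack_into(">I", hdr, 4, 3)
    struct.pack_into(">Q", hdr, 72, INCOMPAT_DATA_FILE)
    struct.pack_into(">I", hdr, 100, len(hdr))
    ext = struct.pack(">II", EXT_DATA_FILE, len(name)) + name + b"\0" * (-len(name) % 8)
    return bytes(hdr) + ext + struct.pack(">II", 0, 0)
```
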
export block/export: Add option to allow export of inactive nodes 2025-02-06 14:46:40 +01:00
monitor block/monitor: Use hmp_handle_error to report error 2025-10-29 12:10:09 +01:00
accounting.c block: enable stats-intervals for storage devices 2025-10-29 12:10:09 +01:00
aio_task.c block: Remove unused aio_task_pool_empty 2024-09-30 10:53:18 +03:00
amend.c block: Mark BlockDriver callbacks for amend job GRAPH_RDLOCK 2023-05-10 14:16:54 +02:00
backup.c block: add bdrv_graph_wrlock_drained() convenience wrapper 2025-07-14 15:40:58 +02:00
blkdebug.c block: Expand block status mode from bool to flags 2025-05-14 15:33:34 -05:00
blkio.c include/system: Move exec/memory.h to system/memory.h 2025-04-23 14:08:21 -07:00
blklogwrites.c block: add bdrv_graph_wrlock_drained() convenience wrapper 2025-07-14 15:40:58 +02:00
blkreplay.c include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
blkverify.c block: add bdrv_graph_wrlock_drained() convenience wrapper 2025-07-14 15:40:58 +02:00
block-backend.c block: add bdrv_graph_wrlock_drained() convenience wrapper 2025-07-14 15:40:58 +02:00
block-copy.c include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
block-gen.h block-coroutine-wrapper.py: support also basic return types 2022-12-15 16:07:43 +01:00
block-ram-registrar.c include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
bochs.c block: replace TABs with space 2025-11-11 22:06:09 +01:00
cloop.c block: Take graph lock for most of .bdrv_open 2023-11-08 17:56:18 +01:00
commit.c block/commit: mark commit_abort() as GRAPH_UNLOCKED 2025-07-14 15:42:13 +02:00
copy-before-write.c block: Expand block status mode from bool to flags 2025-05-14 15:33:34 -05:00
copy-before-write.h blockdev-backup: Add error handling option for copy-before-write jobs 2025-05-12 18:19:31 +03:00
copy-on-read.c qapi: Move include/qapi/qmp/ to include/qobject/ 2025-02-10 15:33:16 +01:00
copy-on-read.h block: Mark bdrv_(un)freeze_backing_chain() and callers GRAPH_RDLOCK 2023-11-07 19:14:19 +01:00
coroutines.h block: Expand block status mode from bool to flags 2025-05-14 15:33:34 -05:00
create.c qemu/compiler: Absorb 'clang-tsa.h' 2025-03-06 14:21:25 +01:00
crypto.c block: Allow drivers to control protocol prefix at creation 2025-11-11 22:06:09 +01:00
crypto.h block: Support detached LUKS header creation using qemu-img 2024-02-09 12:50:37 +00:00
curl.c block/curl.c: Fix CURLOPT_VERBOSE parameter type 2025-10-29 12:10:09 +01:00
dirty-bitmap.c block: Mark bdrv_*_dirty_bitmap() and callers GRAPH_RDLOCK 2023-02-23 19:49:32 +01:00
dmg-bz2.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
dmg-lzfse.c block/dmg: Ignore C99 prototype declaration mismatch from <lzfse.h> 2023-03-30 15:03:36 +02:00
dmg.c block: Protect bs->file with graph_lock 2023-11-08 17:56:18 +01:00
dmg.h block/dmg: Declare a type definition for DMG uncompress function 2023-04-24 13:53:44 -04:00
file-posix.c block: replace TABs with space 2025-11-11 22:06:09 +01:00
file-win32.c block: replace TABs with space 2025-11-11 22:06:09 +01:00
filter-compress.c block: Take graph lock for most of .bdrv_open 2023-11-08 17:56:18 +01:00
gluster.c file-posix, gluster: Handle zero block status hint better 2025-05-14 15:49:27 -05:00
graph-lock.c block: add bdrv_graph_wrlock_drained() convenience wrapper 2025-07-14 15:40:58 +02:00
io.c block: make bdrv_co_parent_cb_resize() a proper IO API function 2025-10-29 12:10:09 +01:00
io_uring.c block/io_uring: use non-vectored read/write when possible 2025-11-11 22:06:09 +01:00
iscsi-opts.c modules: add block module annotations 2021-07-09 18:20:27 +02:00
iscsi.c block: Expand block status mode from bool to flags 2025-05-14 15:33:34 -05:00
linux-aio.c block: skip automatic zero-init of large array in ioq_submit 2025-06-12 13:39:08 -04:00
meson.build include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
mirror.c block: drop wrapper for bdrv_set_backing_hd_drained() 2025-07-14 15:41:58 +02:00
nbd.c treewide: handle result of qio_channel_set_blocking() 2025-09-19 12:46:07 +01:00
nfs.c qapi: Move include/qapi/qmp/ to include/qobject/ 2025-02-10 15:33:16 +01:00
null.c block: Expand block status mode from bool to flags 2025-05-14 15:33:34 -05:00
nvme.c block/nvme: Use host PCI MMIO API 2025-05-08 10:21:10 -04:00
parallels-ext.c qapi/crypto: Rename QCryptoHashAlgorithm to *Algo, and drop prefix 2024-09-10 14:02:16 +02:00
parallels.c block: Allow drivers to control protocol prefix at creation 2025-11-11 22:06:09 +01:00
parallels.h block: Protect bs->file with graph_lock 2023-11-08 17:56:18 +01:00
preallocate.c block: Protect bs->file with graph_lock 2023-11-08 17:56:18 +01:00
progress_meter.c coroutine: Clean up superfluous inclusion of qemu/lockable.h 2023-01-19 10:18:28 +01:00
qapi-system.c qapi: Move include/qapi/qmp/ to include/qobject/ 2025-02-10 15:33:16 +01:00
qapi.c qemu-img info: Optionally show block limits 2025-10-29 12:10:10 +01:00
qcow.c block: Allow drivers to control protocol prefix at creation 2025-11-11 22:06:09 +01:00
qcow2-bitmap.c block/qcow2-bitmap: Replace g_memdup() by g_memdup2() 2024-05-08 19:11:34 +02:00
qcow2-cache.c qcow2: Mark qcow2_signal_corruption() and callers GRAPH_RDLOCK 2023-10-12 16:31:33 +02:00
qcow2-cluster.c qcow2: put discards in discard queue when discard-no-unref is enabled 2025-11-11 22:06:09 +01:00
qcow2-refcount.c qcow2: put discards in discard queue when discard-no-unref is enabled 2025-11-11 22:06:09 +01:00
qcow2-snapshot.c include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
qcow2-threads.c thread-pool: avoid passing the pool parameter every time 2023-04-25 13:17:28 +02:00
qcow2.c qcow2, vmdk: Restrict creation with secondary file using protocol 2025-11-11 22:06:09 +01:00
qcow2.h qcow2: put discards in discard queue when discard-no-unref is enabled 2025-11-11 22:06:09 +01:00
qed-check.c qed: mark more functions as coroutine_fns and GRAPH_RDLOCK 2023-06-28 09:46:20 +02:00
qed-cluster.c qed: protect table cache with CoMutex 2017-07-17 11:34:11 +08:00
qed-l2-cache.c osdep: Move memalign-related functions to their own header 2022-03-07 13:16:49 +00:00
qed-table.c block: use bdrv_co_debug_event in coroutine context 2023-06-28 09:46:34 +02:00
qed.c block: Allow drivers to control protocol prefix at creation 2025-11-11 22:06:09 +01:00
qed.h block: Protect bs->file with graph_lock 2023-11-08 17:56:18 +01:00
quorum.c block: add bdrv_graph_wrlock_drained() convenience wrapper 2025-07-14 15:40:58 +02:00
raw-format.c block: Allow drivers to control protocol prefix at creation 2025-11-11 22:06:09 +01:00
rbd.c rbd: Fix .bdrv_get_specific_info implementation 2025-08-12 14:59:39 +02:00
replication.c block: mark bdrv_reopen_queue() and bdrv_reopen_multiple() as GRAPH_UNLOCKED 2025-07-14 15:42:05 +02:00
reqlist.c block/reqlist: allow adding overlapping requests 2024-09-30 10:53:18 +03:00
snapshot-access.c block: Expand block status mode from bool to flags 2025-05-14 15:33:34 -05:00
snapshot.c block: add bdrv_graph_wrlock_drained() convenience wrapper 2025-07-14 15:40:58 +02:00
ssh.c qapi: Move include/qapi/qmp/ to include/qobject/ 2025-02-10 15:33:16 +01:00
stream.c block/stream: mark stream_prepare() as GRAPH_UNLOCKED 2025-07-14 15:42:04 +02:00
throttle-groups.c qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
throttle.c block: Take graph lock for most of .bdrv_open 2023-11-08 17:56:18 +01:00
trace-events block/io_uring: use aio_add_sqe() 2025-11-11 22:06:09 +01:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vdi.c block: Allow drivers to control protocol prefix at creation 2025-11-11 22:06:09 +01:00
vhdx-endian.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
vhdx-log.c vhdx: Take locks for accessing bs->file 2023-11-08 17:56:18 +01:00
vhdx.c block: Allow drivers to control protocol prefix at creation 2025-11-11 22:06:09 +01:00
vhdx.h vhdx: Take locks for accessing bs->file 2023-11-08 17:56:18 +01:00
vmdk.c qcow2, vmdk: Restrict creation with secondary file using protocol 2025-11-11 22:06:09 +01:00
vpc.c block: Allow drivers to control protocol prefix at creation 2025-11-11 22:06:09 +01:00
vvfat.c block: Expand block status mode from bool to flags 2025-05-14 15:33:34 -05:00
win32-aio.c aio: remove aio_disable_external() API 2023-05-30 17:37:26 +02:00
write-threshold.c block: remove AioContext locking 2023-12-21 22:49:27 +01:00