- vdpa: Fix bug where vdpa appliance migration does not resume after rollback
- block: Parse filenames only when explicitly requested (CVE-2024-4467)
- block: introduce bdrv_open_file_child() helper
- iotests/270: Don't store data-file with json: prefix in image (CVE-2024-4467)
- iotests/244: Don't store data-file with protocol in image (CVE-2024-4467)
- qcow2: Don't open data_file with BDRV_O_NO_IO (CVE-2024-4467)
- qcow2: Do not reopen data_file in invalidate_cache
- hw/intc/arm_gic: Fix deactivation of SPI lines cherry-pick from 7175a562f157d39725ab396e39c1e8e410d206b3
- vhost-user: Skip unnecessary duplicated VHOST_USER_SET_LOG_BASE requests
- target/ppc: Split off common embedded TLB init cherry-pick from 581eea5d656b73c6532109f4ced4c73fd4e5fd47
- vdpa: fix vdpa device migrate rollback wrong when suspend device failed 1.
- hw/virtio/virtio-pci:Support shadow device for virtio-net/blk/scsi devices

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
(cherry picked from commit ad45062d44e901468eeb8c4ac0729587daaa1e1f)
109 lines
4.7 KiB
From 6dc46edd6ebe051b181e04aa6929d46b8cbc70ba Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 11 Apr 2024 15:06:01 +0200
Subject: [PATCH] qcow2: Don't open data_file with BDRV_O_NO_IO (CVE-2024-4467)

One use case for 'qemu-img info' is verifying that untrusted images
don't reference an unwanted external file, be it as a backing file or an
external data file. To make sure that calling 'qemu-img info' can't
already have undesired side effects with a malicious image, just don't
open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do
I/O, we don't need to have it open.

This changes the output of iotests case 061, which used 'qemu-img info'
to show that opening an image with an invalid data file fails. After
this patch, it succeeds. Replace this part of the test with a qemu-io
call, but keep the final 'qemu-img info' to show that the invalid data
file is correctly displayed in the output.

Fixes: CVE-2024-4467
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
---
block/qcow2.c | 17 ++++++++++++++++-
tests/qemu-iotests/061 | 6 ++++--
tests/qemu-iotests/061.out | 8 ++++++--
3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index 4a6b0a3ea9..af1e94f2e2 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1615,7 +1615,22 @@ static int coroutine_fn qcow2_do_open(BlockDriverState *bs, QDict *options,
goto fail;
}
- if (open_data_file) {
+ if (open_data_file && (flags & BDRV_O_NO_IO)) {
+ /*
+ * Don't open the data file for 'qemu-img info' so that it can be used
+ * to verify that an untrusted qcow2 image doesn't refer to external
+ * files.
+ *
+ * Note: This still makes has_data_file() return true.
+ */
+ if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) {
+ s->data_file = NULL;
+ } else {
+ s->data_file = bs->file;
+ }
+ qdict_extract_subqdict(options, NULL, "data-file.");
+ qdict_del(options, "data-file");
+ } else if (open_data_file) {
/* Open external data file */
s->data_file = bdrv_open_child(NULL, options, "data-file", bs,
&child_of_bds, BDRV_CHILD_DATA,
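
Review bot: In the new BDRV_O_NO_IO branch, when QCOW2_INCOMPAT_DATA_FILE is set, s->data_file is left NULL while the comment itself notes that has_data_file() still returns true, so any path that tests has_data_file() and then dereferences s->data_file has to tolerate NULL. Nothing in these lines shows such a guard; consider stating next to `s->data_file = NULL;` which callers are expected to be unreachable without I/O, or asserting a non-NULL data file at the I/O entry points. The comment also names only 'qemu-img info', although the condition covers every open with BDRV_O_NO_IO; saying so would make the scope of the behaviour change clearer.
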
diff --git a/tests/qemu-iotests/061 b/tests/qemu-iotests/061
index 9507c223bd..6a5bd47efc 100755
--- a/tests/qemu-iotests/061
+++ b/tests/qemu-iotests/061
@@ -322,12 +322,14 @@ $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
echo
_make_test_img -o "compat=1.1,data_file=$TEST_IMG.data" 64M
$QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
-_img_info --format-specific
+$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
+$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io
TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts
echo
$QEMU_IMG amend -o "data_file=" --image-opts "data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG"
-_img_info --format-specific
+$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
+$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io
TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts
echo
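
Review bot: No remaining command in this hunk runs a plain 'qemu-img info' on the image whose header names the invalid data file: both `_img_info --format-specific` lines are removed, and the surviving `_img_info` calls pass a `data-file.filename` override through `--image-opts`. Since the commit message says that info now succeeds on such an image, consider keeping a plain `_img_info --format-specific` after each amend with updated expected output, so the test pins the new behaviour directly instead of only the qemu-io failure.
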
diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out
index 7ecbd4dea8..99b2307a23 100644
--- a/tests/qemu-iotests/061.out
+++ b/tests/qemu-iotests/061.out
@@ -545,7 +545,9 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
qemu-img: data-file can only be set for images that use an external data file
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 data_file=TEST_DIR/t.IMGFMT.data
-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': Could not open 'foo': No such file or directory
+qemu-io: can't open device TEST_DIR/t.IMGFMT: Could not open 'foo': No such file or directory
+read 4096/4096 bytes at offset 0
+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
image: TEST_DIR/t.IMGFMT
file format: IMGFMT
virtual size: 64 MiB (67108864 bytes)
@@ -560,7 +562,9 @@ Format specific information:
corrupt: false
extended l2: false
-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'data-file' is required for this image
+qemu-io: can't open device TEST_DIR/t.IMGFMT: 'data-file' is required for this image
+read 4096/4096 bytes at offset 0
+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
image: TEST_DIR/t.IMGFMT
file format: IMGFMT
virtual size: 64 MiB (67108864 bytes)
--
2.41.0.windows.1
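
The check the commit message describes, verifying that an untrusted image names no backing file or external data file, can also be made on the header bytes alone, without any block driver opening the image. This is an added example, not part of the patch or of QEMU: the field offsets, feature bit and extension type follow the qcow2 format specification, while `external_refs`, `constructed_header` and the sample header are hypothetical and constructed here.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_DATA_FILE = 1 << 2      # incompatible_features bit 2: external data file
EXT_END = 0x00000000             # end-of-extensions marker
EXT_DATA_FILE = 0x44415441       # header extension: external data file name


def external_refs(img: bytes) -> dict:
    """Report the external files a qcow2 header names; nothing is opened."""
    if len(img) < 72 or img[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version, backing_off, backing_len = struct.unpack_from(">IQI", img, 4)
    refs = {"backing_file": None, "data_file": None, "data_file_flag": False}
    if backing_off:
        if backing_off + backing_len > len(img):
            raise ValueError("backing file name out of bounds")
        name = img[backing_off:backing_off + backing_len]
        refs["backing_file"] = name.decode("utf-8", "replace")
    header_len = 72                      # version 2 has a fixed-size header
    if version >= 3:
        if len(img) < 104:
            raise ValueError("truncated version 3 header")
        incompat, = struct.unpack_from(">Q", img, 72)
        header_len, = struct.unpack_from(">I", img, 100)
        refs["data_file_flag"] = bool(incompat & INCOMPAT_DATA_FILE)
    off = (header_len + 7) & ~7          # extensions are 8-byte aligned
    while off + 8 <= len(img):
        ext_type, ext_len = struct.unpack_from(">II", img, off)
        if ext_type == EXT_END:
            break
        if off + 8 + ext_len > len(img):
            raise ValueError("truncated header extension")
        if ext_type == EXT_DATA_FILE:
            refs["data_file"] = img[off + 8:off + 8 + ext_len].decode("utf-8", "replace")
        off += 8 + ((ext_len + 7) & ~7)  # payload is padded to 8 bytes
    return refs


def constructed_header(data_file: bytes = b"foo") -> bytes:
    """Constructed sample: a version 3 header naming an external data file."""
    hdr = bytearray(104)
    struct.pack_into(">4sI", hdr, 0, QCOW2_MAGIC, 3)
    struct.pack_into(">Q", hdr, 72, INCOMPAT_DATA_FILE)
    struct.pack_into(">I", hdr, 100, 104)
    ext = struct.pack(">II", EXT_DATA_FILE, len(data_file))
    ext += data_file + b"\0" * (-len(data_file) % 8)
    return bytes(hdr) + ext + struct.pack(">II", EXT_END, 0)
```

An image is self-contained only when `backing_file` and `data_file` are both `None` and `data_file_flag` is false; a set flag with no name corresponds to the "'data-file' is required for this image" case in the test output above.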