aboutsummaryrefslogtreecommitdiff
path: root/COPYING
diff options
context:
space:
mode:
authorEric Blake <eblake@redhat.com>2020-07-06 15:39:54 -0500
committerKevin Wolf <kwolf@redhat.com>2020-07-14 15:24:05 +0200
commitd9f059aa6cfccefaffa3532556e966df4a99ece2 (patch)
tree69a2d6efaaf6c34ea763794fa6d91672d2f1462a /COPYING
parente54ee1b385a9d084b4052b6db7391ea2fd799fa8 (diff)
downloadqemu-d9f059aa6cfccefaffa3532556e966df4a99ece2.zip
qemu-d9f059aa6cfccefaffa3532556e966df4a99ece2.tar.gz
qemu-d9f059aa6cfccefaffa3532556e966df4a99ece2.tar.bz2
qemu-img: Deprecate use of -b without -F
Creating an image that requires format probing of the backing image is potentially unsafe (we've had several CVEs over the years based on probes leaking information to the guest on a subsequent boot, although these days tools like libvirt are aware of the issue enough to prevent the worst effects). For example, if our probing algorithm ever changes, or if other tools like libvirt determine a different probe result than we do, then subsequent use of that backing file under a different format will present corrupted data to the guest. Fortunately, the worst effects occur only when the backing image is originally raw, and we at least prevent commit into a probed raw backing file that would change its probed type. Still, it is worth starting a deprecation clock so that future qemu-img can refuse to create backing chains that would rely on probing, to encourage clients to avoid unsafe practices. Most warnings are intentionally emitted from bdrv_img_create() in the block layer, but qemu-img convert uses bdrv_create() which cannot emit its own warning without causing spurious warnings on other code paths. In the end, all command-line image creation or backing file rewriting now performs a check. Furthermore, if we probe a backing file as non-raw, then it is safe to explicitly record that result (rather than relying on future probes); only where we probe a raw image do we care about further warnings to the user when using such an image (for example, commits into a probed-raw backing file are prevented), to help them improve their tooling. But whether or not we make the probe results explicit, we still warn the user to remind them to upgrade their workflow to supply -F always. iotest 114 specifically wants to create an unsafe image for later amendment rather than defaulting to our new default of recording a probed format, so it needs an update. While touching it, expand it to cover all of the various warnings enabled by this patch. iotest 301 also shows a change to qcow messages. Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20200706203954.341758-11-eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'COPYING')
0 files changed, 0 insertions, 0 deletions