diff options
author | Kevin Wolf <kwolf@redhat.com> | 2024-04-11 15:06:01 +0200 |
---|---|---|
committer | Kevin Wolf <kwolf@redhat.com> | 2024-07-02 18:09:51 +0200 |
commit | bd385a5298d7062668e804d73944d52aec9549f1 (patch) | |
tree | 413d1d8b7504c38c39eea88859c02b96910827dc /block | |
parent | c80a339587fe4148292c260716482dd2f86d4476 (diff) | |
download | qemu-bd385a5298d7062668e804d73944d52aec9549f1.zip qemu-bd385a5298d7062668e804d73944d52aec9549f1.tar.gz qemu-bd385a5298d7062668e804d73944d52aec9549f1.tar.bz2 |
qcow2: Don't open data_file with BDRV_O_NO_IO
One use case for 'qemu-img info' is verifying that untrusted images
don't reference an unwanted external file, be it as a backing file or an
external data file. To make sure that calling 'qemu-img info' can't
already have undesired side effects with a malicious image, just don't
open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do
I/O, we don't need to have it open.
This changes the output of iotests case 061, which used 'qemu-img info'
to show that opening an image with an invalid data file fails. After
this patch, it succeeds. Replace this part of the test with a qemu-io
call, but keep the final 'qemu-img info' to show that the invalid data
file is correctly displayed in the output.
Fixes: CVE-2024-4467
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
Diffstat (limited to 'block')
-rw-r--r-- | block/qcow2.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/block/qcow2.c b/block/qcow2.c index 10883a2..70b1973 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -1636,7 +1636,22 @@ qcow2_do_open(BlockDriverState *bs, QDict *options, int flags, goto fail; } - if (open_data_file) { + if (open_data_file && (flags & BDRV_O_NO_IO)) { + /* + * Don't open the data file for 'qemu-img info' so that it can be used + * to verify that an untrusted qcow2 image doesn't refer to external + * files. + * + * Note: This still makes has_data_file() return true. + */ + if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) { + s->data_file = NULL; + } else { + s->data_file = bs->file; + } + qdict_extract_subqdict(options, NULL, "data-file."); + qdict_del(options, "data-file"); + } else if (open_data_file) { /* Open external data file */ bdrv_graph_co_rdunlock(); s->data_file = bdrv_co_open_child(NULL, options, "data-file", bs, |