e6031e7a4e
- kvm-qcow2-Don-t-open-data_file-with-BDRV_O_NO_IO.patch [RHEL-46239] - kvm-iotests-244-Don-t-store-data-file-with-protocol-in-i.patch [RHEL-46239] - kvm-iotests-270-Don-t-store-data-file-with-json-prefix-i.patch [RHEL-46239] - kvm-block-Parse-filenames-only-when-explicitly-requested.patch [RHEL-46239] - Resolves: RHEL-46239 (CVE-2024-4467 qemu-kvm: QEMU: 'qemu-img info' leads to host file read/write [rhel-10.0])
118 lines
5.0 KiB
Diff
118 lines
5.0 KiB
Diff
From 57ec055ce7615d4838ae19c4980c2a1799c6cb3d Mon Sep 17 00:00:00 2001
|
|
From: Kevin Wolf <kwolf@redhat.com>
|
|
Date: Thu, 11 Apr 2024 15:06:01 +0200
|
|
Subject: [PATCH 1/4] qcow2: Don't open data_file with BDRV_O_NO_IO
|
|
|
|
RH-Author: Hana Czenczek <hczenczek@redhat.com>
|
|
RH-MergeRequest: 1: CVE 2024-4467 (PRDSC)
|
|
RH-Jira: RHEL-46239
|
|
RH-CVE: CVE-2024-4467
|
|
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
|
|
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
RH-Acked-by: Eric Blake <eblake@redhat.com>
|
|
RH-Commit: [1/4] f9843ce5c519901654a7d8ba43ee95ce25ca13c2
|
|
|
|
One use case for 'qemu-img info' is verifying that untrusted images
|
|
don't reference an unwanted external file, be it as a backing file or an
|
|
external data file. To make sure that calling 'qemu-img info' can't
|
|
already have undesired side effects with a malicious image, just don't
|
|
open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do
|
|
I/O, we don't need to have it open.
|
|
|
|
This changes the output of iotests case 061, which used 'qemu-img info'
|
|
to show that opening an image with an invalid data file fails. After
|
|
this patch, it succeeds. Replace this part of the test with a qemu-io
|
|
call, but keep the final 'qemu-img info' to show that the invalid data
|
|
file is correctly displayed in the output.
|
|
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
Reviewed-by: Eric Blake <eblake@redhat.com>
|
|
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
|
|
Upstream: N/A, embargoed
|
|
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
|
|
---
|
|
block/qcow2.c | 17 ++++++++++++++++-
|
|
tests/qemu-iotests/061 | 6 ++++--
|
|
tests/qemu-iotests/061.out | 8 ++++++--
|
|
3 files changed, 26 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/block/qcow2.c b/block/qcow2.c
|
|
index 0e8b2f7518..3b8d2db9f9 100644
|
|
--- a/block/qcow2.c
|
|
+++ b/block/qcow2.c
|
|
@@ -1642,7 +1642,22 @@ qcow2_do_open(BlockDriverState *bs, QDict *options, int flags,
|
|
goto fail;
|
|
}
|
|
|
|
- if (open_data_file) {
|
|
+ if (open_data_file && (flags & BDRV_O_NO_IO)) {
|
|
+ /*
|
|
+ * Don't open the data file for 'qemu-img info' so that it can be used
|
|
+ * to verify that an untrusted qcow2 image doesn't refer to external
|
|
+ * files.
|
|
+ *
|
|
+ * Note: This still makes has_data_file() return true.
|
|
+ */
|
|
+ if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) {
|
|
+ s->data_file = NULL;
|
|
+ } else {
|
|
+ s->data_file = bs->file;
|
|
+ }
|
|
+ qdict_extract_subqdict(options, NULL, "data-file.");
|
|
+ qdict_del(options, "data-file");
|
|
+ } else if (open_data_file) {
|
|
/* Open external data file */
|
|
bdrv_graph_co_rdunlock();
|
|
s->data_file = bdrv_co_open_child(NULL, options, "data-file", bs,
|
|
diff --git a/tests/qemu-iotests/061 b/tests/qemu-iotests/061
|
|
index 53c7d428e3..b71ac097d1 100755
|
|
--- a/tests/qemu-iotests/061
|
|
+++ b/tests/qemu-iotests/061
|
|
@@ -326,12 +326,14 @@ $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
|
|
echo
|
|
_make_test_img -o "compat=1.1,data_file=$TEST_IMG.data" 64M
|
|
$QEMU_IMG amend -o "data_file=foo" "$TEST_IMG"
|
|
-_img_info --format-specific
|
|
+$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
|
|
+$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io
|
|
TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts
|
|
|
|
echo
|
|
$QEMU_IMG amend -o "data_file=" --image-opts "data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG"
|
|
-_img_info --format-specific
|
|
+$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt
|
|
+$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io
|
|
TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts
|
|
|
|
echo
|
|
diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out
|
|
index 139fc68177..24c33add7c 100644
|
|
--- a/tests/qemu-iotests/061.out
|
|
+++ b/tests/qemu-iotests/061.out
|
|
@@ -545,7 +545,9 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
|
|
qemu-img: data-file can only be set for images that use an external data file
|
|
|
|
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 data_file=TEST_DIR/t.IMGFMT.data
|
|
-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': Could not open 'foo': No such file or directory
|
|
+qemu-io: can't open device TEST_DIR/t.IMGFMT: Could not open 'foo': No such file or directory
|
|
+read 4096/4096 bytes at offset 0
|
|
+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
|
image: TEST_DIR/t.IMGFMT
|
|
file format: IMGFMT
|
|
virtual size: 64 MiB (67108864 bytes)
|
|
@@ -560,7 +562,9 @@ Format specific information:
|
|
corrupt: false
|
|
extended l2: false
|
|
|
|
-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'data-file' is required for this image
|
|
+qemu-io: can't open device TEST_DIR/t.IMGFMT: 'data-file' is required for this image
|
|
+read 4096/4096 bytes at offset 0
|
|
+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
|
image: TEST_DIR/t.IMGFMT
|
|
file format: IMGFMT
|
|
virtual size: 64 MiB (67108864 bytes)
|
|
--
|
|
2.39.3
|
|
|