Revision tags: v9.2.0, v9.1.2, v9.1.1, v9.1.0

727f4a78 | 03-Jul-2024 | Richard Henderson <richard.henderson@linaro.org>
Merge tag 'for-upstream' of https://repo.or.cz/qemu/kevin into staging
Block layer patches (CVE-2024-4467)
- Don't open qcow2 data files in 'qemu-img info'
- Disallow protocol prefixes for qcow2 data files, VMDK extent files and other child nodes that are neither 'file' nor 'backing'
# gpg: Signature made Tue 02 Jul 2024 09:21:32 AM PDT
# gpg: using RSA key DC3DEB159A9AF95D3D7456FE7F09B272C88F2FD6
# gpg: issuer "kwolf@redhat.com"
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [full]
* tag 'for-upstream' of https://repo.or.cz/qemu/kevin:
  block: Parse filenames only when explicitly requested
  iotests/270: Don't store data-file with json: prefix in image
  iotests/244: Don't store data-file with protocol in image
  qcow2: Don't open data_file with BDRV_O_NO_IO
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
7e111066 | 25-Apr-2024 | Kevin Wolf <kwolf@redhat.com>
iotests/270: Don't store data-file with json: prefix in image
We want to disable filename parsing for data files because it's too easy to abuse in malicious image files. Make the test ready for the change by passing the data file explicitly in command line options.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
Revision tags: v8.0.0, v7.2.0, v7.0.0, v6.2.0, v6.1.0

fef80ea0 | 21-Jan-2021 | Peter Maydell <peter.maydell@linaro.org>
Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2021-01-20' into staging
nbd patches for 2021-01-20
- minor resource leak fixes in qemu-nbd
- ensure proper aio context when nbd server uses iothreads
- iotest refactorings in preparation for rewriting ./check to be more flexible, and preparing for more nbd server reconnect features
# gpg: Signature made Thu 21 Jan 2021 02:28:19 GMT
# gpg: using RSA key 71C2CC22B1C4602927D2F3AAA7A16B4A2527436A
# gpg: Good signature from "Eric Blake <eblake@redhat.com>" [full]
# gpg: aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>" [full]
# gpg: aka "[jpeg image of size 6874]" [full]
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2 F3AA A7A1 6B4A 2527 436A
* remotes/ericb/tags/pull-nbd-2021-01-20:
  iotests.py: qemu_io(): reuse qemu_tool_pipe_and_status()
  iotests.py: fix qemu_tool_pipe_and_status()
  iotests/264: fix style
  iotests: define group in each iotest
  iotests/294: add shebang line
  iotests: make tests executable
  iotests: fix some whitespaces in test output files
  iotests/303: use dot slash for qcow2.py running
  iotests/277: use dot slash for nbd-fault-injector.py running
  nbd/server: Quiesce coroutines on context switch
  block: Honor blk_set_aio_context() context requirements
  qemu-nbd: Fix a memleak in nbd_client_thread()
  qemu-nbd: Fix a memleak in qemu_nbd_client_list()
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
9dd003a9 | 16-Jan-2021 | Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
iotests: define group in each iotest
We are going to drop group file. Define group in tests as a preparatory step.
The patch is generated by
    cd tests/qemu-iotests

    grep '^[0-9]\{3\} ' group | while read line; do
        file=$(awk '{print $1}' <<< "$line");
        groups=$(sed -e 's/^... //' <<< "$line");
        awk "NR==2{print \"# group: $groups\"}1" $file > tmp;
        cat tmp > $file;
    done
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20210116134424.82867-7-vsementsov@virtuozzo.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Revision tags: v5.2.0

d2628b1e | 14-Jul-2020 | Peter Maydell <peter.maydell@linaro.org>
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Block layer patches:
- file-posix: Mitigate file fragmentation with extent size hints
- Tighten qemu-img rules on missing backing format
- qemu-img map: Don't limit block status request size
- Fix crash with virtio-scsi and iothreads
# gpg: Signature made Tue 14 Jul 2020 14:24:19 BST
# gpg: using RSA key DC3DEB159A9AF95D3D7456FE7F09B272C88F2FD6
# gpg: issuer "kwolf@redhat.com"
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6
* remotes/kevin/tags/for-upstream:
  block: Avoid stale pointer dereference in blk_get_aio_context()
  qemu-img: Deprecate use of -b without -F
  block: Add support to warn on backing file change without format
  iotests: Specify explicit backing format where sensible
  qcow2: Deprecate use of qemu-img amend to change backing file
  block: Error if backing file fails during creation without -u
  qcow: Tolerate backing_fmt=
  vmdk: Add trivial backing_fmt support
  sheepdog: Add trivial backing_fmt support
  block: Finish deprecation of 'qemu-img convert -n -o'
  qemu-img: Flush stdout before before potential stderr messages
  file-posix: Mitigate file fragmentation with extent size hints
  iotests/059: Filter out disk size with more standard filter
  qemu-img map: Don't limit block status request size
  iotests: Simplify _filter_img_create() a bit
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
b66ff2c2 | 06-Jul-2020 | Eric Blake <eblake@redhat.com>
iotests: Specify explicit backing format where sensible
There are many existing qcow2 images that specify a backing file but no format. This has been the source of CVEs in the past, but has become more prominent of a problem now that libvirt has switched to -blockdev. With older -drive, at least the probing was always done by qemu (so the only risk of a changed format between successive boots of a guest was if qemu was upgraded and probed differently). But with newer -blockdev, libvirt must specify a format; if libvirt guesses raw where the image was formatted, this results in data corruption visible to the guest; conversely, if libvirt guesses qcow2 where qemu was using raw, this can result in potential security holes, so modern libvirt instead refuses to use images without explicit backing format.
The change in libvirt to reject images without explicit backing format has pointed out that a number of tools have been far too reliant on probing in the past. It's time to set a better example in our own iotests of properly setting this parameter.
iotest calls to create, rebase, and convert are all impacted to some degree. It's a bit annoying that we are inconsistent on command line - while all of those accept -o backing_file=...,backing_fmt=..., the shortcuts are different: create and rebase have -b and -F, while convert has -B but no -F. (amend has no shortcuts, but the previous patch just deprecated the use of amend to change backing chains).
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200706203954.341758-9-eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Revision tags: v5.0.0, v4.2.0

3af78db6 | 15-Oct-2019 | Peter Maydell <peter.maydell@linaro.org>
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Block layer patches:
- block: Fix crash with qcow2 partial cluster COW with small cluster sizes (misaligned write requests with BDRV_REQ_NO_FALLBACK)
- qcow2: Fix integer overflow potentially causing corruption with huge requests
- vhdx: Detect truncated image files
- tools: Support help options for --object
- Various block-related replay improvements
- iotests/028: Fix for long $TEST_DIRs
# gpg: Signature made Mon 14 Oct 2019 17:02:54 BST
# gpg: using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6
* remotes/kevin/tags/for-upstream:
  iotests: Test large write request to qcow2 file
  qcow2: Limit total allocation range to INT_MAX
  qemu-nbd: Support help options for --object
  qemu-img: Support help options for --object
  qemu-io: Support help options for --object
  vl: Split off user_creatable_print_help()
  iotests/028: Fix for long $TEST_DIRs
  block: Reject misaligned write requests with BDRV_REQ_NO_FALLBACK
  replay: add BH oneshot event for block layer
  replay: finish record/replay before closing the disks
  replay: don't drain/flush bdrv queue while RR is working
  replay: update docs for record/replay with block devices
  replay: disable default snapshot for record/replay
  block: implement bdrv_snapshot_goto for blkreplay
  block/vhdx: add check for truncated image files
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
a1406a92 | 10-Oct-2019 | Max Reitz <mreitz@redhat.com>
iotests: Test large write request to qcow2 file
Without HEAD^, the following happens when you attempt a large write request to a qcow2 file such that the number of bytes covered by all clusters involved in a single allocation will exceed INT_MAX:
(A) handle_alloc_space() decides to fill the whole area with zeroes and fails because bdrv_co_pwrite_zeroes() fails (the request is too large).
(B) If handle_alloc_space() does not do anything, but merge_cow() decides that the requests can be merged, it will create a too long IOV that later cannot be written.
(C) Otherwise, all parts will be written separately, so those requests will work.
In either B or C, though, qcow2_alloc_cluster_link_l2() will have an overflow: We use an int (i) to iterate over nb_clusters, and then calculate the L2 entry based on "i << s->cluster_bits" -- which will overflow if the range covers more than INT_MAX bytes. This then leads to image corruption because the L2 entry will be wrong (it will be recognized as a compressed cluster).
Even if that were not the case, the .cow_end area would be empty (because handle_alloc() will cap avail_bytes and nb_bytes at INT_MAX, so their difference (which is the .cow_end size) will be 0).
So this test checks that on such large requests, the image will not be corrupted. Unfortunately, we cannot check whether COW will be handled correctly, because that data is discarded when it is written to null-co (but we have to use null-co, because writing 2 GB of data in a test is not quite reasonable).
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
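
The "i << s->cluster_bits" overflow described in the commit message above, modelled as an added example; it is not QEMU code and not part of the commit. It assumes a 32-bit two's-complement int and the qcow2 format's flag bit positions; the function names, the sample offset and the range check (in the spirit of "qcow2: Limit total allocation range to INT_MAX") are illustrative.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* qcow2 L2 entry flag bits, as defined by the qcow2 format. */
#define QCOW_OFLAG_COPIED     (1ULL << 63)
#define QCOW_OFLAG_COMPRESSED (1ULL << 62)

/* Model of "i << cluster_bits" evaluated in a 32-bit int (assumed
 * two's complement): shift as unsigned to avoid undefined behaviour,
 * reinterpret as signed, then let the add sign-extend it to 64 bits. */
static uint64_t l2_entry_int_shift(uint64_t cluster_offset, int i, int cluster_bits)
{
    int32_t wrapped = (int32_t)((uint32_t)i << cluster_bits);
    return (cluster_offset + (uint64_t)(int64_t)wrapped) | QCOW_OFLAG_COPIED;
}

/* Same entry with the shift carried out in 64 bits. */
static uint64_t l2_entry_wide_shift(uint64_t cluster_offset, int i, int cluster_bits)
{
    return (cluster_offset + ((uint64_t)i << cluster_bits)) | QCOW_OFLAG_COPIED;
}

/* Illustrative guard: 1 if nb_clusters clusters span at most INT_MAX bytes. */
static int alloc_range_fits_int(uint64_t nb_clusters, int cluster_bits)
{
    return nb_clusters <= ((uint64_t)INT_MAX >> cluster_bits);
}

int main(void)
{
    const int cluster_bits = 9;               /* 512-byte clusters (constructed) */
    const uint64_t cluster_offset = 0x10000;  /* constructed host offset */
    const int i = 1 << 22;                    /* 2^22 clusters * 512 B = 2^31 B */

    uint64_t bad = l2_entry_int_shift(cluster_offset, i, cluster_bits);
    uint64_t good = l2_entry_wide_shift(cluster_offset, i, cluster_bits);

    printf("int shift : 0x%016llx compressed=%d\n",
           (unsigned long long)bad, (bad & QCOW_OFLAG_COMPRESSED) != 0);
    printf("wide shift: 0x%016llx compressed=%d\n",
           (unsigned long long)good, (good & QCOW_OFLAG_COMPRESSED) != 0);
    printf("range fits in int: %d\n",
           alloc_range_fits_int((uint64_t)i + 1, cluster_bits));
    return 0;
}
```

The wrapped shift sign-extends into the upper 32 bits of the entry, which sets bit 62 and makes the entry read as a compressed cluster.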