diff options
| author | Keir Fraser <keir.fraser@citrix.com> | 2008-05-12 10:09:12 +0100 |
|---|---|---|
| committer | Keir Fraser <keir.fraser@citrix.com> | 2008-05-12 10:09:12 +0100 |
| commit | aa7e17e11bb354d0cda598c7e6ccff29b210eb1c (patch) | |
| tree | ea4cf6a869748450c41d1ed62bdee41d67f66275 /extras/mini-os/fbfront.c | |
| parent | 24f7da83f5458defa8ba76f0955acfbd9736656c (diff) | |
| download | xen-aa7e17e11bb354d0cda598c7e6ccff29b210eb1c.tar.gz xen-aa7e17e11bb354d0cda598c7e6ccff29b210eb1c.tar.bz2 xen-aa7e17e11bb354d0cda598c7e6ccff29b210eb1c.zip | |
ioemu: fix disk format security vulnerability
* make the xenstore reader in qemu-dm's startup determine which
of qemu's block drivers to use according to the xenstore
backend `type' field. This `type' field typically comes from
the front of the drive mapping string in ioemu. The
supported cases are:
xm config file string `type' image format qemu driver
phy:[/dev/]<device> phy raw image bdrv_raw
file:<filename> file raw image bdrv_raw
tap:aio:<filename> tap raw image bdrv_raw
tap:qcow:<image> tap not raw autoprobe
tap:<cow-fmt>:<image> tap named format bdrv_<cow-fmt>
It is still necessary to autoprobe when the image is specified as
`tap:qcow:<image>', because qemu distinguishes `qcow' and `qcow2'
whereas blktap doesn't; `qcow' in xenstore typically means what
qemu calls qcow2. This is OK because qemu can safely distinguish
the different cow formats provided we know it's not a raw image.
* Make the format autoprobing machinery never return `raw'. This has
two purposes: firstly, it arranges that the `tap:qcow:...' case
above can be handled without accidentally falling back to raw
format. Secondly it prevents accidents in case the code changes in
future: autoprobing will now always fail on supposed cow files which
actually contain junk, rather than giving the guest access to the
underlying file.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Diffstat (limited to 'extras/mini-os/fbfront.c')
0 files changed, 0 insertions, 0 deletions