333 lines
15 KiB
Diff
333 lines
15 KiB
Diff
|
From: "Jose R. Ziviani" <jziviani@suse.de>
|
||
|
Date: Thu, 2 Sep 2021 16:13:08 -0300
|
||
|
Subject: Revert "qemu-img: Require -F with -b backing image"
|
||
|
|
||
|
This reverts commit 497a30dbb065937d67f6c43af6dd78492e1d6f6d.
|
||
|
References: bsc#1190135
|
||
|
|
||
|
Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
|
||
|
---
|
||
|
block.c | 37 +++++++++++++++++++++++----------
|
||
|
docs/about/deprecated.rst | 20 ++++++++++++++++++
|
||
|
docs/about/removed-features.rst | 19 -----------------
|
||
|
qemu-img.c | 6 ++----
|
||
|
tests/qemu-iotests/040 | 4 ++--
|
||
|
tests/qemu-iotests/041 | 6 ++----
|
||
|
tests/qemu-iotests/114 | 18 ++++++++--------
|
||
|
tests/qemu-iotests/114.out | 11 ++++++----
|
||
|
tests/qemu-iotests/301 | 4 +++-
|
||
|
tests/qemu-iotests/301.out | 16 ++++++++++++--
|
||
|
10 files changed, 85 insertions(+), 56 deletions(-)
|
||
|
|
||
|
diff --git a/block.c b/block.c
|
||
|
index e97ce0b1c83eb68db8abccfe9086..06f5ff49ee79ab5d423008ecc20e 100644
|
||
|
--- a/block.c
|
||
|
+++ b/block.c
|
||
|
@@ -5119,7 +5119,7 @@ int coroutine_fn bdrv_co_check(BlockDriverState *bs,
|
||
|
* -ENOTSUP - format driver doesn't support changing the backing file
|
||
|
*/
|
||
|
int bdrv_change_backing_file(BlockDriverState *bs, const char *backing_file,
|
||
|
- const char *backing_fmt, bool require)
|
||
|
+ const char *backing_fmt, bool warn)
|
||
|
{
|
||
|
BlockDriver *drv = bs->drv;
|
||
|
int ret;
|
||
|
@@ -5133,8 +5133,10 @@ int bdrv_change_backing_file(BlockDriverState *bs, const char *backing_file,
|
||
|
return -EINVAL;
|
||
|
}
|
||
|
|
||
|
- if (require && backing_file && !backing_fmt) {
|
||
|
- return -EINVAL;
|
||
|
+ if (warn && backing_file && !backing_fmt) {
|
||
|
+ warn_report("Deprecated use of backing file without explicit "
|
||
|
+ "backing format, use of this image requires "
|
||
|
+ "potentially unsafe format probing");
|
||
|
}
|
||
|
|
||
|
if (drv->bdrv_change_backing_file != NULL) {
|
||
|
@@ -6647,11 +6649,24 @@ void bdrv_img_create(const char *filename, const char *fmt,
|
||
|
goto out;
|
||
|
} else {
|
||
|
if (!backing_fmt) {
|
||
|
- error_setg(&local_err,
|
||
|
- "Backing file specified without backing format");
|
||
|
- error_append_hint(&local_err, "Detected format of %s.",
|
||
|
- bs->drv->format_name);
|
||
|
- goto out;
|
||
|
+ warn_report("Deprecated use of backing file without explicit "
|
||
|
+ "backing format (detected format of %s)",
|
||
|
+ bs->drv->format_name);
|
||
|
+ if (bs->drv != &bdrv_raw) {
|
||
|
+ /*
|
||
|
+ * A probe of raw deserves the most attention:
|
||
|
+ * leaving the backing format out of the image
|
||
|
+ * will ensure bs->probed is set (ensuring we
|
||
|
+ * don't accidentally commit into the backing
|
||
|
+ * file), and allow more spots to warn the users
|
||
|
+ * to fix their toolchain when opening this image
|
||
|
+ * later. For other images, we can safely record
|
||
|
+ * the format that we probed.
|
||
|
+ */
|
||
|
+ backing_fmt = bs->drv->format_name;
|
||
|
+ qemu_opt_set(opts, BLOCK_OPT_BACKING_FMT, backing_fmt,
|
||
|
+ NULL);
|
||
|
+ }
|
||
|
}
|
||
|
if (size == -1) {
|
||
|
/* Opened BS, have no size */
|
||
|
@@ -6668,9 +6683,9 @@ void bdrv_img_create(const char *filename, const char *fmt,
|
||
|
}
|
||
|
/* (backing_file && !(flags & BDRV_O_NO_BACKING)) */
|
||
|
} else if (backing_file && !backing_fmt) {
|
||
|
- error_setg(&local_err,
|
||
|
- "Backing file specified without backing format");
|
||
|
- goto out;
|
||
|
+ warn_report("Deprecated use of unopened backing file without "
|
||
|
+ "explicit backing format, use of this image requires "
|
||
|
+ "potentially unsafe format probing");
|
||
|
}
|
||
|
|
||
|
if (size == -1) {
|
||
|
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
|
||
|
index 6d438f1c8d41e19c4fc976d1c7da..638f1000cbd19a72aa456104446f 100644
|
||
|
--- a/docs/about/deprecated.rst
|
||
|
+++ b/docs/about/deprecated.rst
|
||
|
@@ -300,6 +300,26 @@ this CPU is also deprecated.
|
||
|
Related binaries
|
||
|
----------------
|
||
|
|
||
|
+qemu-img backing file without format (since 5.1)
|
||
|
+''''''''''''''''''''''''''''''''''''''''''''''''
|
||
|
+
|
||
|
+The use of ``qemu-img create``, ``qemu-img rebase``, or ``qemu-img
|
||
|
+convert`` to create or modify an image that depends on a backing file
|
||
|
+now recommends that an explicit backing format be provided. This is
|
||
|
+for safety: if QEMU probes a different format than what you thought,
|
||
|
+the data presented to the guest will be corrupt; similarly, presenting
|
||
|
+a raw image to a guest allows a potential security exploit if a future
|
||
|
+probe sees a non-raw image based on guest writes.
|
||
|
+
|
||
|
+To avoid the warning message, or even future refusal to create an
|
||
|
+unsafe image, you must pass ``-o backing_fmt=`` (or the shorthand
|
||
|
+``-F`` during create) to specify the intended backing format. You may
|
||
|
+use ``qemu-img rebase -u`` to retroactively add a backing format to an
|
||
|
+existing image. However, be aware that there are already potential
|
||
|
+security risks to blindly using ``qemu-img info`` to probe the format
|
||
|
+of an untrusted backing image, when deciding what format to add into
|
||
|
+an existing image.
|
||
|
+
|
||
|
Backwards compatibility
|
||
|
-----------------------
|
||
|
|
||
|
diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst
|
||
|
index cbfa1a8e31a69200c2bb97ddffb1..afadc8f7e0fc4e2377ee85d6166c 100644
|
||
|
--- a/docs/about/removed-features.rst
|
||
|
+++ b/docs/about/removed-features.rst
|
||
|
@@ -678,25 +678,6 @@ backing chain should be performed with ``qemu-img rebase -u`` either
|
||
|
before or after the remaining changes being performed by amend, as
|
||
|
appropriate.
|
||
|
|
||
|
-qemu-img backing file without format (removed in 6.1)
|
||
|
-'''''''''''''''''''''''''''''''''''''''''''''''''''''
|
||
|
-
|
||
|
-The use of ``qemu-img create``, ``qemu-img rebase``, or ``qemu-img
|
||
|
-convert`` to create or modify an image that depends on a backing file
|
||
|
-now requires that an explicit backing format be provided. This is
|
||
|
-for safety: if QEMU probes a different format than what you thought,
|
||
|
-the data presented to the guest will be corrupt; similarly, presenting
|
||
|
-a raw image to a guest allows a potential security exploit if a future
|
||
|
-probe sees a non-raw image based on guest writes.
|
||
|
-
|
||
|
-To avoid creating unsafe backing chains, you must pass ``-o
|
||
|
-backing_fmt=`` (or the shorthand ``-F`` during create) to specify the
|
||
|
-intended backing format. You may use ``qemu-img rebase -u`` to
|
||
|
-retroactively add a backing format to an existing image. However, be
|
||
|
-aware that there are already potential security risks to blindly using
|
||
|
-``qemu-img info`` to probe the format of an untrusted backing image,
|
||
|
-when deciding what format to add into an existing image.
|
||
|
-
|
||
|
Block devices
|
||
|
-------------
|
||
|
|
||
|
diff --git a/qemu-img.c b/qemu-img.c
|
||
|
index 3ebd09245290878c24c8f1412146..4da817857f3efccc2bd83297500b 100644
|
||
|
--- a/qemu-img.c
|
||
|
+++ b/qemu-img.c
|
||
|
@@ -2549,10 +2549,8 @@ static int img_convert(int argc, char **argv)
|
||
|
|
||
|
if (out_baseimg_param) {
|
||
|
if (!qemu_opt_get(opts, BLOCK_OPT_BACKING_FMT)) {
|
||
|
- error_report("Use of backing file requires explicit "
|
||
|
- "backing format");
|
||
|
- ret = -1;
|
||
|
- goto out;
|
||
|
+ warn_report("Deprecated use of backing file without explicit "
|
||
|
+ "backing format");
|
||
|
}
|
||
|
}
|
||
|
|
||
|
diff --git a/tests/qemu-iotests/040 b/tests/qemu-iotests/040
|
||
|
index f3677de9dfde326ad85515ec8bfa..ba7cb34ce8cf95df6fa63f9eb8f0 100755
|
||
|
--- a/tests/qemu-iotests/040
|
||
|
+++ b/tests/qemu-iotests/040
|
||
|
@@ -920,8 +920,8 @@ class TestCommitWithOverriddenBacking(iotests.QMPTestCase):
|
||
|
def setUp(self):
|
||
|
qemu_img('create', '-f', iotests.imgfmt, self.img_base_a, '1M')
|
||
|
qemu_img('create', '-f', iotests.imgfmt, self.img_base_b, '1M')
|
||
|
- qemu_img('create', '-f', iotests.imgfmt, '-b', self.img_base_a,
|
||
|
- '-F', iotests.imgfmt, self.img_top)
|
||
|
+ qemu_img('create', '-f', iotests.imgfmt, '-b', self.img_base_a, \
|
||
|
+ self.img_top)
|
||
|
|
||
|
self.vm = iotests.VM()
|
||
|
self.vm.launch()
|
||
|
diff --git a/tests/qemu-iotests/041 b/tests/qemu-iotests/041
|
||
|
index db9f5dc540e84c597d30521d4b6c..5cc02b24fc7a8be3d28e0e9737cb 100755
|
||
|
--- a/tests/qemu-iotests/041
|
||
|
+++ b/tests/qemu-iotests/041
|
||
|
@@ -1295,10 +1295,8 @@ class TestReplaces(iotests.QMPTestCase):
|
||
|
class TestFilters(iotests.QMPTestCase):
|
||
|
def setUp(self):
|
||
|
qemu_img('create', '-f', iotests.imgfmt, backing_img, '1M')
|
||
|
- qemu_img('create', '-f', iotests.imgfmt, '-b', backing_img,
|
||
|
- '-F', iotests.imgfmt, test_img)
|
||
|
- qemu_img('create', '-f', iotests.imgfmt, '-b', backing_img,
|
||
|
- '-F', iotests.imgfmt, target_img)
|
||
|
+ qemu_img('create', '-f', iotests.imgfmt, '-b', backing_img, test_img)
|
||
|
+ qemu_img('create', '-f', iotests.imgfmt, '-b', backing_img, target_img)
|
||
|
|
||
|
qemu_io('-c', 'write -P 1 0 512k', backing_img)
|
||
|
qemu_io('-c', 'write -P 2 512k 512k', test_img)
|
||
|
diff --git a/tests/qemu-iotests/114 b/tests/qemu-iotests/114
|
||
|
index de6fd327eea9e2ef5d21fc6fbf0b..43cb0bc6c3443a809f4dcd42ecce 100755
|
||
|
--- a/tests/qemu-iotests/114
|
||
|
+++ b/tests/qemu-iotests/114
|
||
|
@@ -44,16 +44,16 @@ _supported_os Linux
|
||
|
# qcow2.py does not work too well with external data files
|
||
|
_unsupported_imgopts data_file
|
||
|
|
||
|
-# Older qemu-img could set up backing file without backing format; modern
|
||
|
-# qemu can't but we can use qcow2.py to simulate older files.
|
||
|
+# Intentionally specify backing file without backing format; demonstrate
|
||
|
+# the difference in warning messages when backing file could be probed.
|
||
|
+# Note that only a non-raw probe result will affect the resulting image.
|
||
|
truncate -s $((64 * 1024 * 1024)) "$TEST_IMG.orig"
|
||
|
-_make_test_img -b "$TEST_IMG.orig" -F raw 64M
|
||
|
-$PYTHON qcow2.py "$TEST_IMG" del-header-ext 0xE2792ACA
|
||
|
+_make_test_img -b "$TEST_IMG.orig" 64M
|
||
|
|
||
|
TEST_IMG="$TEST_IMG.base" _make_test_img 64M
|
||
|
$QEMU_IMG convert -O qcow2 -B "$TEST_IMG.orig" "$TEST_IMG.orig" "$TEST_IMG"
|
||
|
-_make_test_img -b "$TEST_IMG.base" -F $IMGFMT 64M
|
||
|
-_make_test_img -u -b "$TEST_IMG.base" -F $IMGFMT 64M
|
||
|
+_make_test_img -b "$TEST_IMG.base" 64M
|
||
|
+_make_test_img -u -b "$TEST_IMG.base" 64M
|
||
|
|
||
|
# Set an invalid backing file format
|
||
|
$PYTHON qcow2.py "$TEST_IMG" add-header-ext 0xE2792ACA "foo"
|
||
|
@@ -64,9 +64,9 @@ _img_info
|
||
|
$QEMU_IO -c "open $TEST_IMG" -c "read 0 4k" 2>&1 | _filter_qemu_io | _filter_testdir
|
||
|
$QEMU_IO -c "open -o backing.driver=$IMGFMT $TEST_IMG" -c "read 0 4k" | _filter_qemu_io
|
||
|
|
||
|
-# Rebase the image, to show that backing format is required.
|
||
|
-($QEMU_IMG rebase -u -b "$TEST_IMG.base" "$TEST_IMG" 2>&1 && echo "unexpected pass") | _filter_testdir
|
||
|
-$QEMU_IMG rebase -u -b "$TEST_IMG.base" -F $IMGFMT "$TEST_IMG"
|
||
|
+# Rebase the image, to show that omitting backing format triggers a warning,
|
||
|
+# but probing now lets us use the backing file.
|
||
|
+$QEMU_IMG rebase -u -b "$TEST_IMG.base" "$TEST_IMG"
|
||
|
$QEMU_IO -c "open $TEST_IMG" -c "read 0 4k" 2>&1 | _filter_qemu_io | _filter_testdir
|
||
|
|
||
|
# success, all done
|
||
|
diff --git a/tests/qemu-iotests/114.out b/tests/qemu-iotests/114.out
|
||
|
index 6d638da266e495e8bed2fbcf919e..0a37d20c82a95d6d5ea9fc9635e7 100644
|
||
|
--- a/tests/qemu-iotests/114.out
|
||
|
+++ b/tests/qemu-iotests/114.out
|
||
|
@@ -1,9 +1,12 @@
|
||
|
QA output created by 114
|
||
|
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.orig backing_fmt=raw
|
||
|
+qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of raw)
|
||
|
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.orig
|
||
|
Formatting 'TEST_DIR/t.IMGFMT.base', fmt=IMGFMT size=67108864
|
||
|
-qemu-img: Use of backing file requires explicit backing format
|
||
|
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
|
||
|
+qemu-img: warning: Deprecated use of backing file without explicit backing format
|
||
|
+qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of IMGFMT)
|
||
|
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
|
||
|
+qemu-img: warning: Deprecated use of unopened backing file without explicit backing format, use of this image requires potentially unsafe format probing
|
||
|
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.base
|
||
|
image: TEST_DIR/t.IMGFMT
|
||
|
file format: IMGFMT
|
||
|
virtual size: 64 MiB (67108864 bytes)
|
||
|
@@ -14,7 +17,7 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Could not open backing file: Unknow
|
||
|
no file open, try 'help open'
|
||
|
read 4096/4096 bytes at offset 0
|
||
|
4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
||
|
-qemu-img: Could not change the backing file to 'TEST_DIR/t.qcow2.base': Invalid argument
|
||
|
+qemu-img: warning: Deprecated use of backing file without explicit backing format, use of this image requires potentially unsafe format probing
|
||
|
read 4096/4096 bytes at offset 0
|
||
|
4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
|
||
|
*** done
|
||
|
diff --git a/tests/qemu-iotests/301 b/tests/qemu-iotests/301
|
||
|
index 220de1043fa5dcad8f8563a452c1..9f943cadbe24413c7f453101a6a9 100755
|
||
|
--- a/tests/qemu-iotests/301
|
||
|
+++ b/tests/qemu-iotests/301
|
||
|
@@ -3,7 +3,7 @@
|
||
|
#
|
||
|
# Test qcow backing file warnings
|
||
|
#
|
||
|
-# Copyright (C) 2020-2021 Red Hat, Inc.
|
||
|
+# Copyright (C) 2020 Red Hat, Inc.
|
||
|
#
|
||
|
# This program is free software; you can redistribute it and/or modify
|
||
|
# it under the terms of the GNU General Public License as published by
|
||
|
@@ -46,6 +46,7 @@ echo "== qcow backed by qcow =="
|
||
|
|
||
|
TEST_IMG="$TEST_IMG.base" _make_test_img $size
|
||
|
_make_test_img -b "$TEST_IMG.base" $size
|
||
|
+_img_info
|
||
|
_make_test_img -b "$TEST_IMG.base" -F $IMGFMT $size
|
||
|
_img_info
|
||
|
|
||
|
@@ -70,6 +71,7 @@ echo "== qcow backed by raw =="
|
||
|
rm "$TEST_IMG.base"
|
||
|
truncate --size=$size "$TEST_IMG.base"
|
||
|
_make_test_img -b "$TEST_IMG.base" $size
|
||
|
+_img_info
|
||
|
_make_test_img -b "$TEST_IMG.base" -F raw $size
|
||
|
_img_info
|
||
|
|
||
|
diff --git a/tests/qemu-iotests/301.out b/tests/qemu-iotests/301.out
|
||
|
index e280658191e1eba861b821fafa35..9004dad6392f4a0ec685fb4a80d1 100644
|
||
|
--- a/tests/qemu-iotests/301.out
|
||
|
+++ b/tests/qemu-iotests/301.out
|
||
|
@@ -2,7 +2,13 @@ QA output created by 301
|
||
|
|
||
|
== qcow backed by qcow ==
|
||
|
Formatting 'TEST_DIR/t.IMGFMT.base', fmt=IMGFMT size=33554432
|
||
|
-qemu-img: TEST_DIR/t.IMGFMT: Backing file specified without backing format
|
||
|
+qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of IMGFMT)
|
||
|
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
|
||
|
+image: TEST_DIR/t.IMGFMT
|
||
|
+file format: IMGFMT
|
||
|
+virtual size: 32 MiB (33554432 bytes)
|
||
|
+cluster_size: 512
|
||
|
+backing file: TEST_DIR/t.IMGFMT.base
|
||
|
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
|
||
|
image: TEST_DIR/t.IMGFMT
|
||
|
file format: IMGFMT
|
||
|
@@ -30,7 +36,13 @@ cluster_size: 512
|
||
|
backing file: TEST_DIR/t.IMGFMT.base
|
||
|
|
||
|
== qcow backed by raw ==
|
||
|
-qemu-img: TEST_DIR/t.IMGFMT: Backing file specified without backing format
|
||
|
+qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of raw)
|
||
|
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 backing_file=TEST_DIR/t.IMGFMT.base
|
||
|
+image: TEST_DIR/t.IMGFMT
|
||
|
+file format: IMGFMT
|
||
|
+virtual size: 32 MiB (33554432 bytes)
|
||
|
+cluster_size: 512
|
||
|
+backing file: TEST_DIR/t.IMGFMT.base
|
||
|
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=raw
|
||
|
image: TEST_DIR/t.IMGFMT
|
||
|
file format: IMGFMT
|