pool/qemu
SHA256
6
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accepting request 917177 from home:jziviani:branches:Virtualization

Browse Source 
- Keep qemu-img without backing format still deprecated
  (bsc#1190135)
* Patches added:
  Revert-qemu-img-Improve-error-for-rebase.patch
  Revert-qemu-img-Require-F-with-b-backing.patch
- Update the support files to reflect the deprecation.

OBS-URL: https://build.opensuse.org/request/show/917177
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=669
This commit is contained in:
José Ricardo Ziviani 2021-09-06 22:19:57 +00:00 committed by Git OBS Bridge
parent 10c95bc3e4
commit ad2ff78115
8 changed files with 400 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
Revert-qemu-img-Improve-error-for-rebase.patch Normal file
View File

@ -0,0 +1,40 @@
From: "Jose R. Ziviani" <jziviani@suse.de>
Date: Thu, 2 Sep 2021 16:06:20 -0300
Subject: Revert "qemu-img: Improve error for rebase without backing format"
This reverts commit a7cd44bef3d9380181734a93977c3d1df3eef2cf.
References: bsc#1190135
Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
---
qemu-img.c | 3 ---
tests/qemu-iotests/114.out | 2 +-
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/qemu-img.c b/qemu-img.c
index 908fd0cce5b4fc90a4798ea4a1c4..3ebd09245290878c24c8f1412146 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -3810,9 +3810,6 @@ static int img_rebase(int argc, char **argv)
if (ret == -ENOSPC) {
error_report("Could not change the backing file to '%s': No "
"space left in the file header", out_baseimg);
- } else if (ret == -EINVAL && out_baseimg && !out_basefmt) {
- error_report("Could not change the backing file to '%s': backing "
- "format must be specified", out_baseimg);
} else if (ret < 0) {
error_report("Could not change the backing file to '%s': %s",
out_baseimg, strerror(-ret));
diff --git a/tests/qemu-iotests/114.out b/tests/qemu-iotests/114.out
index f51dd9d20a1038c54d7d6e073b5e..6d638da266e495e8bed2fbcf919e 100644
--- a/tests/qemu-iotests/114.out
+++ b/tests/qemu-iotests/114.out
@@ -14,7 +14,7 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Could not open backing file: Unknow
no file open, try 'help open'
read 4096/4096 bytes at offset 0
4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-qemu-img: Could not change the backing file to 'TEST_DIR/t.qcow2.base': backing format must be specified
+qemu-img: Could not change the backing file to 'TEST_DIR/t.qcow2.base': Invalid argument
read 4096/4096 bytes at offset 0
4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
*** done

332
Revert-qemu-img-Require-F-with-b-backing.patch Normal file
View File

@ -0,0 +1,332 @@
From: "Jose R. Ziviani" <jziviani@suse.de>
Date: Thu, 2 Sep 2021 16:13:08 -0300
Subject: Revert "qemu-img: Require -F with -b backing image"
This reverts commit 497a30dbb065937d67f6c43af6dd78492e1d6f6d.
References: bsc#1190135
Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
---
block.c | 37 +++++++++++++++++++++++----------
docs/about/deprecated.rst | 20 ++++++++++++++++++
docs/about/removed-features.rst | 19 -----------------
qemu-img.c | 6 ++----
tests/qemu-iotests/040 | 4 ++--
tests/qemu-iotests/041 | 6 ++----
tests/qemu-iotests/114 | 18 ++++++++--------
tests/qemu-iotests/114.out | 11 ++++++----
tests/qemu-iotests/301 | 4 +++-
tests/qemu-iotests/301.out | 16 ++++++++++++--
10 files changed, 85 insertions(+), 56 deletions(-)
diff --git a/block.c b/block.c
index e97ce0b1c83eb68db8abccfe9086..06f5ff49ee79ab5d423008ecc20e 100644
--- a/block.c
+++ b/block.c
@@ -5119,7 +5119,7 @@ int coroutine_fn bdrv_co_check(BlockDriverState *bs,
* -ENOTSUP - format driver doesn't support changing the backing file
*/
int bdrv_change_backing_file(BlockDriverState *bs, const char *backing_file,
- const char *backing_fmt, bool require)
+ const char *backing_fmt, bool warn)
{
BlockDriver *drv = bs->drv;
int ret;
@@ -5133,8 +5133,10 @@ int bdrv_change_backing_file(BlockDriverState *bs, const char *backing_file,
return -EINVAL;
}
- if (require && backing_file && !backing_fmt) {
- return -EINVAL;
+ if (warn && backing_file && !backing_fmt) {
+ warn_report("Deprecated use of backing file without explicit "
+ "backing format, use of this image requires "
+ "potentially unsafe format probing");
}
if (drv->bdrv_change_backing_file != NULL) {
@@ -6647,11 +6649,24 @@ void bdrv_img_create(const char *filename, const char *fmt,
goto out;
} else {
if (!backing_fmt) {
- error_setg(&local_err,
- "Backing file specified without backing format");
- error_append_hint(&local_err, "Detected format of %s.",
- bs->drv->format_name);
- goto out;
+ warn_report("Deprecated use of backing file without explicit "
+ "backing format (detected format of %s)",
+ bs->drv->format_name);
+ if (bs->drv != &bdrv_raw) {
+ /*
+ * A probe of raw deserves the most attention:
+ * leaving the backing format out of the image
+ * will ensure bs->probed is set (ensuring we
+ * don't accidentally commit into the backing
+ * file), and allow more spots to warn the users
+ * to fix their toolchain when opening this image
+ * later. For other images, we can safely record
+ * the format that we probed.
+ */
+ backing_fmt = bs->drv->format_name;
+ qemu_opt_set(opts, BLOCK_OPT_BACKING_FMT, backing_fmt,
+ NULL);
+ }
}
if (size == -1) {
/* Opened BS, have no size */
@@ -6668,9 +6683,9 @@ void bdrv_img_create(const char *filename, const char *fmt,
}
/* (backing_file && !(flags & BDRV_O_NO_BACKING)) */
} else if (backing_file && !backing_fmt) {
- error_setg(&local_err,
- "Backing file specified without backing format");
- goto out;
+ warn_report("Deprecated use of unopened backing file without "
+ "explicit backing format, use of this image requires "
+ "potentially unsafe format probing");
}
if (size == -1) {
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index 6d438f1c8d41e19c4fc976d1c7da..638f1000cbd19a72aa456104446f 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -300,6 +300,26 @@ this CPU is also deprecated.
Related binaries
----------------
+qemu-img backing file without format (since 5.1)
+''''''''''''''''''''''''''''''''''''''''''''''''
+
+The use of ``qemu-img create``, ``qemu-img rebase``, or ``qemu-img
+convert`` to create or modify an image that depends on a backing file
+now recommends that an explicit backing format be provided. This is
+for safety: if QEMU probes a different format than what you thought,
+the data presented to the guest will be corrupt; similarly, presenting
+a raw image to a guest allows a potential security exploit if a future
+probe sees a non-raw image based on guest writes.
+
+To avoid the warning message, or even future refusal to create an
+unsafe image, you must pass ``-o backing_fmt=`` (or the shorthand
+``-F`` during create) to specify the intended backing format. You may
+use ``qemu-img rebase -u`` to retroactively add a backing format to an
+existing image. However, be aware that there are already potential
+security risks to blindly using ``qemu-img info`` to probe the format
+of an untrusted backing image, when deciding what format to add into
+an existing image.
+
Backwards compatibility
-----------------------
diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst
index cbfa1a8e31a69200c2bb97ddffb1..afadc8f7e0fc4e2377ee85d6166c 100644
--- a/docs/about/removed-features.rst
+++ b/docs/about/removed-features.rst
@@ -678,25 +678,6 @@ backing chain should be performed with ``qemu-img rebase -u`` either
before or after the remaining changes being performed by amend, as
appropriate.
-qemu-img backing file without format (removed in 6.1)
-'''''''''''''''''''''''''''''''''''''''''''''''''''''
-
-The use of ``qemu-img create``, ``qemu-img rebase``, or ``qemu-img
-convert`` to create or modify an image that depends on a backing file
-now requires that an explicit backing format be provided. This is
-for safety: if QEMU probes a different format than what you thought,
-the data presented to the guest will be corrupt; similarly, presenting
-a raw image to a guest allows a potential security exploit if a future
-probe sees a non-raw image based on guest writes.
-
-To avoid creating unsafe backing chains, you must pass ``-o
-backing_fmt=`` (or the shorthand ``-F`` during create) to specify the
-intended backing format. You may use ``qemu-img rebase -u`` to
-retroactively add a backing format to an existing image. However, be
-aware that there are already potential security risks to blindly using
-``qemu-img info`` to probe the format of an untrusted backing image,
-when deciding what format to add into an existing image.
-
Block devices
-------------
diff --git a/qemu-img.c b/qemu-img.c
index 3ebd09245290878c24c8f1412146..4da817857f3efccc2bd83297500b 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -2549,10 +2549,8 @@ static int img_convert(int argc, char **argv)
if (out_baseimg_param) {
if (!qemu_opt_get(opts, BLOCK_OPT_BACKING_FMT)) {
- error_report("Use of backing file requires explicit "
- "backing format");
- ret = -1;
- goto out;
+ warn_report("Deprecated use of backing file without explicit "
+ "backing format");
}
}
diff --git a/tests/qemu-iotests/040 b/tests/qemu-iotests/040
index f3677de9dfde326ad85515ec8bfa..ba7cb34ce8cf95df6fa63f9eb8f0 100755
--- a/tests/qemu-iotests/040
+++ b/tests/qemu-iotests/040
@@ -920,8 +920,8 @@ class TestCommitWithOverriddenBacking(iotests.QMPTestCase):
def setUp(self):
qemu_img('create', '-f', iotests.imgfmt, self.img_base_a, '1M')
qemu_img('create', '-f', iotests.imgfmt, self.img_base_b, '1M')
- qemu_img('create', '-f', iotests.imgfmt, '-b', self.img_base_a,
- '-F', iotests.imgfmt, self.img_top)
+ qemu_img('create', '-f', iotests.imgfmt, '-b', self.img_base_a, \
+ self.img_top)
self.vm = iotests.VM()
self.vm.launch()
diff --git a/tests/qemu-iotests/041 b/tests/qemu-iotests/041
index db9f5dc540e84c597d30521d4b6c..5cc02b24fc7a8be3d28e0e9737cb 100755
--- a/tests/qemu-iotests/041
+++ b/tests/qemu-iotests/041
@@ -1295,10 +1295,8 @@ class TestReplaces(iotests.QMPTestCase):
class TestFilters(iotests.QMPTestCase):
def setUp(self):
qemu_img('create', '-f', iotests.imgfmt, backing_img, '1M')
- qemu_img('create', '-f', iotests.imgfmt, '-b', backing_img,
- '-F', iotests.imgfmt, test_img)
- qemu_img('create', '-f', iotests.imgfmt, '-b', backing_img,
- '-F', iotests.imgfmt, target_img)
+ qemu_img('create', '-f', iotests.imgfmt, '-b', backing_img, test_img)
+ qemu_img('create', '-f', iotests.imgfmt, '-b', backing_img, target_img)
qemu_io('-c', 'write -P 1 0 512k', backing_img)
qemu_io('-c', 'write -P 2 512k 512k', test_img)
diff --git a/tests/qemu-iotests/114 b/tests/qemu-iotests/114
index de6fd327eea9e2ef5d21fc6fbf0b..43cb0bc6c3443a809f4dcd42ecce 100755
--- a/tests/qemu-iotests/114
+++ b/tests/qemu-iotests/114
@@ -44,16 +44,16 @@ _supported_os Linux
# qcow2.py does not work too well with external data files
_unsupported_imgopts data_file
-# Older qemu-img could set up backing file without backing format; modern
-# qemu can't but we can use qcow2.py to simulate older files.
+# Intentionally specify backing file without backing format; demonstrate
+# the difference in warning messages when backing file could be probed.
+# Note that only a non-raw probe result will affect the resulting image.
truncate -s $((64 * 1024 * 1024)) "$TEST_IMG.orig"
-_make_test_img -b "$TEST_IMG.orig" -F raw 64M
-$PYTHON qcow2.py "$TEST_IMG" del-header-ext 0xE2792ACA
+_make_test_img -b "$TEST_IMG.orig" 64M
TEST_IMG="$TEST_IMG.base" _make_test_img 64M
$QEMU_IMG convert -O qcow2 -B "$TEST_IMG.orig" "$TEST_IMG.orig" "$TEST_IMG"
-_make_test_img -b "$TEST_IMG.base" -F $IMGFMT 64M
-_make_test_img -u -b "$TEST_IMG.base" -F $IMGFMT 64M
+_make_test_img -b "$TEST_IMG.base" 64M
+_make_test_img -u -b "$TEST_IMG.base" 64M
# Set an invalid backing file format
$PYTHON qcow2.py "$TEST_IMG" add-header-ext 0xE2792ACA "foo"
@@ -64,9 +64,9 @@ _img_info
$QEMU_IO -c "open $TEST_IMG" -c "read 0 4k" 2>&1 | _filter_qemu_io | _filter_testdir
$QEMU_IO -c "open -o backing.driver=$IMGFMT $TEST_IMG" -c "read 0 4k" | _filter_qemu_io
-# Rebase the image, to show that backing format is required.
-($QEMU_IMG rebase -u -b "$TEST_IMG.base" "$TEST_IMG" 2>&1 && echo "unexpected pass") | _filter_testdir
-$QEMU_IMG rebase -u -b "$TEST_IMG.base" -F $IMGFMT "$TEST_IMG"
+# Rebase the image, to show that omitting backing format triggers a warning,
+# but probing now lets us use the backing file.
+$QEMU_IMG rebase -u -b "$TEST_IMG.base" "$TEST_IMG"
$QEMU_IO -c "open $TEST_IMG" -c "read 0 4k" 2>&1 | _filter_qemu_io | _filter_testdir
# success, all done
diff --git a/tests/qemu-iotests/114.out b/tests/qemu-iotests/114.out
index 6d638da266e495e8bed2fbcf919e..0a37d20c82a95d6d5ea9fc9635e7 100644
--- a/tests/qemu-iotests/114.out
+++ b/tests/qemu-iotests/114.out
@@ -1,9 +1,12 @@
QA output created by 114
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.orig backing_fmt=raw
+qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of raw)
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.orig
Formatting 'TEST_DIR/t.IMGFMT.base', fmt=IMGFMT size=67108864
-qemu-img: Use of backing file requires explicit backing format
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
+qemu-img: warning: Deprecated use of backing file without explicit backing format
+qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of IMGFMT)
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
+qemu-img: warning: Deprecated use of unopened backing file without explicit backing format, use of this image requires potentially unsafe format probing
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t.IMGFMT.base
image: TEST_DIR/t.IMGFMT
file format: IMGFMT
virtual size: 64 MiB (67108864 bytes)
@@ -14,7 +17,7 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Could not open backing file: Unknow
no file open, try 'help open'
read 4096/4096 bytes at offset 0
4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-qemu-img: Could not change the backing file to 'TEST_DIR/t.qcow2.base': Invalid argument
+qemu-img: warning: Deprecated use of backing file without explicit backing format, use of this image requires potentially unsafe format probing
read 4096/4096 bytes at offset 0
4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
*** done
diff --git a/tests/qemu-iotests/301 b/tests/qemu-iotests/301
index 220de1043fa5dcad8f8563a452c1..9f943cadbe24413c7f453101a6a9 100755
--- a/tests/qemu-iotests/301
+++ b/tests/qemu-iotests/301
@@ -3,7 +3,7 @@
#
# Test qcow backing file warnings
#
-# Copyright (C) 2020-2021 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -46,6 +46,7 @@ echo "== qcow backed by qcow =="
TEST_IMG="$TEST_IMG.base" _make_test_img $size
_make_test_img -b "$TEST_IMG.base" $size
+_img_info
_make_test_img -b "$TEST_IMG.base" -F $IMGFMT $size
_img_info
@@ -70,6 +71,7 @@ echo "== qcow backed by raw =="
rm "$TEST_IMG.base"
truncate --size=$size "$TEST_IMG.base"
_make_test_img -b "$TEST_IMG.base" $size
+_img_info
_make_test_img -b "$TEST_IMG.base" -F raw $size
_img_info
diff --git a/tests/qemu-iotests/301.out b/tests/qemu-iotests/301.out
index e280658191e1eba861b821fafa35..9004dad6392f4a0ec685fb4a80d1 100644
--- a/tests/qemu-iotests/301.out
+++ b/tests/qemu-iotests/301.out
@@ -2,7 +2,13 @@ QA output created by 301
== qcow backed by qcow ==
Formatting 'TEST_DIR/t.IMGFMT.base', fmt=IMGFMT size=33554432
-qemu-img: TEST_DIR/t.IMGFMT: Backing file specified without backing format
+qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of IMGFMT)
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
+image: TEST_DIR/t.IMGFMT
+file format: IMGFMT
+virtual size: 32 MiB (33554432 bytes)
+cluster_size: 512
+backing file: TEST_DIR/t.IMGFMT.base
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=IMGFMT
image: TEST_DIR/t.IMGFMT
file format: IMGFMT
@@ -30,7 +36,13 @@ cluster_size: 512
backing file: TEST_DIR/t.IMGFMT.base
== qcow backed by raw ==
-qemu-img: TEST_DIR/t.IMGFMT: Backing file specified without backing format
+qemu-img: warning: Deprecated use of backing file without explicit backing format (detected format of raw)
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 backing_file=TEST_DIR/t.IMGFMT.base
+image: TEST_DIR/t.IMGFMT
+file format: IMGFMT
+virtual size: 32 MiB (33554432 bytes)
+cluster_size: 512
+backing file: TEST_DIR/t.IMGFMT.base
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=raw
image: TEST_DIR/t.IMGFMT
file format: IMGFMT

4
bundles.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6c7cd08fed3f27504bf167bf5e157f1368c41b7d0882b42d3d0c0c53794a4029
size 33996
oid sha256:e1267f7401e278289c62e2e2a84617e3b89a9ce1ca6d96391adf116e2ab96c8e
size 40764

10
qemu.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Thu Sep 2 19:17:19 UTC 2021 - José Ricardo Ziviani <jose.ziviani@suse.com>
- Keep qemu-img without backing format still deprecated
(bsc#1190135)
* Patches added:
Revert-qemu-img-Improve-error-for-rebase.patch
Revert-qemu-img-Require-F-with-b-backing.patch
- Update the support files to reflect the deprecation.
-------------------------------------------------------------------
Tue Aug 31 12:34:39 UTC 2021 - José Ricardo Ziviani <jose.ziviani@suse.com>

4
qemu.spec
View File

@ -177,6 +177,8 @@ Patch00041: usb-Help-compiler-out-to-avoid-a-warning.patch
Patch00042: qom-handle-case-of-chardev-spice-module-.patch
Patch00043: doc-add-our-support-doc-to-the-main-proj.patch
Patch00044: qemu-binfmt-conf.sh-allow-overriding-SUS.patch
Patch00045: Revert-qemu-img-Improve-error-for-rebase.patch
Patch00046: Revert-qemu-img-Require-F-with-b-backing.patch
# Patches applied in roms/seabios/:
Patch01000: seabios-use-python2-explicitly-as-needed.patch
Patch01001: seabios-switch-to-python3-as-needed.patch
@ -1112,6 +1114,8 @@ This package records qemu testsuite results and represents successful testing.
%patch00043 -p1
%endif
%patch00044 -p1
%patch00045 -p1
%patch00046 -p1
%patch01000 -p1
%patch01001 -p1
%patch01002 -p1

4
supported.arm.txt
View File

@ -152,6 +152,10 @@ Deprecated, Superseded, Modified and Dropped Features
removed features are also tracked in the "System Emulation" section of the
documentation installed with the qemu package.
- qemu-img: Deprecate use of -b without -F. Creating an image that requires
format probing of the backing image is potentially unsafe and is now
deprecated.
- Aspeed swift-bmc machine is deprecated. It can be easily replaced by the
witherspoon-bmc or the romulus-bmc machines.

4
supported.s390.txt
View File

@ -148,6 +148,10 @@ Deprecated, Superseded, Modified and Dropped Features
removed features are also tracked in the "System Emulation" section of the
documentation installed with the qemu package.
- qemu-img: Deprecate use of -b without -F. Creating an image that requires
format probing of the backing image is potentially unsafe and is now
deprecated.
- The previously non-persistent backing file with pmem=on is deprecated. Modify
VM configuration to set pmem=off to continue using fake NVDIMM with backing
file or move backing file to NVDIMM storage and keep pmem=on.

4
supported.x86.txt
View File

@ -171,6 +171,10 @@ Deprecated, Superseded, Modified and Dropped Features
removed features are also tracked in the "System Emulation" section of the
documentation installed with the qemu package.
- qemu-img: Deprecate use of -b without -F. Creating an image that requires
format probing of the backing image is potentially unsafe and is now
deprecated.
- When no video adapter is specified, the default used is stdvga. This differs
from the default of prior releases which was cirrus. The cirrus adapter was
considered too outdated to continue to use as the default.