Bug 444583 (CVE-2008-2004)

Summary: CVE-2008-2004 qemu/kvm/xen: qemu block format auto-detection vulnerability
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: armbru, bburns, berrange, clalance, dwmw2, eteo, hdegoede, security-response-team, sundaram, veillard, xen-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-11 09:03:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 444700, 444701    
Bug Blocks:    
Attachments:
Description Flags
Proposed patch for kvm from Chris Wright
none
Proposed patch for qemu from Chris Wright and Aurelien Jarno none

Description Jan Lieskovsky 2008-04-29 11:23:20 UTC 
Description of problem:

Chris Wright has reported the following kvm qemu block format issue:

<cite>

It is possible for a guest with a raw formatted disk image to write a
header to that disk image describing another format (such as qcow2).
Stopping and subsequent restart of the guest will cause qemu to detect
that format, and could allow the guest to read any host file if qemu is
sufficiently privileged (typical in virt environments).

The patch defaults to existing behaviour (probing based on file contents),
so it still requires the mgmt app (e.g. libvirt xml) to pass a new
"format=raw" parameter for raw disk images.

</cite>
Comment 3 Tomas Hoger 2008-04-29 11:33:44 UTC 
Created attachment 304107 [details]
Proposed patch for kvm from Chris Wright
Comment 4 Tomas Hoger 2008-04-29 11:35:03 UTC 
Created attachment 304108 [details]
Proposed patch for qemu from Chris Wright and Aurelien Jarno

Committed in upstream SVN:

http://svn.savannah.nongnu.org/viewvc/trunk/vl.c?root=qemu&r1=4266&r2=4277
http://svn.savannah.nongnu.org/viewvc/trunk/vl.c?root=qemu&r1=4278&r2=4279
Comment 5 Tomas Hoger 2008-04-29 11:46:57 UTC 
Proposed patch adds additional parameter -- format=XXX -- to -drive command line
option used by qemu(-kvm), but format auto-detection is still the default.  So
by itself, the patch does not resolve the issue.

Users will have to specify parameter 'format=raw' explicitly if they are running
qemu(-kvm) directly and they use disks with raw format.  Adding support for this
new option to libvirt should probably be considered.
Comment 7 Chris Lalancette 2009-09-11 09:03:51 UTC 
This was fixed in all of the relevant streams, so closing out this tracker but as CURRENTRELEASE.

Chris Lalancette