From nobody Sun Feb 8 20:37:56 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 205.139.110.120 as permitted sender) client-ip=205.139.110.120; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-1.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.120 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) by mx.zohomail.com with SMTPS id 1581959707582776.2172709881322; Mon, 17 Feb 2020 09:15:07 -0800 (PST) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-393--4FAnrj3O96Sqm98Fc6Dhw-1; Mon, 17 Feb 2020 12:14:38 -0500 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 6AD86107ACCD; Mon, 17 Feb 2020 17:14:31 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3C2D360BFB; Mon, 17 Feb 2020 17:14:31 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id E5A601832DF3; Mon, 17 Feb 2020 17:14:30 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 01HHECmE018730 for ; Mon, 17 Feb 2020 12:14:12 -0500 Received: by smtp.corp.redhat.com (Postfix) id 5019010001AE; Mon, 17 Feb 2020 17:14:12 +0000 (UTC) Received: from angien.redhat.com (unknown [10.43.2.48]) by smtp.corp.redhat.com (Postfix) with ESMTP id C97C410021B2 for ; Mon, 17 Feb 2020 17:14:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1581959706; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=qXvZOYnmGHe+Tb7/qEP071Jbqro1Joxt0wRH38W2WSs=; b=XD+87TlaqpkDKdl94JDGjn+DsJOhpgLQDXbaW1PtOMwyEL2vuQzgIqED0EXE/u87UpinGr pa8D76wuiek0mEeRiRUxhdGlxxieCoBYO4tqbvezcmBEH0t7U7+puA0sDZjd4lb4DlYQer iXjidwLY5SxQ57G2NzFJuxmg6ONW1vg= From: Peter Krempa To: libvir-list@redhat.com Subject: [PATCH 8/9] virStorageFileGetMetadataRecurse: Allow format probing under special circumstances Date: Mon, 17 Feb 2020 18:13:58 +0100 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-MC-Unique: -4FAnrj3O96Sqm98Fc6Dhw-1 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" Allow format probing to work around lazy clients which did not specify their format in the overlay. Format probing will be allowed only, if we are able to probe the image, the probing result was successful and the probed image does not have any backing or data file. This relaxes the restrictions which were imposed in commit 3615e8b39bad in cases when we know that the image probing will not result in security issues or data corruption. We perform the image format detection and in the case that we were able to probe the format and the format does not specify a backing store (or doesn't support backing store) we can use this format. With pre-blockdev configurations this will restore the previous behaviour for the images mentioned above as qemu would probe the format anyways. It also improves error reporting compared to the old state as we now report that the backing chain will be broken in case when there is a backing file. In blockdev configurations this ensures that libvirt will not cause data corruption by ending the chain prematurely without notifying the user, but still allows the old semantics when the users forgot to specify the format. The price for this is that libvirt will need to keep the image format detector still current and working or replace it by invocation of qemu-img. Signed-off-by: Peter Krempa --- src/util/virstoragefile.c | 52 ++++++++++++++++++++++----------------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index b984204b93..bbdf7be094 100644 --- a/src/util/virstoragefile.c +++ b/src/util/virstoragefile.c @@ -5010,6 +5010,7 @@ virStorageFileGetMetadataRecurse(virStorageSourcePtr = src, virHashTablePtr cycle, unsigned int depth) { + virStorageFileFormat orig_format =3D src->format; size_t headerLen; int backingFormat; int rv; @@ -5020,10 +5021,17 @@ virStorageFileGetMetadataRecurse(virStorageSourcePt= r src, NULLSTR(src->path), src->format, (unsigned int)uid, (unsigned int)gid); + if (src->format =3D=3D VIR_STORAGE_FILE_AUTO_SAFE) + src->format =3D VIR_STORAGE_FILE_AUTO; + /* exit if we can't load information about the current image */ rv =3D virStorageFileSupportsBackingChainTraversal(src); - if (rv <=3D 0) + if (rv <=3D 0) { + if (orig_format =3D=3D VIR_STORAGE_FILE_AUTO) + return -2; + return rv; + } if (virStorageFileGetMetadataRecurseReadHeader(src, parent, uid, gid, &buf, &headerLen, cycle= ) < 0) @@ -5032,6 +5040,18 @@ virStorageFileGetMetadataRecurse(virStorageSourcePtr= src, if (virStorageFileGetMetadataInternal(src, buf, headerLen, &backingFor= mat) < 0) return -1; + /* If we probed the format we MUST ensure that nothing else than the c= urrent + * image (this includes both backing files and external data store) is + * considered for security labelling and/or recursion. */ + if (orig_format =3D=3D VIR_STORAGE_FILE_AUTO) { + if (src->backingStoreRaw || src->externalDataStoreRaw) { + src->format =3D VIR_STORAGE_FILE_RAW; + VIR_FREE(src->backingStoreRaw); + VIR_FREE(src->externalDataStoreRaw); + return -2; + } + } + if (src->backingStoreRaw) { if ((rv =3D virStorageSourceNewFromBacking(src, &backingStore)) < = 0) return -1; @@ -5042,33 +5062,21 @@ virStorageFileGetMetadataRecurse(virStorageSourcePt= r src, backingStore->format =3D backingFormat; - if (backingStore->format =3D=3D VIR_STORAGE_FILE_AUTO) { - /* Assuming the backing store to be raw can lead to failures. = We do - * it only when we must not report an error to prevent losing = VMs. - * Otherwise report an error. - */ - if (report_broken) { + if ((rv =3D virStorageFileGetMetadataRecurse(backingStore, parent, + uid, gid, + report_broken, + cycle, depth + 1)) < 0)= { + if (!report_broken) + return 0; + + if (rv =3D=3D -2) { virReportError(VIR_ERR_OPERATION_INVALID, _("format of backing image '%s' of image '%= s' was not specified in the image metadata " "(See https://libvirt.org/kbase/backing_c= hains.html for troubleshooting)"), src->backingStoreRaw, NULLSTR(src->path)); - return -1; } - backingStore->format =3D VIR_STORAGE_FILE_RAW; - } - - if (backingStore->format =3D=3D VIR_STORAGE_FILE_AUTO_SAFE) - backingStore->format =3D VIR_STORAGE_FILE_AUTO; - - if (virStorageFileGetMetadataRecurse(backingStore, parent, - uid, gid, - report_broken, - cycle, depth + 1) < 0) { - if (report_broken) - return -1; - else - return 0; + return -1; } backingStore->id =3D depth; --=20 2.24.1