From nobody Mon Sep 16 19:03:04 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1719938532; cv=none; d=zohomail.com; s=zohoarc; b=OxtwHMmmPqefy8xzBg0vJAtsMfWBcPGvdtKWI5tzIUJIwP1zGAoAv3w/HHUi6xGgss5s4jqYSfA2LT3WMVQPFvHgPjDvbiZ1Gw5DuMvrC0c+pxOGqKvJ8M5yln2B/FU46WmfdNu5QywPGSUPqEBoymik89+3PJzEmPXELzP+zNc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1719938532; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=0sszMcQ9HKCsFtPXabnsiH9GPa27av1dB9YF+5jtJfU=; b=DZHvwkQANoKfNUm7wSEhGt7BNPrcm4nMnfJWZlrbaMdND4i9w6MIXX9/HPrBPACHmL2th0llSIAhWEvwmg59hJlCFu8ng20AtBhiMP+rhH2z8YtxZdMh3epcLH+MkJPGIiZyGr5YHb/nY8/hYCk6kFq8eONw8c+wbmh9jsxWPpY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1719938532587249.48005119696938; Tue, 2 Jul 2024 09:42:12 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sOgYI-0005py-Gv; Tue, 02 Jul 2024 12:40:22 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sOgYD-0005ne-1c for qemu-devel@nongnu.org; Tue, 02 Jul 2024 12:40:18 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sOgY3-0008Oz-7M for qemu-devel@nongnu.org; Tue, 02 Jul 2024 12:40:16 -0400 Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-681-94qxzfOONoK38G1qoMJnfA-1; Tue, 02 Jul 2024 12:40:03 -0400 Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 2099D196CDE1; Tue, 2 Jul 2024 16:40:02 +0000 (UTC) Received: from merkur.redhat.com (unknown [10.39.192.206]) by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id D3E4819560AE; Tue, 2 Jul 2024 16:39:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1719938406; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0sszMcQ9HKCsFtPXabnsiH9GPa27av1dB9YF+5jtJfU=; b=Ih5wc/zW+EAenX67Iz2LWfyo09EM2qTqAM94Glxkbk0o0sBEUdW5jXqLDvJilt8lVnhqk6 48zk2O6fq+DSfOWvfUrpS5pBR4nfbJbta0h1AD+Ebbkp/znqMsvk/H4tL5gKAnsQbcmKDk Bf1irtPXmfDYavI4MV8V2RoNy+2XHuo= X-MC-Unique: 94qxzfOONoK38G1qoMJnfA-1 From: Kevin Wolf To: qemu-block@nongnu.org Cc: kwolf@redhat.com, richard.henderson@linaro.org, hreitz@redhat.com, eblake@redhat.com, stefanha@redhat.com, qemu-devel@nongnu.org, qemu-stable@nongnu.org Subject: [PULL 1/4] qcow2: Don't open data_file with BDRV_O_NO_IO Date: Tue, 2 Jul 2024 18:39:40 +0200 Message-ID: <20240702163943.276618-2-kwolf@redhat.com> In-Reply-To: <20240702163943.276618-1-kwolf@redhat.com> References: <20240702163943.276618-1-kwolf@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kwolf@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1719938532936100003 Content-Type: text/plain; charset="utf-8" One use case for 'qemu-img info' is verifying that untrusted images don't reference an unwanted external file, be it as a backing file or an external data file. To make sure that calling 'qemu-img info' can't already have undesired side effects with a malicious image, just don't open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do I/O, we don't need to have it open. This changes the output of iotests case 061, which used 'qemu-img info' to show that opening an image with an invalid data file fails. After this patch, it succeeds. Replace this part of the test with a qemu-io call, but keep the final 'qemu-img info' to show that the invalid data file is correctly displayed in the output. Fixes: CVE-2024-4467 Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf Reviewed-by: Eric Blake Reviewed-by: Stefan Hajnoczi Reviewed-by: Hanna Czenczek --- block/qcow2.c | 17 ++++++++++++++++- tests/qemu-iotests/061 | 6 ++++-- tests/qemu-iotests/061.out | 8 ++++++-- 3 files changed, 26 insertions(+), 5 deletions(-) diff --git a/block/qcow2.c b/block/qcow2.c index 10883a2494..70b19730a3 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -1636,7 +1636,22 @@ qcow2_do_open(BlockDriverState *bs, QDict *options, = int flags, goto fail; } =20 - if (open_data_file) { + if (open_data_file && (flags & BDRV_O_NO_IO)) { + /* + * Don't open the data file for 'qemu-img info' so that it can be = used + * to verify that an untrusted qcow2 image doesn't refer to extern= al + * files. + * + * Note: This still makes has_data_file() return true. + */ + if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) { + s->data_file =3D NULL; + } else { + s->data_file =3D bs->file; + } + qdict_extract_subqdict(options, NULL, "data-file."); + qdict_del(options, "data-file"); + } else if (open_data_file) { /* Open external data file */ bdrv_graph_co_rdunlock(); s->data_file =3D bdrv_co_open_child(NULL, options, "data-file", bs, diff --git a/tests/qemu-iotests/061 b/tests/qemu-iotests/061 index 53c7d428e3..b71ac097d1 100755 --- a/tests/qemu-iotests/061 +++ b/tests/qemu-iotests/061 @@ -326,12 +326,14 @@ $QEMU_IMG amend -o "data_file=3Dfoo" "$TEST_IMG" echo _make_test_img -o "compat=3D1.1,data_file=3D$TEST_IMG.data" 64M $QEMU_IMG amend -o "data_file=3Dfoo" "$TEST_IMG" -_img_info --format-specific +$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt +$QEMU_IO -c "open -o data-file.filename=3D$TEST_IMG.data,file.filename=3D$= TEST_IMG" -c "read 0 4k" | _filter_qemu_io TEST_IMG=3D"data-file.filename=3D$TEST_IMG.data,file.filename=3D$TEST_IMG"= _img_info --format-specific --image-opts =20 echo $QEMU_IMG amend -o "data_file=3D" --image-opts "data-file.filename=3D$TEST= _IMG.data,file.filename=3D$TEST_IMG" -_img_info --format-specific +$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt +$QEMU_IO -c "open -o data-file.filename=3D$TEST_IMG.data,file.filename=3D$= TEST_IMG" -c "read 0 4k" | _filter_qemu_io TEST_IMG=3D"data-file.filename=3D$TEST_IMG.data,file.filename=3D$TEST_IMG"= _img_info --format-specific --image-opts =20 echo diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out index 139fc68177..24c33add7c 100644 --- a/tests/qemu-iotests/061.out +++ b/tests/qemu-iotests/061.out @@ -545,7 +545,9 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D671= 08864 qemu-img: data-file can only be set for images that use an external data f= ile =20 Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D67108864 data_file=3DT= EST_DIR/t.IMGFMT.data -qemu-img: Could not open 'TEST_DIR/t.IMGFMT': Could not open 'foo': No suc= h file or directory +qemu-io: can't open device TEST_DIR/t.IMGFMT: Could not open 'foo': No suc= h file or directory +read 4096/4096 bytes at offset 0 +4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) image: TEST_DIR/t.IMGFMT file format: IMGFMT virtual size: 64 MiB (67108864 bytes) @@ -560,7 +562,9 @@ Format specific information: corrupt: false extended l2: false =20 -qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'data-file' is required for = this image +qemu-io: can't open device TEST_DIR/t.IMGFMT: 'data-file' is required for = this image +read 4096/4096 bytes at offset 0 +4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) image: TEST_DIR/t.IMGFMT file format: IMGFMT virtual size: 64 MiB (67108864 bytes) --=20 2.45.2 From nobody Mon Sep 16 19:03:04 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1719938532; cv=none; d=zohomail.com; s=zohoarc; b=WQaMH07AaBn4rAcdjnd73VGR4mCUkQsicCo7w5r8uTp7RYi/FzKBrXPM4/QFtiO7tS3aYDdoRQOyTwO/hrKXZeICxQ5nSRpCWQkka3BlKcINGDbIag/jddQKBG0oJBVmc05pcbOkelSx+mNuoXnvJm3D21my4rMVmWbdNjChmww= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1719938532; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=oxGSJWJdT1tuYYeevSiIyl83n8PhmxBCYbBIreUSDxg=; b=nNaEdLvXX7eEf5mzBB4nrdoZOc13UwRtbuZNpY51ipCRLJZDiomV7oZLeExMwUQl8KVBYkvr81thIx1XjwrAJL9bFwYkWjf90ljRrIsls2cehxg0L8SkIOnEtWFIv2GpZq7ajycra6pZ6z3huhdqbylgodp4zazAvKtHt2GeCF0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 171993853279531.63458119794177; Tue, 2 Jul 2024 09:42:12 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sOgYE-0005nm-BF; Tue, 02 Jul 2024 12:40:18 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sOgYA-0005nB-L2 for qemu-devel@nongnu.org; Tue, 02 Jul 2024 12:40:14 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sOgY6-0008PJ-0T for qemu-devel@nongnu.org; Tue, 02 Jul 2024 12:40:12 -0400 Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-517-R-mH694RNCukfjG7t9lWOA-1; Tue, 02 Jul 2024 12:40:07 -0400 Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 01D501955E7D; Tue, 2 Jul 2024 16:40:05 +0000 (UTC) Received: from merkur.redhat.com (unknown [10.39.192.206]) by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 7C6EA19560AD; Tue, 2 Jul 2024 16:40:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1719938408; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=oxGSJWJdT1tuYYeevSiIyl83n8PhmxBCYbBIreUSDxg=; b=eclsm5JJJVSRWTJQTLWdFhWDPRgffhRyn4Bwd1myifTcP0p7sbeasspRJoEls2QBhydlDK gpGFEjQqYzOXmaHKrQLYYtLNjQIdoy1fsf1JcRr96palWJ/bdIiHdKH/5kJINoZ0sKmbnK NQ52AcT0rrTZvkIfJkISiLAjh8jz7E8= X-MC-Unique: R-mH694RNCukfjG7t9lWOA-1 From: Kevin Wolf To: qemu-block@nongnu.org Cc: kwolf@redhat.com, richard.henderson@linaro.org, hreitz@redhat.com, eblake@redhat.com, stefanha@redhat.com, qemu-devel@nongnu.org, qemu-stable@nongnu.org Subject: [PULL 2/4] iotests/244: Don't store data-file with protocol in image Date: Tue, 2 Jul 2024 18:39:41 +0200 Message-ID: <20240702163943.276618-3-kwolf@redhat.com> In-Reply-To: <20240702163943.276618-1-kwolf@redhat.com> References: <20240702163943.276618-1-kwolf@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=kwolf@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1719938534882100017 Content-Type: text/plain; charset="utf-8" We want to disable filename parsing for data files because it's too easy to abuse in malicious image files. Make the test ready for the change by passing the data file explicitly in command line options. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf Reviewed-by: Eric Blake Reviewed-by: Stefan Hajnoczi Reviewed-by: Hanna Czenczek --- tests/qemu-iotests/244 | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/tests/qemu-iotests/244 b/tests/qemu-iotests/244 index 3e61fa25bb..bb9cc6512f 100755 --- a/tests/qemu-iotests/244 +++ b/tests/qemu-iotests/244 @@ -215,9 +215,22 @@ $QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_I= MG.src" "$TEST_IMG" $QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG" =20 # blkdebug doesn't support copy offloading, so this tests the error path -$QEMU_IMG amend -f $IMGFMT -o "data_file=3Dblkdebug::$TEST_IMG.data" "$TES= T_IMG" -$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG" -$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG" +test_img_with_blkdebug=3D"json:{ + 'driver': 'qcow2', + 'file': { + 'driver': 'file', + 'filename': '$TEST_IMG' + }, + 'data-file': { + 'driver': 'blkdebug', + 'image': { + 'driver': 'file', + 'filename': '$TEST_IMG.data' + } + } +}" +$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$test_img_w= ith_blkdebug" +$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$test_img_with_bl= kdebug" =20 echo echo "=3D=3D=3D Flushing should flush the data file =3D=3D=3D" --=20 2.45.2 From nobody Mon Sep 16 19:03:04 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1719938532; cv=none; d=zohomail.com; s=zohoarc; b=UHrQ0D+SoAJsMHYt2tucl1KqDexYhV6q9uM8Y+PVfdXp8qgvgzhI2OKVRyfzOryv4b2viqW948d/bsXOMmCGSkZYCaWEepU9H0ekeSy6cLpI7siW7sSQgueXsDsxIUlL1sUCzPLgazikym4ubhIj+AjxsIhl34Z/NXHFM1yiOGQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1719938532; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=IuvqgqvZpc9QZjDHiqWBEWq/Br6y0CM8OiQCxZHzy68=; b=keL2lDvvhtRSooC5WUvav2LveM16+KaCiV+PCG2JY7LWkP+16sohXgo0WpzFzDXSpv5PppNuS/U2if4tS8KQWCOyonaJ+8nDGfcSxgfWAxO/A9SIz/EIcqJDi+SvSYSatF2Ei/70+C5MnfIZEm/4iTRW54Psr1sWwLn0MKy+x9c= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1719938532711845.0237752739323; Tue, 2 Jul 2024 09:42:12 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sOgYH-0005qE-D6; Tue, 02 Jul 2024 12:40:21 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sOgYC-0005nZ-Or for qemu-devel@nongnu.org; Tue, 02 Jul 2024 12:40:17 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sOgYA-0008Qi-Ca for qemu-devel@nongnu.org; Tue, 02 Jul 2024 12:40:15 -0400 Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-618-RGPdsKUIOgy3jPbrAjKKBw-1; Tue, 02 Jul 2024 12:40:09 -0400 Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id DC3021944D3D; Tue, 2 Jul 2024 16:40:07 +0000 (UTC) Received: from merkur.redhat.com (unknown [10.39.192.206]) by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 225D71955E95; Tue, 2 Jul 2024 16:40:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1719938413; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=IuvqgqvZpc9QZjDHiqWBEWq/Br6y0CM8OiQCxZHzy68=; b=CsMgHMtiz+xaqRwYcgx+KZM1xfKo/oi4dC1YGQy4iLOzEbBqsiBi1qCiJFcpQspjgI+PP6 jiiMXAvfHUVszsm9XA8YuJxtx5hU2Uxf7I3GXycyMyONMOpG61vT1isCNJaIv3Uujzboun BNfbvJQGDKOOSDahVHHiTWFKs6AZIKY= X-MC-Unique: RGPdsKUIOgy3jPbrAjKKBw-1 From: Kevin Wolf To: qemu-block@nongnu.org Cc: kwolf@redhat.com, richard.henderson@linaro.org, hreitz@redhat.com, eblake@redhat.com, stefanha@redhat.com, qemu-devel@nongnu.org, qemu-stable@nongnu.org Subject: [PULL 3/4] iotests/270: Don't store data-file with json: prefix in image Date: Tue, 2 Jul 2024 18:39:42 +0200 Message-ID: <20240702163943.276618-4-kwolf@redhat.com> In-Reply-To: <20240702163943.276618-1-kwolf@redhat.com> References: <20240702163943.276618-1-kwolf@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kwolf@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1719938532919100001 Content-Type: text/plain; charset="utf-8" We want to disable filename parsing for data files because it's too easy to abuse in malicious image files. Make the test ready for the change by passing the data file explicitly in command line options. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf Reviewed-by: Eric Blake Reviewed-by: Stefan Hajnoczi Reviewed-by: Hanna Czenczek --- tests/qemu-iotests/270 | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/tests/qemu-iotests/270 b/tests/qemu-iotests/270 index 74352342db..c37b674aa2 100755 --- a/tests/qemu-iotests/270 +++ b/tests/qemu-iotests/270 @@ -60,8 +60,16 @@ _make_test_img -o cluster_size=3D2M,data_file=3D"$TEST_I= MG.orig" \ # "write" 2G of data without using any space. # (qemu-img create does not like it, though, because null-co does not # support image creation.) -$QEMU_IMG amend -o data_file=3D"json:{'driver':'null-co',,'size':'42949672= 96'}" \ - "$TEST_IMG" +test_img_with_null_data=3D"json:{ + 'driver': '$IMGFMT', + 'file': { + 'filename': '$TEST_IMG' + }, + 'data-file': { + 'driver': 'null-co', + 'size':'4294967296' + } +}" =20 # This gives us a range of: # 2^31 - 512 + 768 - 1 =3D 2^31 + 255 > 2^31 @@ -74,7 +82,7 @@ $QEMU_IMG amend -o data_file=3D"json:{'driver':'null-co',= ,'size':'4294967296'}" \ # on L2 boundaries, we need large L2 tables; hence the cluster size of # 2 MB. (Anything from 256 kB should work, though, because then one L2 # table covers 8 GB.) -$QEMU_IO -c "write 768 $((2 ** 31 - 512))" "$TEST_IMG" | _filter_qemu_io +$QEMU_IO -c "write 768 $((2 ** 31 - 512))" "$test_img_with_null_data" | _f= ilter_qemu_io =20 _check_test_img =20 --=20 2.45.2 From nobody Mon Sep 16 19:03:04 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1719938532; cv=none; d=zohomail.com; s=zohoarc; b=Y+Yi76A4k6LeVVFtxFiZpSwNKNn9EJlAcx8Dohcm+zBVFqfmOvsAGnUMWw2q+nrTITCkjDGqM+pUU32EBlSvMAECoEYSm2ph3DSGRZJxRDg1eluKmqNrrieKcrXSP8Nim1BSgxWeLyFbas5nmPqin91nUpGKYkkPkvCA+F8k6eA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1719938532; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=zWVX6cfWRQvvKI/3LXmG+yhgq8BUqI5XgdFlDNcxlOk=; b=d3bgA7kz+WkpzmzUg4nIKW+vQvidQJBwLpzU/Ho7wxVH5rx0oEB9tOQEHTnjAoBgcvjJycGlIT/SrgzNdfkHV7i23tVkdqx4SOnzbjXFbiiGplIUXh9Io8FACn5dGPOE2U5Crez+FUBENxvJk71TwLRXWDVSkYYSIs5vwL2yz0s= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1719938532759305.46976127597384; Tue, 2 Jul 2024 09:42:12 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sOgYI-0005rd-CY; Tue, 02 Jul 2024 12:40:22 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sOgYE-0005ok-OC for qemu-devel@nongnu.org; Tue, 02 Jul 2024 12:40:18 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sOgYC-0008Rh-By for qemu-devel@nongnu.org; Tue, 02 Jul 2024 12:40:18 -0400 Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-144-DayalJDOOaek8AoOjWF7GA-1; Tue, 02 Jul 2024 12:40:12 -0400 Received: from mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 34275196CE1C; Tue, 2 Jul 2024 16:40:11 +0000 (UTC) Received: from merkur.redhat.com (unknown [10.39.192.206]) by mx-prod-int-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 24F5819560AD; Tue, 2 Jul 2024 16:40:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1719938415; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zWVX6cfWRQvvKI/3LXmG+yhgq8BUqI5XgdFlDNcxlOk=; b=OwWLm3N0VIUyKqGVakhOeDKHHb/wyX2t8Ja6xicVfdNrGnViKUp6phDWBnNahw8U6wUIlj oXQZuDf7Fu8WOn834XJSddK4RixtwfoKB02T3uPK6ACMyeZ5oJUDkBBsMAxnpvHtoF2TVk 82LqJMVvwdAgIl47RXxjflS+o3CtcCc= X-MC-Unique: DayalJDOOaek8AoOjWF7GA-1 From: Kevin Wolf To: qemu-block@nongnu.org Cc: kwolf@redhat.com, richard.henderson@linaro.org, hreitz@redhat.com, eblake@redhat.com, stefanha@redhat.com, qemu-devel@nongnu.org, qemu-stable@nongnu.org Subject: [PULL 4/4] block: Parse filenames only when explicitly requested Date: Tue, 2 Jul 2024 18:39:43 +0200 Message-ID: <20240702163943.276618-5-kwolf@redhat.com> In-Reply-To: <20240702163943.276618-1-kwolf@redhat.com> References: <20240702163943.276618-1-kwolf@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.40 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=kwolf@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1719938534912100018 Content-Type: text/plain; charset="utf-8" When handling image filenames from legacy options such as -drive or from tools, these filenames are parsed for protocol prefixes, including for the json:{} pseudo-protocol. This behaviour is intended for filenames that come directly from the command line and for backing files, which may come from the image file itself. Higher level management tools generally take care to verify that untrusted images don't contain a bad (or any) backing file reference; 'qemu-img info' is a suitable tool for this. However, for other files that can be referenced in images, such as qcow2 data files or VMDK extents, the string from the image file is usually not verified by management tools - and 'qemu-img info' wouldn't be suitable because in contrast to backing files, it already opens these other referenced files. So here the string should be interpreted as a literal local filename. More complex configurations need to be specified explicitly on the command line or in QMP. This patch changes bdrv_open_inherit() so that it only parses filenames if a new parameter parse_filename is true. It is set for the top level in bdrv_open(), for the file child and for the backing file child. All other callers pass false and disable filename parsing this way. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf Reviewed-by: Eric Blake Reviewed-by: Stefan Hajnoczi Reviewed-by: Hanna Czenczek --- block.c | 90 ++++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 57 insertions(+), 33 deletions(-) diff --git a/block.c b/block.c index c1cc313d21..c317de9eaa 100644 --- a/block.c +++ b/block.c @@ -86,6 +86,7 @@ static BlockDriverState *bdrv_open_inherit(const char *fi= lename, BlockDriverState *parent, const BdrvChildClass *child_cla= ss, BdrvChildRole child_role, + bool parse_filename, Error **errp); =20 static bool bdrv_recurse_has_child(BlockDriverState *bs, @@ -2055,7 +2056,8 @@ static void parse_json_protocol(QDict *options, const= char **pfilename, * block driver has been specified explicitly. */ static int bdrv_fill_options(QDict **options, const char *filename, - int *flags, Error **errp) + int *flags, bool allow_parse_filename, + Error **errp) { const char *drvname; bool protocol =3D *flags & BDRV_O_PROTOCOL; @@ -2097,7 +2099,7 @@ static int bdrv_fill_options(QDict **options, const c= har *filename, if (protocol && filename) { if (!qdict_haskey(*options, "filename")) { qdict_put_str(*options, "filename", filename); - parse_filename =3D true; + parse_filename =3D allow_parse_filename; } else { error_setg(errp, "Can't specify 'file' and 'filename' options = at " "the same time"); @@ -3660,7 +3662,8 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDic= t *parent_options, } =20 backing_hd =3D bdrv_open_inherit(backing_filename, reference, options,= 0, bs, - &child_of_bds, bdrv_backing_role(bs), e= rrp); + &child_of_bds, bdrv_backing_role(bs), t= rue, + errp); if (!backing_hd) { bs->open_flags |=3D BDRV_O_NO_BACKING; error_prepend(errp, "Could not open backing file: "); @@ -3694,7 +3697,8 @@ free_exit: static BlockDriverState * bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref= _key, BlockDriverState *parent, const BdrvChildClass *child_c= lass, - BdrvChildRole child_role, bool allow_none, Error **errp) + BdrvChildRole child_role, bool allow_none, + bool parse_filename, Error **errp) { BlockDriverState *bs =3D NULL; QDict *image_options; @@ -3725,7 +3729,8 @@ bdrv_open_child_bs(const char *filename, QDict *optio= ns, const char *bdref_key, } =20 bs =3D bdrv_open_inherit(filename, reference, image_options, 0, - parent, child_class, child_role, errp); + parent, child_class, child_role, parse_filename, + errp); if (!bs) { goto done; } @@ -3735,6 +3740,33 @@ done: return bs; } =20 +static BdrvChild *bdrv_open_child_common(const char *filename, + QDict *options, const char *bdref= _key, + BlockDriverState *parent, + const BdrvChildClass *child_class, + BdrvChildRole child_role, + bool allow_none, bool parse_filen= ame, + Error **errp) +{ + BlockDriverState *bs; + BdrvChild *child; + + GLOBAL_STATE_CODE(); + + bs =3D bdrv_open_child_bs(filename, options, bdref_key, parent, child_= class, + child_role, allow_none, parse_filename, errp); + if (bs =3D=3D NULL) { + return NULL; + } + + bdrv_graph_wrlock(); + child =3D bdrv_attach_child(parent, bs, bdref_key, child_class, child_= role, + errp); + bdrv_graph_wrunlock(); + + return child; +} + /* * Opens a disk image whose options are given as BlockdevRef in another bl= ock * device's options. @@ -3758,27 +3790,15 @@ BdrvChild *bdrv_open_child(const char *filename, BdrvChildRole child_role, bool allow_none, Error **errp) { - BlockDriverState *bs; - BdrvChild *child; - - GLOBAL_STATE_CODE(); - - bs =3D bdrv_open_child_bs(filename, options, bdref_key, parent, child_= class, - child_role, allow_none, errp); - if (bs =3D=3D NULL) { - return NULL; - } - - bdrv_graph_wrlock(); - child =3D bdrv_attach_child(parent, bs, bdref_key, child_class, child_= role, - errp); - bdrv_graph_wrunlock(); - - return child; + return bdrv_open_child_common(filename, options, bdref_key, parent, + child_class, child_role, allow_none, fal= se, + errp); } =20 /* - * Wrapper on bdrv_open_child() for most popular case: open primary child = of bs. + * This does mostly the same as bdrv_open_child(), but for opening the pri= mary + * child of a node. A notable difference from bdrv_open_child() is that it + * enables filename parsing for protocol names (including json:). * * @parent can move to a different AioContext in this function. */ @@ -3793,8 +3813,8 @@ int bdrv_open_file_child(const char *filename, role =3D parent->drv->is_filter ? (BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY) : BDRV_CHILD_IMAGE; =20 - if (!bdrv_open_child(filename, options, bdref_key, parent, - &child_of_bds, role, false, errp)) + if (!bdrv_open_child_common(filename, options, bdref_key, parent, + &child_of_bds, role, false, true, errp)) { return -EINVAL; } @@ -3839,7 +3859,8 @@ BlockDriverState *bdrv_open_blockdev_ref(BlockdevRef = *ref, Error **errp) =20 } =20 - bs =3D bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, err= p); + bs =3D bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, fal= se, + errp); obj =3D NULL; qobject_unref(obj); visit_free(v); @@ -3929,7 +3950,7 @@ static BlockDriverState * no_coroutine_fn bdrv_open_inherit(const char *filename, const char *reference, QDict *opti= ons, int flags, BlockDriverState *parent, const BdrvChildClass *child_class, BdrvChildRole child_r= ole, - Error **errp) + bool parse_filename, Error **errp) { int ret; BlockBackend *file =3D NULL; @@ -3977,9 +3998,11 @@ bdrv_open_inherit(const char *filename, const char *= reference, QDict *options, } =20 /* json: syntax counts as explicit options, as if in the QDict */ - parse_json_protocol(options, &filename, &local_err); - if (local_err) { - goto fail; + if (parse_filename) { + parse_json_protocol(options, &filename, &local_err); + if (local_err) { + goto fail; + } } =20 bs->explicit_options =3D qdict_clone_shallow(options); @@ -4004,7 +4027,8 @@ bdrv_open_inherit(const char *filename, const char *r= eference, QDict *options, parent->open_flags, parent->options); } =20 - ret =3D bdrv_fill_options(&options, filename, &flags, &local_err); + ret =3D bdrv_fill_options(&options, filename, &flags, parse_filename, + &local_err); if (ret < 0) { goto fail; } @@ -4073,7 +4097,7 @@ bdrv_open_inherit(const char *filename, const char *r= eference, QDict *options, =20 file_bs =3D bdrv_open_child_bs(filename, options, "file", bs, &child_of_bds, BDRV_CHILD_IMAGE, - true, &local_err); + true, true, &local_err); if (local_err) { goto fail; } @@ -4222,7 +4246,7 @@ BlockDriverState *bdrv_open(const char *filename, con= st char *reference, GLOBAL_STATE_CODE(); =20 return bdrv_open_inherit(filename, reference, options, flags, NULL, - NULL, 0, errp); + NULL, 0, true, errp); } =20 /* Return true if the NULL-terminated @list contains @str */ --=20 2.45.2