qemu-nbd format-guessing due to missing format specification
The qemu-nbd tool (shipped in the Xen hypervisor tools distribution as qemu-nbd-xen) autodetects the image format.
If a particular disk image is intended to be raw, a guest operating system administrator could write a header to the image, describing another format than original one. This could lead to a scenario in which after restart of that guest, qemu-nbd would detect the new apparent format of the image, including a specified backing file or device, which could allow the guest to read any file on the host.
Add -f FMT / –format FMT arg to qemu-nbd
Currently the qemu-nbd program will auto-detect the format of any disk it is given. This behaviour is known to be insecure. For example, if qemu-nbd initially exposes a ‘raw’ file to an unprivileged app, and that app runs
qemu-img create -f qcow2 -o backing_file=/etc/shadow /dev/nbd0'
then the next time the app is started, the qemu-nbd will now detect it as a ‘qcow2’ file and expose /etc/shadow to the unprivileged app.
The only way to avoid this is to explicitly tell qemu-nbd what disk format to use on the command line, completely disabling auto-detection. This patch adds a ‘-f’ / ‘–format’ arg for this purpose, mirroring what is already available via qemu-img and qemu commands.
qemu-nbd --format raw -p 9000 evil.img
will now always use raw, regardless of what format ‘evil.img’ looks like it contains
If qemu-nbd is used, a malicious guest administrator may be able to read any file on the host, depending exactly how.