Category Archives: Uncategorized

NBD over AF_VSOCK

How do you talk to a virtual machine from the host? How does the virtual machine talk to the host? In one sense the answer is obvious: virtual machines should be thought of just like regular machines so you use the network. However the connection between host and guest is a bit more special. Suppose you want to pass a host directory up to the guest? You could use NFS, but that’s sucky to set up and you’ll have to fiddle around with firewalls and ports. Suppose you run a guest agent reporting stats back to the hypervisor. How do they talk? Network, sure, but again that requires an extra network interface and the guest has to explicitly set up firewall rules.

A few years ago my colleague Stefan Hajnoczi ported VMware’s vsock to qemu. It’s a pure guest⟷host (and guest⟷guest) sockets API. It doesn’t use regular networks so no firewall issues or guest network configuration to worry about.

You can run NFS over vsock [PDF] if you want.

And now you can of course run NBD over vsock. nbdkit supports it, and libnbd is (currently the only!) client.

Leave a comment

Filed under Uncategorized

Music with the Synthstrom Deluge

I bought a Deluge a while back, and I’ve owned synthesizers and kaossilators and all kinds of other things for years. The Deluge is several things: expensive, awkward to use, but (with practice) it can make some reasonable music. Here are some ambient tunes I’ve written with it:

Soundscape (with Japanese TV)

Trips

Cookie Sunday

Sunday Bells

I’m not going to pretend that any of this is good music, but it’s a lot of fun to make.

Leave a comment

Filed under Uncategorized

libnbd + FUSE = nbdfuse

I’ve talked before about libnbd, our NBD client library. New in libnbd 1.2 is a tool called nbdfuse which lets you turn NBD servers into virtual files.

A couple of weeks ago I mentioned you can use libnbd as a C library to edit qcow2 files. Now you can turn qcow2 files into virtual raw files:

$ mkdir dir
$ nbdfuse dir/file.raw \
      --socket-activation qemu-nbd -f qcow2 file.qcow2
$ ls -l dir/
total 0
-rw-rw-rw-. 1 nbd nbd 1073741824 Jan  1 10:10 file.raw

Reads and writes to file.raw are backed by the original qcow2 file which is updated in real time.

Another fun thing to do is to use nbdkit, xz filter and curl to turn xz-compressed remote disk images into uncompressed local files:

$ mkdir dir
$ nbdfuse dir/disk.img \
      --command nbdkit -s curl --filter=xz \
                       http://builder.libguestfs.org/fedora-30.xz
$ ls -l dir/
total 0
-rw-rw-rw-. 1 nbd nbd 6442450944 Jan  1 10:10 disk.img
$ file dir/disk.img
dir/disk.img: DOS/MBR boot sector
$ qemu-system-x86_64 -m 4G \
      -drive file=dir/disk.img,format=raw,if=virtio,snapshot=on

Leave a comment

Filed under Uncategorized

Using American Fuzzy Lop on network clients

Previously I’ve fuzzed hivex and nbdkit using my favourite fuzzing tool, Michał Zalewski’s American Fuzzy Lop (AFL).

AFL works by creating test cases which are files on disk, and then feeding those to programs which have been specially compiled so that AFL can trace into them and find out which parts of the code are run by the test case. It then adjusts the test cases and repeats, aiming to run more parts of the code and find ways to crash the program.

This works well for programs that parse files (like hivex, but also binary parsers of all sorts and XML parsers and similar). It can also be used to fuzz some servers where you can feed a file to the server and discard anything the server sends back. In nbdkit we can use the nbdkit -s option to do exactly this, making it easy to fuzz.

However it’s not obvious how you could use this to fuzz network clients. As readers will know we’ve been writing a new NBD client library called libnbd. But can we fuzz this? And find bugs? As it happens yes, and ooops — yes — AFL found a remote code execution bug allowing complete takeover of the client by a malicious server.

The trick to fuzzing a network client is to do the server thing in reverse. We set up a phony server which feeds the test case back to the client socket, while discarding anything that the client writes:

libnbd.svg

This is wrapped up into a single wrapper program which takes the test case on the command line and forks itself to make the client and server sides connected by a socket. This allows easy integration into an AFL workflow.

We found our Very Serious Bug within 3 days of fuzzing.

Leave a comment

Filed under Uncategorized

And another boot sector hack

This is Sakura by Řrřola. I have modified it very slightly to turn it into a boot sector program.

sakura

You can run it like this. Note it takes a few seconds to start up.

nbdkit data data="
  49 192 49 219 185 255 0 190 0 1 191 254 255 189 28 9 176 19 205 16 
  104 0 160 7 0 198 142 234 186 200 3 137 200 238 66 238 208 232 238 
  208 232 238 226 240 49 255 214 101 134 5 8 192 117 8 107 199 255 193 
  248 9 12 64 170 9 255 117 235 140 196 228 64 12 1 107 192 85 128 204 
  128 80 9 228 120 245 177 255 81 140 198 133 100 6 116 104 184 255 255 
  137 243 140 199 57 247 116 32 133 101 6 116 27 87 86 80 49 237 177 3 
  173 43 5 247 232 1 213 175 226 246 88 94 95 57 232 114 3 149 137 251 
  131 239 8 120 215 137 68 6 177 3 173 43 7 209 248 107 208 128 112 249 
  107 237 85 137 234 0 240 41 68 254 67 67 226 232 131 238 6 131 108 2 
  176 139 68 4 193 232 11 89 81 128 249 208 114 4 122 2 4 160 232 18 0 
  131 238 8 120 142 89 228 96 60 1 224 132 15 133 86 255 205 32 139 28 
  193 251 7 15 190 108 3 191 9 0 193 233 5 41 207 137 250 137 249 96 1 
  213 1 203 105 253 64 1 141 185 226 159 101 56 5 115 3 101 136 5 97 
  226 232 74 117 227 195 @0x1fe 0x55 0xAA
" --run 'qemu-system-i386 -hda $nbd'

Leave a comment

Filed under Uncategorized

Another NBD boot sector hack

war

I was shown a link to an incredible 64 byte MS-DOS demo called into war by HellMood/DESiRE.

It doesn’t actually depend on MS-DOS however, using only BIOS calls and PC hardware, so it was easy to turn it into a boot sector. We can use nbdkit-data-plugin to run it from the command line:

nbdkit data data="
  49 192 80 185 255 0 190 0 1 191 254 255 189 28 9 20 19 186 48 3 243
  110 205 16 184 79 12 230 64 226 247 31 104 0 165 7 184 205 204 247
  231 137 232 128 238 246 246 246 146 44 127 246 234 2 22 108 4 146 48
  198 246 238 212 9 156 157 44 116 170 175 235 220 201 56 153 70 103 81
  127 @0x1fe 0x55 0xAA" --run 'qemu-system-i386 -hda $nbd'

Previously …

1 Comment

Filed under Uncategorized

How to edit a qcow2 file from C

Suppose you want to edit or read or write the data inside a qcow2 file? One way is to use libguestfs, and that’s the recommended way if you need to mount a filesystem inside the file.

But for accessing the data blocks alone, you can now use the libnbd API and qemu-nbd together and this has a couple of advantages: It’s faster and you can open snapshots (which libguestfs cannot do).

We start by creating a libnbd handle and connecting it to a qemu-nbd instance. The qemu-nbd instance is linked with qemu’s internal drivers that know how to read and write qcow2.

  const char *filename;
  struct nbd_handle *nbd;

  nbd = nbd_create ();
  if (nbd == NULL) {
    fprintf (stderr, "%s\n", nbd_get_error ());
    exit (EXIT_FAILURE);
  }

  char *args[] = {
    "qemu-nbd", "-f", "qcow2",
    // "-s", snapshot,
    (char *) filename,
    NULL
  };
  if (nbd_connect_systemd_socket_activation (nbd, args) == -1) {
    fprintf (stderr, "%s\n", nbd_get_error ());
    exit (EXIT_FAILURE);
  }

Now you can get the virtual size:

  int64_t size = nbd_get_size (nbd);
  printf ("virtual size = %" PRIi64 "\n", size);

Or read and write sectors from the file:

  if (nbd_pread (nbd, buf, sizeof buf, 0, 0) == -1) {
    fprintf (stderr, "%s\n", nbd_get_error ());
    exit (EXIT_FAILURE);
  }

Once you’re done with the file, call nbd_close on the handle which will also shut down the qemu-nbd process.

A complete example can be found here.

1 Comment

Filed under Uncategorized