All of lore.kernel.org
 help / color / mirror / Atom feed
From: Anthony PERARD <anthony.perard@citrix.com>
To: George Dunlap <george.dunlap@citrix.com>
Cc: Ian Jackson <ian.jackson@citrix.com>,
	Wei Liu <wei.liu2@citrix.com>,
	xen-devel@lists.xenproject.org
Subject: Re: [RFC 1/4] libxl: Learned to send FD through QMP to QEMU
Date: Tue, 27 Mar 2018 12:49:52 +0100	[thread overview]
Message-ID: <20180327114952.GD2208@perard> (raw)
In-Reply-To: <af22f104-0239-ca16-0b2a-7d5e137f1760@citrix.com>

On Tue, Mar 27, 2018 at 11:58:45AM +0100, George Dunlap wrote:
> On 03/27/2018 11:29 AM, Ian Jackson wrote:
> > This 2nd patch looks reasonable, but it prompted to notice two new
> > kinds of hazard introduced by the deprivileging design goal:
> > 
> >>  int libxl__qmp_save(libxl__gc *gc, int domid, const char *filename, bool live)
> >>  {
> > ...
> >> +    rc = qmp_synchronous_send(qmp, "add-fd", NULL,
> >> +                              qmp_fdset_add_fd_callback, &new_fdset,
> >> +                              qmp->timeout);
> >> +    if (rc)
> >> +        goto out;
> > 
> > By this point, a depriv'd qemu must be assumed to be compromised by
> > its guest - ie we must treat it as hostile.
> > 
> > This is not consistent with use of qmp_synchronous_send, because
> > qmp_synchronous_send will block with both the domain and ctx locks
> > held.  That is, a malicious qemu can deny service; it even has the
> > ability to prevent its serviced domain from being destroyed.
> 
> Will qmp_synchronous_send() wait forever, or is there a timeout?

There is some kind of timeout, but I'm not sure it is true at all time.

This is a few functions that does handle connection/send/receive:
- qmp_open()
  this one as a 5s timeout on connecting to the socket.
- qmp_send()
  This use write/sendmsg with no timeout, but the fd is set to
  O_NONBLOCK.
- qmp_next()
  This function use select with a 5s timeout, so read should not block.
  But I think the timout is reset every time something have been read
  from the socket.

So I guess a malicious qemu could have the qmp_next() function wait
forever.

Also I think every time a "response" or an "event" is processed,
qmp_next() will return, and qmp_synchronous_send() will call qmp_next
again until it got the response it is waiting for.

So a few opportunity to wait forever.

-- 
Anthony PERARD

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

  reply	other threads:[~2018-03-27 11:49 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-03-26 18:33 [RFC 0/4] libxl: Enable save/restore/migration of a restricted QEMU Anthony PERARD
2018-03-26 18:33 ` [RFC 1/4] libxl: Learned to send FD through QMP to QEMU Anthony PERARD
2018-03-27 10:29   ` Ian Jackson
2018-03-27 10:58     ` George Dunlap
2018-03-27 11:49       ` Anthony PERARD [this message]
2018-04-16 16:11     ` Anthony PERARD
2018-03-26 18:33 ` [RFC 2/4] libxl: Have QEMU save its state to a file descriptor Anthony PERARD
2018-03-26 18:34 ` [RFC 3/4] libxl_qmp: Implement query-status command Anthony PERARD
2018-03-26 18:34 ` [RFC 4/4] HACK libxl_exec: Check QEMU status via QMP instead of xenstore Anthony PERARD
2018-03-27 10:36   ` Ian Jackson
2018-03-27 11:13     ` Anthony PERARD
2018-03-27 13:43       ` Ian Jackson
2018-03-27 14:20         ` Anthony PERARD
2018-03-27 14:48           ` Ian Jackson
2018-03-27 17:58             ` Anthony PERARD

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180327114952.GD2208@perard \
    --to=anthony.perard@citrix.com \
    --cc=george.dunlap@citrix.com \
    --cc=ian.jackson@citrix.com \
    --cc=wei.liu2@citrix.com \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.