From: Ilya Leoshkevich
To: Alex Bennée, Laurent Vivier, Peter Maydell, Richard Henderson, David Hildenbrand
Cc: Philippe Mathieu-Daudé, qemu-devel@nongnu.org, qemu-arm@nongnu.org, qemu-s390x@nongnu.org, Ilya Leoshkevich
Subject: [PATCH v3 7/8] docs: Document security implications of debugging
Date: Tue, 6 Jun 2023 15:27:42 +0200
Message-Id: <20230606132743.1386003-8-iii@linux.ibm.com>
In-Reply-To: <20230606132743.1386003-1-iii@linux.ibm.com>
References: <20230606132743.1386003-1-iii@linux.ibm.com>

Now that the GDB stub explicitly implements reading host files (note
that it was already possible by changing the emulated code to open and
read those files), concerns may arise that it undermines security.
Document the status quo, which is that the users are already
responsible for securing the GDB connection themselves.

Reviewed-by: Alex Bennée
Signed-off-by: Ilya Leoshkevich
--- docs/system/gdb.rst | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/system/gdb.rst b/docs/system/gdb.rst index 7d3718deefb..9906991b841 100644 --- a/docs/system/gdb.rst +++ b/docs/system/gdb.rst 
@@ -214,3 +214,18 @@ The memory mode can be checked by sending the following command: ``maintenance packet Qqemu.PhyMemMode:0`` This will change it back to normal memory mode. + +Security considerations +======================= + +Connecting to the GDB socket allows running arbitrary code inside the guest; +in case of the TCG emulation, which is not considered a security boundary, this +also means running arbitrary code on the host. Additionally, when debugging +qemu-user, it allows directly downloading any file readable by QEMU from the +host. + +The GDB socket is not protected by authentication, authorization or encryption. +It is therefore a responsibility of the user to make sure that only authorized +clients can connect to it, e.g., by using a unix socket with proper +permissions, or by opening a TCP socket only on interfaces that are not +reachable by potential attackers. -- 2.40.1
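
Review bot: In the second added paragraph, the TCP mitigation ("opening a TCP socket only on interfaces that are not reachable by potential attackers") gives the reader nothing to act on: it does not say which address the stub listens on when no host is given, and it shows neither a loopback-bound nor a unix-socket form of the option. Please add that, or a cross-reference to the part of gdb.rst that documents the socket syntax. In the first added paragraph, the host code execution statement is scoped to "the TCG emulation"; one sentence on what holds for other accelerators would keep readers from inferring that the socket is safe to expose there, since the guest code execution in the first clause applies in every case. Nit: "a responsibility of the user" reads better as "the responsibility of the user".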