All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Michael S. Tsirkin" <mst@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org, "Thomas Huth" <thuth@redhat.com>,
	"Alex Bennée" <alex.bennee@linaro.org>,
	"Cédric Le Goater" <clg@redhat.com>,
	"Peter Maydell" <peter.maydell@linaro.org>,
	"Mauro Matteo Cascella" <mcascell@redhat.com>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Pierrick Bouvier" <pierrick.bouvier@oss.qualcomm.com>
Subject: Re: [PATCH] docs: outline some guidelines for security classification
Date: Thu, 16 Jul 2026 16:47:48 -0400	[thread overview]
Message-ID: <20260716164043-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20260707105927.2776822-1-berrange@redhat.com>

On Tue, Jul 07, 2026 at 11:59:27AM +0100, Daniel P. Berrangé wrote:
> +* **memory allocation bounds**. There are many ways in which a QEMU
> +  process can legitimately consume an amount of memory that is
> +  significantly larger than the assigned guest RAM. QEMU's worst
> +  case memory usage should be considered effectively unbounded.

This really is a bug we need to fix at some point.

> As
> +  such the QEMU deployment on the host should account for the
> +  possibility of large memory peaks and apply countermeasures to
> +  provide continuity of host operations.


Well it does not look like existing management stacks do much of this,
perhaps because when we say qemu memory is unbounded
the result is you can't limit memory using cgroups without risk of
qemu dying on oom.


> It is typical for the Linux
> +  OOM killer to reap the process triggering host memory overcommit
> +  in the case of exccessive usage, offering a degree of protection.

Yes but what degree?
At least on my box, it seems to kill firefox at about 50% of time (

> +  As such, bugs which can lead to excessive/unbounded memory allocations
> +  will usually not be classified as security flaws, but should be
> +  fixed as hardening bugs.
>

should we classify guest driven memory leaks and guest driven
memory spikes differently?


> +* **degraded guest behaviour**. There are a set of bugs which can
> +  lead guest hardware devices to misbehave. For example, a flawed
> +  virtual IOMMU operation may not offer the guest device isolation
> +  that would otherwise be expected. If a guest triggered exploit
> +  requires kernel privileges (or root account access), and leads
> +  to sub-optimal behaviour of the virtual device this is considered
> +  a self inflicted service degradation. These will **not** be
> +  treated as security flaws, at most hardening bugs. If triggernig
> +  the code path can be done by an unprivileged guest OS account,
> +  this may justify handling as a security bug.
> +
> +* **nested virtualization**. The scope for nested virtualization
> +  is to prevent a level 2 guest from breaking out into a level
> +  1 guest. As noted above, a number of scenarios exclude security
> +  handling for flaws only exploitable by the guest kernel / root
> +  account with affect the guest's own service/availability. In the
> +  context of nested virtualization with PCI device assignment, it
> +  may may be possible for a level 2 guest kernel to trigger flaws
> +  that affect the level 0 QEMU process. While these bugs should be
> +  fixed, they will not be triaged as security flaws at this time.
> +
> +* **low severity impact**. As a catch all rule, issues which
> +  are judged to have a "low" severity impact on the system will
> +  usually not justify handling as security bugs, nor assignment
> +  of CVEs. They will be fixed as routine bugs when time allows.
> +
>  Architecture
>  ------------
>  
> -- 
> 2.55.0



      parent reply	other threads:[~2026-07-16 20:48 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-07 10:59 [PATCH] docs: outline some guidelines for security classification Daniel P. Berrangé
2026-07-07 12:16 ` Thomas Huth
2026-07-07 12:20 ` Cédric Le Goater
2026-07-07 12:35 ` John Levon
2026-07-07 17:11   ` Daniel P. Berrangé
2026-07-07 12:43 ` Marc-André Lureau
2026-07-07 13:43   ` Michael S. Tsirkin
2026-07-07 16:35   ` Daniel P. Berrangé
2026-07-16 14:08     ` Fabiano Rosas
2026-07-16 15:27       ` Daniel P. Berrangé
2026-07-16 18:34         ` Fabiano Rosas
2026-07-16 15:40       ` Peter Xu
2026-07-16 18:51         ` Fabiano Rosas
2026-07-16 19:56           ` Peter Xu
2026-07-07 16:28 ` Mauro Matteo Cascella
2026-07-07 16:29   ` Daniel P. Berrangé
2026-07-16 20:47 ` Michael S. Tsirkin [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260716164043-mutt-send-email-mst@kernel.org \
    --to=mst@redhat.com \
    --cc=alex.bennee@linaro.org \
    --cc=berrange@redhat.com \
    --cc=clg@redhat.com \
    --cc=marcandre.lureau@redhat.com \
    --cc=mcascell@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=philmd@linaro.org \
    --cc=pierrick.bouvier@oss.qualcomm.com \
    --cc=qemu-devel@nongnu.org \
    --cc=thuth@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.