From: Michael Tokarev <mjt@tls.msk.ru>
To: Jamie Lokier <jamie@shareable.org>
Cc: Anthony Liguori <anthony@codemonkey.ws>,
Mark McLoughlin <markmc@redhat.com>,
Scott Tsai <scottt.tw@gmail.com>, kvm <kvm@vger.kernel.org>,
Dustin Kirkland <kirkland@canonical.com>,
Rusty Russell <rusty@rustcorp.com.au>,
qemu-devel <qemu-devel@nongnu.org>,
jdstrand@canonical.com,
Marc Deslauriers <marc.deslauriers@canonical.com>,
kees.cook@canonical.com
Subject: Re: [Qemu-devel] Re: [PATCH] whitelist host virtio networking features [was Re: qemu-kvm-0.11 regression, crashes on older ...]
Date: Mon, 02 Nov 2009 21:20:05 +0300
Message-ID: <4AEF22D5.3040702@msgid.tls.msk.ru>
In-Reply-To: <20091102155228.GB9655@shareable.org>
Jamie Lokier wrote:
> Anthony Liguori wrote:
>> Mark McLoughlin wrote:
>>>> Canonical's Ubuntu Security Team will be filing a CVE on this issue,
>>>> since there is a bit of an attack vector here, and since
>>>> qemu-kvm-0.11.0 is generally available as an official release (and now
>>>> part of Ubuntu 9.10).
>>>>
>>>> Guests running linux <= 2.6.25 virtio-net (e.g Ubuntu 8.04 hardy) on
>>>> top of qemu-kvm-0.11.0 can be remotely crashed by a non-privileged
>>>> network user flooding an open port on the guest. The crash happens in
>>>> a manner that abruptly terminates the guest's execution (ie, without
>>>> shutting down cleanly). This may affect the guest filesystem's
>>>> general happiness.
>>>>
>>> IMHO, the CVE should be against the 2.6.25 virtio drivers - the bug is
>>> in the guest and the issue we're discussing here is just a hacky
>>> workaround for the guest bug.
>>>
>> Yeah, I'm inclined to agree. The guest generates bad data and we exit.
>> exit()ing is probably not wonderful but it's a well understood behavior.
>>
>> The fundamental bug here is in the guest, not in qemu.
>
> Guests should never be able to crash or terminate qemu, unless they
> call something that is intentionally an "exit qemu" hook for the
> guest. And even that should be possible to disable.
Well, if your buggy NIC driver does something wrong programming
the hardware (like the famous r8169 did - it allocated less
buffer space than it told the card, so the card was happily
overwriting unrelated kernel memory with content received from
the network), you will most likely get a machine which does not
respond to external events, a stuck machine, until you hit the
"reset" button (provided there is one) or toggle power.
Or just a reboot, depending on what exactly you've hit.
If you want kvm to behave like this, wrap it into a trivial
shell script that restarts the guest.
/mjt
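The "trivial shell script that restarts the guest" suggested above, written out as an added example (it is not code from the thread or from qemu-kvm). It assumes the guest is started by a single command line passed as arguments (the qemu-system-x86_64 invocation in the usage comment is a placeholder); the restart cap and exponential back-off are additions, because in the scenario under discussion the crash is triggered by a remote user flooding a port, so an uncapped loop would let that user keep the guest bouncing indefinitely. A clean exit (status 0, e.g. "quit" from the monitor or a guest power-off) ends the loop; anything else is treated as an abnormal termination and restarted.

```shell
#!/bin/sh
# Added example: supervise a qemu/kvm guest and restart it when the
# emulator exits abnormally. Not part of qemu-kvm; the command line
# you pass in is whatever you normally use to start the guest.
#
# Usage (hypothetical guest command line):
#   ./supervise.sh qemu-system-x86_64 -m 512 -hda guest.img \
#       -net nic,model=virtio -net tap
#
# MAX_RESTARTS and BASE_DELAY may be overridden from the environment.
MAX_RESTARTS=${MAX_RESTARTS:-5}   # give up after this many abnormal exits
BASE_DELAY=${BASE_DELAY:-1}       # seconds before the first restart; doubles each time

# supervise CMD [ARGS...]
# Runs CMD; on a non-zero exit, waits and runs it again, up to MAX_RESTARTS
# times with exponential back-off. Returns 0 on a clean exit of the guest,
# or the last abnormal exit status once the restart budget is exhausted.
supervise() {
    restarts=0
    delay=$BASE_DELAY
    while :; do
        status=0
        "$@" || status=$?          # "|| status=$?" keeps this safe under set -e
        if [ "$status" -eq 0 ]; then
            echo "supervise: guest exited cleanly" >&2
            return 0
        fi
        restarts=$((restarts + 1))
        if [ "$restarts" -gt "$MAX_RESTARTS" ]; then
            echo "supervise: giving up after $MAX_RESTARTS restarts (last exit status $status)" >&2
            return "$status"
        fi
        echo "supervise: abnormal exit (status $status); restart $restarts of $MAX_RESTARTS in ${delay}s" >&2
        sleep "$delay"
        delay=$((delay * 2))
    done
}

# Only act as a supervisor when given a command; sourcing the file just
# defines the function.
if [ $# -gt 0 ]; then
    supervise "$@"
fi
```

Note that this only reproduces the "stuck machine gets power-cycled" behaviour; it does nothing about the underlying guest driver bug, and a guest that never shuts down cleanly (no ACPI, no monitor "quit") will always look like an abnormal exit to the loop, so set MAX_RESTARTS deliberately.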