All of lore.kernel.org
 help / color / mirror / Atom feed
* XSA-152 follow-up: log levels for guest related messages
@ 2015-10-29 13:51 Jan Beulich
  2015-10-30 18:47 ` Andrew Cooper
  0 siblings, 1 reply; 2+ messages in thread
From: Jan Beulich @ 2015-10-29 13:51 UTC (permalink / raw)
  To: xen-devel

All,

in the course of auditing other code in the context of that
security issue my attention was caught by the various printk()s
issued by domain_crash() or around and alike. Within the security
team we discussed this and decided that a few not rate limited
messages per second (resulting from a possibly auto-restarting
guest) are not really a security issue, yet I still wanted to bring
this up for wider discussion: Would any such printk()s better use
a guest log level, thus making them rate limited by default?

Thanks for opinions,
Jan

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: XSA-152 follow-up: log levels for guest related messages
  2015-10-29 13:51 XSA-152 follow-up: log levels for guest related messages Jan Beulich
@ 2015-10-30 18:47 ` Andrew Cooper
  0 siblings, 0 replies; 2+ messages in thread
From: Andrew Cooper @ 2015-10-30 18:47 UTC (permalink / raw)
  To: Jan Beulich, xen-devel

On 29/10/15 13:51, Jan Beulich wrote:
> All,
>
> in the course of auditing other code in the context of that
> security issue my attention was caught by the various printk()s
> issued by domain_crash() or around and alike. Within the security
> team we discussed this and decided that a few not rate limited
> messages per second (resulting from a possibly auto-restarting
> guest) are not really a security issue, yet I still wanted to bring
> this up for wider discussion: Would any such printk()s better use
> a guest log level, thus making them rate limited by default?

There are a number of actions which end up in a domain crash.  Some are
from guest actions, but some are from Xen failing to look after state
properly.

XenServer has always had domain ratelimiting.  If a VM crashes or
reboots within 5s of starting, it will be shut down as opposed to rebooting.

xl doesn't have any such behaviour.  As such, it is extraordinarily
difficult to stop a runaway triple-faulting domain with xl.  `xl
destroy` doesn't work as the domid changes frequently and domain name
appears and disappears, leading to TOCTOU races. The best I found was
locate the xl process used to create the domain originally and kill it,
then using xl destroy to clean up the remnants.

Putting domain_crash() printks into ratelimit by default runs the risk
of hiding information pertinent to debugging a crash.

IMO, if "rate of printk()s" is a concern, then the fix is to prevent the
guest wildly restarting, not to hide information.

~Andrew

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-10-30 18:47 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-10-29 13:51 XSA-152 follow-up: log levels for guest related messages Jan Beulich
2015-10-30 18:47 ` Andrew Cooper

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.