From: Fabiano Rosas <farosas@suse.de>
To: Peter Xu <peterx@redhat.com>
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
qemu-devel@nongnu.org, "Thomas Huth" <thuth@redhat.com>,
"Alex Bennée" <alex.bennee@linaro.org>,
"Cédric Le Goater" <clg@redhat.com>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Mauro Matteo Cascella" <mcascell@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Pierrick Bouvier" <pierrick.bouvier@oss.qualcomm.com>
Subject: Re: [PATCH] docs: outline some guidelines for security classification
Date: Thu, 16 Jul 2026 21:21:53 -0300 [thread overview]
Message-ID: <87a4rq4g9q.fsf@suse.de> (raw)
In-Reply-To: <alk3U6P_W0z-XNF1@x1.local>
Peter Xu <peterx@redhat.com> writes:
> On Thu, Jul 16, 2026 at 03:51:31PM -0300, Fabiano Rosas wrote:
>> > I wonder if we can simply above 5 points into something simpler, or skip
>> > for now? To me, what is out of scope is more valuable to be put into doc,
>> > because I bet 99% if not all of existing "security issues" on migration in
>> > past few months fall into it.. so it saves huge time already for triaging.
>>
>> I want to reduce the guesswork both when reporting issues and when
>> triaging. People tend to sit around and imagine infinite scenarios, it's
>> not productive.
>>
>> This section is so we can point at it and ask for some indication of any
>> of the points above. Otherwise we'll get the random bug report saying
>> that weird behavior was achieved, therefore CVE. These are the
>> situations I could think of that would obviously be worthy of further
>> consideration.
>>
>> Could you expand on why you think this is not worth having? I don't
>> think I understand it.
>
> I didn't expect to point to a bug report into "IN SCOPE" category. IMHO,
> the major use case for the doc is to point a bug report into "OUT OF SCOPE"
> category.. then we can easily justify an issue to be not a CVE candidate.
>
> When it is a real security issue, we likely need to evaluate it case by
> case, but first it needs to not directly fall int OUT OF SCOPE first.
>
> I think it could be that I hardly have any real experience with a legit
> security report versus migration yet, but we have richer experience on
> "what we don't think is a security issue, but only a bug" thanks to AI.. so
> NOT IN SCOPE is easier to list to me than IN SCOPE ones.
>
I see.
> Neither do I have very clear idea after reading the five examples given.
>
> To make it clearer on what I meant, I can start by asking some questions on
> the five examples listed IN SCOPE. You don't need to answer all, or
> maybe.. no need to answer any of them, just to show my confusions on
> reading the examples (hence the request of simplifications, or removal, at
> first version).
>
Thanks, let's see if I can defend myself! =)
>> 1) Privilege escalation from the guest operating system into the
>> destination QEMU process or host.
>
> Do you mean any form of guest operation to cause privilege escalation?
> Obviously, it must be about during a live migration happening, otherwise I
> don't see how it is relevant to migration, but then is this only talking
> about a postcopy use case (where dest QEMU has vCPU running)? After all,
> precopy migration guest operations all done on source, so if there's any
> privilege escalation, it needs to happen on source host first.
>
> Also, I am a bit lost on why this is special for migration. Such issue can
> happen on any host without migration. It's a bit unclear to me.
>
I mean when the guest OS does some trickery that gets propagated to the
destination machine via migration and the person controlling that guest
gets privileges on the QEMU process on the destination. Injecting a
payload of some sort, or setting up a device to allow later
exploitation.
>>
>> 2) Tampering or exfiltration of migration stream data by a third party
>> at a lower privilege level than either QEMU processes involved in the
>> migration.
>
> If we have the ASSUMPTION describing migration stream is secure, why do we
> worry about third party hijacking migration stream? Someone already
> breached?
>
We assume the stream is secure, but there could still be a bug in the
migration code that allows a thirdy party to read the stream. As for
"tampering", you're right that's probably already covered by the
assumptions we made earlier.
>>
>> 3) Termination of the source QEMU process by source virtual machine
>> guest userspace, including by forcing host OS resource constraints to
>> be reached.
>
> This is also not clear on how it correlates to migration, because IIUC this
> can also happen without migration. Maybe it's trying to catch the cases
> where it only can be attacked during migration?
>
Yes, say the userspace inside the guest does something that causes the
migration code to crash when qmp_migrate is issued, for instance. I'm
not saying it's a simple thing to happen, just that IF it happens, then
we have already reasoned about it and agreed that it has the potential
to become a CVE.
> What is "guest userspace"? Is that the userspace of the guest OS?
>
Yes, assuming the OS itself already has ways to shoot itself in the foot
by tampering with devices. But the userspace is in another layer, it
could attempt to do bad things to the OS.
>>
>> 4) Other tampering or exfiltration of data from the source QEMU process
>> if reached from migration code or migration stream manipulation.
>
> This is a very generic statement to me, even though I think it's correct..
> Say, how stream can be manipulated with TLS encryption? If it's
> manipulated from the guest, is the guest data being tampered on its own or
> some other data?
>
Right, this is a catchall meaning: even with all of the above, if
someone finds a way to do this, the previous points do not invalidate
this find.
I guess I wrote all of these with a sense of providing some assurance
that even though we'll possibly be rejecting various bugs as
non-security related, there are still clear situations where there's a
security implication and we're aware of it.
>>
>> 5) Causing source QEMU process to enter a state from which migration is
>> not possible permanently.
>
> This is a very valid one and clear to understand. However I don't know if
> any of such would really happen, though.
I don't think it matters if it would happen. If it ever does, we think
it's bad enough that it will be considered for a CVE. "Considered", as
opposed to just filing it as a normal bug. But the analysis could still
result in nothing and we'd treat it as just a bug anyway.
> It's easier to happen to me when e.g. we leaked memory in QMP handlers
> which may cause DoS rather than "cannot migrate anymore"..
>
What I'm talking about in this particular point is about putting an
admin in a situation where they can only resort to shutting down the
virtual machine. This is a counterpart to the "failed migrations are
normal" assumption up above; failed migrations can be easily worked
around, but permanent failure cannot.
> Also, if it's only the VM itself got affected (say, attacker from guest
> within causing its VM not migratable), then the damage it can cause is very
> limited too. I'm not 100% sure I know how severe is such, and whether it's
> CVE.
Fair point, maybe it's not super relevant indeed. Note I'm not trying to
say that these items will become CVEs, just that if someone can put an
argument that they can happen, then it's something we'll gladly look
into.
---
See if my answers clarify the situation a bit. It's ok if you still want
to remove the text after reading them. What's more important is that we
hash these things out so we're all in the same page.
Thanks for taking the time to write down your thoughts.
next prev parent reply other threads:[~2026-07-17 0:22 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-07 10:59 [PATCH] docs: outline some guidelines for security classification Daniel P. Berrangé
2026-07-07 12:16 ` Thomas Huth
2026-07-07 12:20 ` Cédric Le Goater
2026-07-07 12:35 ` John Levon
2026-07-07 17:11 ` Daniel P. Berrangé
2026-07-07 12:43 ` Marc-André Lureau
2026-07-07 13:43 ` Michael S. Tsirkin
2026-07-07 16:35 ` Daniel P. Berrangé
2026-07-16 14:08 ` Fabiano Rosas
2026-07-16 15:27 ` Daniel P. Berrangé
2026-07-16 18:34 ` Fabiano Rosas
2026-07-16 15:40 ` Peter Xu
2026-07-16 18:51 ` Fabiano Rosas
2026-07-16 19:56 ` Peter Xu
2026-07-17 0:21 ` Fabiano Rosas [this message]
2026-07-07 16:28 ` Mauro Matteo Cascella
2026-07-07 16:29 ` Daniel P. Berrangé
2026-07-16 20:47 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a4rq4g9q.fsf@suse.de \
--to=farosas@suse.de \
--cc=alex.bennee@linaro.org \
--cc=berrange@redhat.com \
--cc=clg@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=mcascell@redhat.com \
--cc=mst@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=peterx@redhat.com \
--cc=philmd@linaro.org \
--cc=pierrick.bouvier@oss.qualcomm.com \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.