From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56501)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1bL7AZ-0004eR-T8
	for qemu-devel@nongnu.org; Thu, 07 Jul 2016 07:08:37 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1bL7AV-0007tl-FC
	for qemu-devel@nongnu.org; Thu, 07 Jul 2016 07:08:34 -0400
Received: from mail-wm0-x242.google.com ([2a00:1450:400c:c09::242]:34767)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1bL7AV-0007tb-8E
	for qemu-devel@nongnu.org; Thu, 07 Jul 2016 07:08:31 -0400
Received: by mail-wm0-x242.google.com with SMTP id 187so4643741wmz.1
	for <qemu-devel@nongnu.org>; Thu, 07 Jul 2016 04:08:31 -0700 (PDT)
Sender: Paolo Bonzini <paolo.bonzini@gmail.com>
References: <1467809017-25023-1-git-send-email-pbonzini@redhat.com>
	<1467809017-25023-2-git-send-email-pbonzini@redhat.com>
	<577D2629.80007@redhat.com> <87inwhsvv9.fsf@dusky.pond.sub.org>
From: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <1b18bb10-3ed1-bd68-1f0a-e22ce6b075e0@redhat.com>
Date: Thu, 7 Jul 2016 13:08:27 +0200
MIME-Version: 1.0
In-Reply-To: <87inwhsvv9.fsf@dusky.pond.sub.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] qapi: change QmpInputVisitor to QSLIST
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Markus Armbruster <armbru@redhat.com>, Eric Blake <eblake@redhat.com>
Cc: qemu-devel@nongnu.org



On 07/07/2016 10:19, Markus Armbruster wrote:
> Actually, you should either prove that untrusted input still cannot make
> us allocated unbounded amounts of memory, or bring the limit right back.

This is not where untrusted input can be blocked from allocating
unbounded memory---that would be QmpOutputVisitor, which converts a
stream of visitor calls into a QObject.

The QmpInputVisitor's allocation depth is bounded by the number of
levels in the incoming QObject, so a QmpInputVisitor cannot allocate
more memory than whatever has been allocated already by QEMU.

In addition, QmpOutputVisitor allocates memory not just for the stack
but also a QObject for every *value*.  So you can make QmpOutputVisitor
allocate unbounded memory even with a single huge QDict.

Paolo