Date: Mon, 2 Nov 2009 15:52:28 +0000
From: Jamie Lokier
Subject: Re: [Qemu-devel] Re: [PATCH] whitelist host virtio networking features [was Re: qemu-kvm-0.11 regression, crashes on older ...]
Message-ID: <20091102155228.GB9655@shareable.org>
In-Reply-To: <4AEEFDCE.1000006@codemonkey.ws>
References: <1256815818-sup-7805@xpc65.scottt> <1256818566.10825.58.camel@blaa> <4AE9A299.5060003@codemonkey.ws> <1256826351.10825.69.camel@blaa> <4AE9A90F.1060108@codemonkey.ws> <1256827719.10825.75.camel@blaa> <1256830455.25064.155.camel@x200> <1257172722.5075.7.camel@blaa> <4AEEFDCE.1000006@codemonkey.ws>
List-Id: qemu-devel.nongnu.org
To: Anthony Liguori
Cc: Mark McLoughlin, Scott Tsai, kvm, Dustin Kirkland, Rusty Russell, qemu-devel, jdstrand@canonical.com, Marc Deslauriers, kees.cook@canonical.com

Anthony Liguori wrote:
> Mark McLoughlin wrote:
> >>Canonical's Ubuntu Security Team will be filing a CVE on this issue,
> >>since there is a bit of an attack vector here, and since
> >>qemu-kvm-0.11.0 is generally available as an official release (and now
> >>part of Ubuntu 9.10).
> >>
> >>Guests running linux <= 2.6.25 virtio-net (e.g. Ubuntu 8.04 hardy) on
> >>top of qemu-kvm-0.11.0 can be remotely crashed by a non-privileged
> >>network user flooding an open port on the guest. The crash happens in
> >>a manner that abruptly terminates the guest's execution (i.e. without
> >>shutting down cleanly). This may affect the guest filesystem's
> >>general happiness.
> >>
> >
> >IMHO, the CVE should be against the 2.6.25 virtio drivers - the bug is
> >in the guest and the issue we're discussing here is just a hacky
> >workaround for the guest bug.
> >
>
> Yeah, I'm inclined to agree. The guest generates bad data and we exit.
> exit()ing is probably not wonderful but it's a well understood behavior.
>
> The fundamental bug here is in the guest, not in qemu.

Guests should never be able to crash or terminate qemu, unless they call
something that is intentionally an "exit qemu" hook for the guest. And
even that should be possible to disable.

What happens if the guest is running malicious code? What if it's been
hacked? The worst that should happen is the guest behaves like a hacked
machine.

What about running old machine images? One of the major uses I've seen
of KVM is for running old machine images - images which are not to be
updated, so that they continue to have the same behaviour.

I agree that the 2.6.25 virtio drivers have a bug and ought to be fixed,
but a qemu which abruptly terminates is never good.

-- Jamie
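An added example, not part of this mail and not qemu's own code: the design Jamie argues for, written as a toy virtio-net receive path in C. Guest-posted receive buffers are treated as untrusted input; a buffer layout the device cannot honour halts that device and drops the packet instead of calling exit(). The header size, the descriptor layout, the chain limit and every function name are assumptions made for the illustration.

```c
/* Added illustration, not qemu code: a toy virtio-net-style receive path
 * that treats guest-posted rx buffers as untrusted input. All names and
 * structures here are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define VNET_HDR_LEN 10   /* legacy virtio-net header size, assumed for the toy */
#define MAX_CHAIN     4   /* longest descriptor chain the toy device accepts */

struct desc { uint32_t len; uint8_t *buf; };   /* one guest-posted rx buffer */

struct vnet_dev {
    int broken;               /* guest violated the protocol; device halted */
    unsigned long dropped;    /* packets discarded */
    unsigned long delivered;  /* packets written into guest buffers */
};

/* Before: trust the guest's layout and terminate the whole VMM when it is
 * wrong ("the guest generates bad data and we exit"). Never called here. */
void deliver_or_exit(struct desc *chain, int n)
{
    if (n < 1 || chain[0].len < VNET_HDR_LEN)
        exit(1);   /* guest-controlled input kills the host process */
    /* ... header and packet would be written into chain[0] here ... */
}

/* Copy len bytes of src into the chain at byte offset off. The caller has
 * already verified that the chain holds at least off + len bytes. */
static void scatter_write(struct desc *chain, int n, size_t off,
                          const uint8_t *src, size_t len)
{
    for (int i = 0; i < n && len > 0; i++) {
        if (off >= chain[i].len) { off -= chain[i].len; continue; }
        size_t chunk = chain[i].len - off;
        if (chunk > len) chunk = len;
        memcpy(chain[i].buf + off, src, chunk);
        src += chunk; len -= chunk; off = 0;
    }
}

/* After: validate first. A protocol violation halts this device (the guest
 * sees a dead NIC); a chain that is merely too small drops the packet.
 * Returns bytes written, 0 if dropped, -1 if the device is (now) broken. */
static int deliver_checked(struct vnet_dev *dev, struct desc *chain, int n,
                           const uint8_t *pkt, size_t pktlen)
{
    if (dev->broken) return -1;
    if (n < 1 || n > MAX_CHAIN || chain[0].len < VNET_HDR_LEN) {
        dev->broken = 1; dev->dropped++; return -1;   /* header must fit in buf 0 */
    }
    size_t total = 0;
    for (int i = 0; i < n; i++) {
        if (chain[i].buf == NULL || chain[i].len > SIZE_MAX - total) {
            dev->broken = 1; dev->dropped++; return -1;
        }
        total += chain[i].len;
    }
    if (total < VNET_HDR_LEN + pktlen) { dev->dropped++; return 0; }
    uint8_t hdr[VNET_HDR_LEN] = {0};      /* no offload flags in the toy */
    scatter_write(chain, n, 0, hdr, VNET_HDR_LEN);
    scatter_write(chain, n, VNET_HDR_LEN, pkt, pktlen);
    dev->delivered++;
    return (int)(VNET_HDR_LEN + pktlen);
}

/* Constructed scenarios; each returns 1 when the checked path behaves as documented. */
int scenario_good_chain(void) {
    struct vnet_dev dev = {0, 0, 0};
    uint8_t b0[16], b1[64];
    struct desc chain[2] = { {16, b0}, {64, b1} };
    int r = deliver_checked(&dev, chain, 2, (const uint8_t *)"hello", 5);
    return r == 15 && dev.delivered == 1 && !dev.broken &&
           memcmp(b0 + VNET_HDR_LEN, "hello", 5) == 0;
}

int scenario_bad_layout(void) {
    struct vnet_dev dev = {0, 0, 0};
    uint8_t b0[4], b1[64], g0[64];
    struct desc bad[2]  = { {4, b0}, {64, b1} };   /* header cannot fit in b0 */
    struct desc good[1] = { {64, g0} };
    int r1 = deliver_checked(&dev, bad, 2, (const uint8_t *)"hello", 5);
    int r2 = deliver_checked(&dev, good, 1, (const uint8_t *)"hello", 5);
    return r1 == -1 && r2 == -1 && dev.broken && dev.dropped == 1;
}

int scenario_short_chain(void) {
    struct vnet_dev dev = {0, 0, 0};
    uint8_t b0[12];
    struct desc chain[1] = { {12, b0} };           /* 12 < 10 + 5 */
    int r = deliver_checked(&dev, chain, 1, (const uint8_t *)"hello", 5);
    return r == 0 && dev.dropped == 1 && !dev.broken && dev.delivered == 0;
}

int main(void) {
    printf("good %d, bad layout %d, short %d\n", scenario_good_chain(),
           scenario_bad_layout(), scenario_short_chain());
    return 0;
}
```

The split between a halted device (protocol violation) and a dropped packet (buffer too small) is a design choice of the example, not something the thread specifies: a flood that outruns the guest's posted buffers costs it packets, a malformed chain costs it its NIC, and in neither case can guest-controlled input take down the host process that owns the VM.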