From: Luiz Capitulino <lcapitulino@redhat.com>
To: wency@cn.fujitsu.com
Cc: Marcelo Tosatti <mtosatti@redhat.com>,
Eric Blake <eblake@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
qemu-devel <qemu-devel@nongnu.org>
Subject: [Qemu-devel] qmp: dump-guest-memory: -p option has issues, fix it or drop it?
Date: Mon, 17 Sep 2012 14:56:22 -0300 [thread overview]
Message-ID: <20120917145622.5ba28e23@doriath.home> (raw)
Hi Wen,
We've re-reviewed the dump-guest-memory command and found some
possible issues with the -p option.
The main issue is that it seems possible for a malicious guest to set
page tables in a way that we allocate a MemoryMapping structure for
each possible PTE. If IA-32e paging is used, this could lead to the
allocation of dozens of gigabytes by qemu.
Of course this is not expected for the regular case, where a
MemoryMapping allocation can be skipped for several reasons (I/O memory,
page not present, contiguous/in same range addresses etc), but the
point is what a malicious guest can do.
Another problem is that the -p option seems to be broken for SMP guests.
The problem is in qemu_get_guest_memory_mapping():
    first_paging_enabled_cpu = find_paging_enabled_cpu(first_cpu);
    if (first_paging_enabled_cpu) {
        for (env = first_paging_enabled_cpu; env != NULL; env = env->next_cpu) {
            ret = cpu_get_memory_mapping(list, env);
            if (ret < 0) {
                return -1;
            }
        }
        return 0;
    }
This looks for the first vCPU with paging enabled, and then assumes
that all the following vCPUs also have paging enabled. How does this
hold?
Assuming that this last issue is fixable (i.e. we can make the -p
option work well with SMP guests), we should at least document that
-p can make QEMU allocate lots of memory and end up being killed
by the OS.
However, I also think that we should consider if having the -p
feature is really worth it. It's a complex feature and has a number
of limitations*. If libvirt doesn't use this, dropping it shouldn't
be a big deal (we can return an error when -p is used).
* The issues discussed in this email plus the fact that the guest
memory may be corrupted, and the guest may be in real-mode even
when paging is enabled
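The two problems raised in the message, shown as an added example that is not part of the original mail and not QEMU's code: a simplified single-level page-table walk that merges contiguous pages into one entry (as the real code does) and otherwise allocates one entry per present PTE, a constructed benign table and a constructed hostile table that differ only in the order of the physical frames, a limit on the list size so the hostile case fails instead of allocating without bound, and a per-vCPU paging check instead of assuming that every vCPU after the first paging-enabled one also has paging on. The names Mapping, Cpu, walk_page_table, walk_all_cpus, fill_ptes, demo_count and demo_smp, the flat table and the sample sizes are all assumptions made for this example.

```c
/* Added example, not QEMU code: a simplified model of the page-table walk
 * behind dump-guest-memory -p. The guest's page-table layout decides how many
 * mapping entries get allocated, a bound on the list turns unbounded allocation
 * into an error, and paging is checked per vCPU instead of being assumed for
 * every vCPU after the first paging-enabled one. All names here (Mapping, Cpu,
 * walk_page_table, demo_*) are assumptions made for this example. */
#include <stdint.h>
#include <stdlib.h>

#define PAGE_SIZE    4096ULL
#define PTE_PRESENT  1ULL                   /* bit 0, x86 convention */
#define PTE_PFN_MASK 0x000ffffffffff000ULL  /* bits 12..51: physical frame */

/* A run that is contiguous in both the virtual and the physical address space. */
typedef struct Mapping {
    uint64_t virt_addr, phys_addr, length;
    struct Mapping *next;
} Mapping;

/* Per-vCPU state; a flat single-level table keeps the example small. */
typedef struct { int paging_enabled; const uint64_t *ptes; size_t n_ptes; } Cpu;

static void mapping_list_free(Mapping *m) { while (m) { Mapping *n = m->next; free(m); m = n; } }

/* Append one page, merging into the tail when both sides are contiguous.
 * Returns -1 when a new entry would push the list past `limit`. */
static int mapping_add(Mapping **head, Mapping **tail, size_t *count,
                       size_t limit, uint64_t virt, uint64_t phys)
{
    Mapping *t = *tail;
    if (t && t->virt_addr + t->length == virt && t->phys_addr + t->length == phys) {
        t->length += PAGE_SIZE;             /* contiguous: no allocation */
        return 0;
    }
    if (*count >= limit) return -1;         /* the bound a hardened walk enforces */
    Mapping *m = calloc(1, sizeof(*m));
    if (!m) return -1;
    m->virt_addr = virt; m->phys_addr = phys; m->length = PAGE_SIZE;
    if (t) t->next = m; else *head = m;
    *tail = m; (*count)++;
    return 0;
}

/* Walk one table. Returns the number of entries built, or -1 if more than
 * `limit` were needed. Without a limit, a guest that makes every present PTE
 * non-contiguous with its neighbour gets one allocation per PTE (up to 2^36
 * 4 KiB pages in a 48-bit virtual address space): the issue raised above. */
long walk_page_table(const uint64_t *ptes, size_t n, size_t limit)
{
    Mapping *head = NULL, *tail = NULL; size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!(ptes[i] & PTE_PRESENT)) continue;   /* not present: skipped */
        if (mapping_add(&head, &tail, &count, limit,
                        (uint64_t)i * PAGE_SIZE, ptes[i] & PTE_PFN_MASK) < 0) {
            mapping_list_free(head);
            return -1;
        }
    }
    mapping_list_free(head);
    return (long)count;
}

/* Walk every vCPU, checking paging on each one individually. */
long walk_all_cpus(const Cpu *cpus, size_t n_cpus, size_t limit)
{
    long total = 0;
    for (size_t c = 0; c < n_cpus; c++) {
        if (!cpus[c].paging_enabled) continue;    /* e.g. still in real mode */
        long r = walk_page_table(cpus[c].ptes, cpus[c].n_ptes, limit);
        if (r < 0) return -1;
        total += r;
    }
    return total;
}

/* Constructed tables: identity map (everything merges into one run) or frames
 * in reverse order (no two consecutive PTEs ever merge: one entry per page). */
static void fill_ptes(uint64_t *ptes, size_t n, int hostile)
{
    for (size_t i = 0; i < n; i++)
        ptes[i] = ((hostile ? n - 1 - i : i) * PAGE_SIZE) | PTE_PRESENT;
}

/* Entry count for an n-page table of the given kind, or -1 if over `limit`. */
long demo_count(size_t n, int hostile, size_t limit)
{
    uint64_t *ptes = malloc(n * sizeof(*ptes));
    if (!ptes) return -1;
    fill_ptes(ptes, n, hostile);
    long r = walk_page_table(ptes, n, limit);
    free(ptes);
    return r;
}

/* Four constructed vCPUs: two without paging (skipped), one benign, one hostile. */
long demo_smp(size_t limit)
{
    uint64_t benign[16], hostile[8];
    fill_ptes(benign, 16, 0); fill_ptes(hostile, 8, 1);
    Cpu cpus[4] = { {0, NULL, 0}, {1, benign, 16}, {0, NULL, 0}, {1, hostile, 8} };
    return walk_all_cpus(cpus, 4, limit);
}
```

demo_count(1024, 0, limit) yields a single entry for the identity map, demo_count(1024, 1, limit) yields 1024 entries for the same number of present pages, and with limit 256 the hostile table is rejected with -1 rather than walked to completion. demo_smp walks only the two vCPUs that have paging enabled; the real-mode vCPU that sits between them is skipped rather than walked with whatever its CR3 happens to hold.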
Thread overview:
2012-09-17 17:56 Luiz Capitulino [this message]
2012-09-17 18:08 ` [Qemu-devel] qmp: dump-guest-memory: -p option has issues, fix it or drop it? Eric Blake
2012-09-18 1:52 ` Wen Congyang
2012-09-18 9:22 ` Jan Kiszka
2012-09-18 12:23 ` Markus Armbruster
2012-09-18 12:41 ` Jan Kiszka
2012-09-18 13:33 ` Luiz Capitulino
2012-09-18 16:51 ` Jan Kiszka
2012-09-18 13:36 ` Markus Armbruster
2012-09-18 21:13 ` Anthony Liguori
2012-09-19 0:18 ` Luiz Capitulino
2012-09-19 0:56 ` Anthony Liguori
2012-09-19 2:07 ` Wen Congyang
2012-09-19 2:26 ` HATAYAMA Daisuke
2012-09-19 13:23 ` Luiz Capitulino
2012-09-20 1:06 ` HATAYAMA Daisuke
2012-09-19 7:25 ` Markus Armbruster
2012-09-19 12:10 ` Anthony Liguori
2012-09-19 13:13 ` Markus Armbruster