From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([208.118.235.92]:49025) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TE7zM-000786-9s for qemu-devel@nongnu.org; Tue, 18 Sep 2012 20:18:01 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1TE7zL-00037s-61 for qemu-devel@nongnu.org; Tue, 18 Sep 2012 20:18:00 -0400 Received: from mx1.redhat.com ([209.132.183.28]:16031) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TE7zK-00037m-Tg for qemu-devel@nongnu.org; Tue, 18 Sep 2012 20:17:59 -0400 Date: Tue, 18 Sep 2012 21:18:45 -0300 From: Luiz Capitulino Message-ID: <20120918211845.5f4344b9@doriath.home> In-Reply-To: <87obl36nlx.fsf@codemonkey.ws> References: <20120917145622.5ba28e23@doriath.home> <5057D3F1.20005@cn.fujitsu.com> <50583D45.6080200@siemens.com> <878vc7cyek.fsf@blackfin.pond.sub.org> <50586C11.8070603@siemens.com> <87627btpu3.fsf@blackfin.pond.sub.org> <87obl36nlx.fsf@codemonkey.ws> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] qmp: dump-guest-memory: -p option has issues, fix it or drop it? List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Anthony Liguori Cc: Jan Kiszka , Marcelo Tosatti , Eric Blake , Markus Armbruster , qemu-devel On Tue, 18 Sep 2012 16:13:30 -0500 Anthony Liguori wrote: > Markus Armbruster writes: > > > Jan Kiszka writes: > > > >>>>>> * The issues discussed in this email plus the fact that the guest > >>>>>> memory may be corrupted, and the guest may be in real-mode even > >>>>>> when paging is enabled > >>>>>> > >>>>> > >>>>> Yes, there are some limitations with this option. Jan said that he > >>>>> always use gdb to deal with vmcore, so he needs such information. > >>>> > >>>> The point is to overcome the focus on Linux-only dump processing tools. > >>> > >>> While I don't care for supporting alternate dump processing tools > >>> myself, I certainly don't mind supporting them, as long as the code > >>> satisfies basic safety and reliability requirements. > >>> > >>> This code doesn't, as far as I can tell. > >> > >> It works, thought not under all circumstances. > > > > I don't doubt it works often enough to be useful to somebody. But basic > > safety and reliability requirements are a bit more than that. They > > include "don't explode in ways a reasonable user can't be expected to > > foresee". I don't think a reasonable user can be expected to see that > > -p is safe only for trusted guests. > > We shipped the API, we're not removing it. Our compatibility isn't > "whatever libvirt is currently using". > > It's perfectly reasonable to ask to document the behavior of the > method. It's also a trivial patch to qapi-schema.json. I feel that documenting it is not enough. It would be fine to do that if the worst case was a bad dump file, but the worst case as the code stands right now will affect the host. > It's unreasonable to ask for an interface to be removed just because it > could be misused when it has a legimitate use-case. The point is not that it can be misused. The issue we're concerned about is that a malicious guest could cause qemu to allocate dozens of gigabytes of RAM. Jan suggested a fix that could make it less worse, which is to avoid allocating any memory while walking the guest page tables. However, it's not clear if this is hard to do and, more importantly, if it's backportable to -stable.