From: Greg Kurz <groug@kaod.org>
To: Eric Blake <eblake@redhat.com>
Cc: Li Qiang <liq3ea@gmail.com>, Li Qiang <liqiang6-s@360.cn>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 1/2] 9pfs: fix information leak in xattr read
Date: Thu, 13 Oct 2016 09:51:13 +0200 [thread overview]
Message-ID: <20161013095113.6626f46a@bahia> (raw)
In-Reply-To: <62702952-e2d8-fb96-0ed8-94729cd65c4c@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 1229 bytes --]
On Wed, 12 Oct 2016 15:49:46 -0500
Eric Blake <eblake@redhat.com> wrote:
> On 10/12/2016 08:23 AM, Greg Kurz wrote:
> >
> > But in fact, I'm afraid we have a more serious problem here... size
> > comes from the guest and could cause g_malloc() to abort if QEMU has
> > reached some RLIMIT... we need to call g_try_malloc0() and return
> > ENOMEM if the allocation fails.
>
> Even if it does not cause an ENOMEM failure right away, the guest can
> also use this to chew up lots of host resources. It may also be worth
> putting a reasonable cap at the maximum the guest can allocate, rather
> than just trying to malloc every possible size.
>
In the case of v9fs_xattrcreate(), the allocation of the xattr value only
happens if a fid with a specific id was created. This function alone cannot
be used to chew up memory, but it can certainly be used to crash QEMU if the
guest passes an insanely great value.
I fully agree that guest triggered allocations should be capped though,
and the more I look the more I realize the 9p code is fragile on this
matter... This will require more analysis and fixing, which goes far
beyond the scope of preventing an immediate crash.
Cheers.
--
Greg
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
next prev parent reply other threads:[~2016-10-13 7:51 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-09 5:25 [Qemu-devel] [PATCH 0/2] 9pfs: fix xattr issues Li Qiang
2016-10-09 5:26 ` [Qemu-devel] [PATCH 1/2] 9pfs: fix information leak in xattr read Li Qiang
2016-10-10 8:56 ` Greg Kurz
2016-10-12 13:23 ` Greg Kurz
2016-10-12 20:49 ` Eric Blake
2016-10-13 3:30 ` Li Qiang
2016-10-13 8:08 ` Greg Kurz
2016-10-13 7:51 ` Greg Kurz [this message]
2016-10-09 5:27 ` [Qemu-devel] [PATCH 2/2] 9pfs: fix memory leak about xattr value Li Qiang
2016-10-10 9:06 ` Greg Kurz
2016-10-10 9:15 ` Li Qiang
2016-10-10 10:21 ` Greg Kurz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161013095113.6626f46a@bahia \
--to=groug@kaod.org \
--cc=eblake@redhat.com \
--cc=liq3ea@gmail.com \
--cc=liqiang6-s@360.cn \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).