From: "Daniel P. Berrange" <berrange@redhat.com>
To: "Marc-André Lureau" <marcandre.lureau@redhat.com>
Cc: qemu-devel@nongnu.org, mdroth@linux.vnet.ibm.com,
armbru@redhat.com, anderson@redhat.com, pbonzini@redhat.com,
lersek@redhat.com
Subject: Re: [Qemu-devel] [PATCH 17/21] virtio-channel: parse qga stream for VMDUMP_INFO event
Date: Wed, 5 Apr 2017 17:12:56 +0100
Message-ID: <20170405161256.GA25291@redhat.com>
In-Reply-To: <20170311132256.22951-18-marcandre.lureau@redhat.com>
On Sat, Mar 11, 2017 at 05:22:52PM +0400, Marc-André Lureau wrote:
> On virtio channel "org.qemu.guest_agent.0", parse the json stream until
> the VMDUMP_INFO is received and retrieve the dump details.
>
> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> ---
> include/sysemu/dump-info.h | 15 +++++++++++++
> dump.c | 3 +++
> hw/char/virtio-console.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 71 insertions(+)
> create mode 100644 include/sysemu/dump-info.h
>
> diff --git a/include/sysemu/dump-info.h b/include/sysemu/dump-info.h
> new file mode 100644
> index 0000000000..fb1ddff9af
> --- /dev/null
> +++ b/include/sysemu/dump-info.h
> @@ -0,0 +1,15 @@
> +#ifndef DUMP_INFO_H
> +#define DUMP_INFO_H
> +
> +typedef struct DumpInfo {
> + bool received;
> + bool has_phys_base;
> + uint64_t phys_base;
> + bool has_text;
> + uint64_t text;
> + char *vmcoreinfo;
> +} DumpInfo;
> +
> +extern DumpInfo dump_info;
> +
> +#endif /* DUMP_INFO_H */
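Review bot: the header says nothing about the ownership or lifetime of `vmcoreinfo` or about who clears `received`; in the other hunks `vmcoreinfo` is filled with `g_strdup()` of a guest-supplied string and `received` is only ever set to true, so a comment here should state that the string is guest-controlled and unbounded, that any previous value must be freed before it is replaced, and what (if anything) resets the struct. `bool` and `uint64_t` are also used without includes, which only works because every includer pulls in qemu/osdep.h first; say so, or include the headers.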
> diff --git a/dump.c b/dump.c
> index f7b80d856b..68b406459e 100644
> --- a/dump.c
> +++ b/dump.c
> @@ -20,6 +20,7 @@
> #include "monitor/monitor.h"
> #include "sysemu/kvm.h"
> #include "sysemu/dump.h"
> +#include "sysemu/dump-info.h"
> #include "sysemu/sysemu.h"
> #include "sysemu/memory_mapping.h"
> #include "sysemu/cpus.h"
> @@ -38,6 +39,8 @@
> #define ELF_MACHINE_UNAME "Unknown"
> #endif
>
> +DumpInfo dump_info = { 0, };
> +
> uint16_t cpu_to_dump16(DumpState *s, uint16_t val)
> {
> if (s->dump_info.d_endian == ELFDATA2LSB) {
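Review bot: `dump_info` is a process-wide global written from the virtio-serial path and read by the dump code, and nothing in the quoted hunks ever resets it: `received` is set once in `qga_message()` and `flush_buf()` stops feeding the parser as soon as it is true, so the first event the guest ever sends is what every later dump uses for the lifetime of the QEMU process. Either document that here or reset the struct (and free `vmcoreinfo`) when the port closes, and consider whether a field on the port or the machine is a better home than a bare global.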
> diff --git a/hw/char/virtio-console.c b/hw/char/virtio-console.c
> index 798d9b69fd..796b7c85aa 100644
> --- a/hw/char/virtio-console.c
> +++ b/hw/char/virtio-console.c
> @@ -16,6 +16,9 @@
> #include "trace.h"
> #include "hw/virtio/virtio-serial.h"
> #include "qapi-event.h"
> +#include "qapi/qmp/json-streamer.h"
> +#include "qapi/qmp/json-parser.h"
> +#include "sysemu/dump-info.h"
>
> #define TYPE_VIRTIO_CONSOLE_SERIAL_PORT "virtserialport"
> #define VIRTIO_CONSOLE(obj) \
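Review bot: pulling qapi/qmp/json-streamer.h, json-parser.h and sysemu/dump-info.h into the generic virtio console device inverts the usual layering, since hw/char now depends on the QMP JSON parser and on dump state. Consider having the dump code register a callback on the port instead, so the device model stays agnostic of the guest-agent protocol.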
> @@ -26,6 +29,7 @@ typedef struct VirtConsole {
>
> CharBackend chr;
> guint watch;
> + JSONMessageParser parser;
> } VirtConsole;
>
> /*
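Review bot: nothing in the struct says that `parser` is only initialised for the guest-agent port and left zeroed for every other virtserialport; `flush_buf()` relies on `parser.emit` being NULL in that case, and the initialisation is not in the quoted hunks. A one-line comment on the field stating that contract would help the next reader.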
> @@ -49,6 +53,11 @@ static ssize_t flush_buf(VirtIOSerialPort *port,
> VirtConsole *vcon = VIRTIO_CONSOLE(port);
> ssize_t ret;
>
> + if (vcon->parser.emit &&
> + !dump_info.received) {
> + json_message_parser_feed(&vcon->parser, (const char *)buf, len);
> + }
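Review bot: every byte the guest writes to the port is passed to `json_message_parser_feed()` with no upper bound on how much may accumulate before a complete message arrives, and the parser is never reset or destroyed when `received` turns true or when the port closes. Since the stream is entirely guest-controlled, cap the bytes buffered per message and drop the message (or close the port) on overflow, and tear the parser down once the event has been seen so partial state is not kept for the life of the port. The feed also happens regardless of what `flush_buf()` later returns, which is worth a comment.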
[snip]
so we just continually feed data into the json parser until we see the
event we care about....

What kind of denial of service protection does our JSON parser have? Now
that QEMU is directly parsing JSON from QEMU guest agent, it is exposed
to malicious attack by the guest agent.

e.g. what happens if the 'vmcoreinfo' string in the JSON doc received from
the guest ends up being 10GB in size? Is that going to cause our JSON
parser to allocate QString which is 10GB in size which we'll further
try to strdup just below too...
> @@ -163,6 +177,37 @@ static void chr_event(void *opaque, int event)
> }
> }
>
> +
> +static void qga_message(JSONMessageParser *parser, GQueue *tokens)
> +{
> + /* VirtConsole *vcon = container_of(parser, VirtConsole, parser); */
> + QObject *obj;
> + QDict *msg, *data;
> + const char *event;
> +
> + obj = json_parser_parse(tokens, NULL);
> + msg = qobject_to_qdict(obj);
> + if (!msg) {
> + error_report("JSON parsing failed");
> + return;
> + }
> +
> + event = qdict_get_try_str(msg, "event");
> + data = qdict_get_qdict(msg, "data");
> + if (event && g_str_equal(event, "VMDUMP_INFO") && data) {
> + dump_info.received = true;
> + if (qdict_haskey(data, "phys-base")) {
> + dump_info.has_phys_base = true;
> + dump_info.phys_base = qdict_get_try_uint(data, "phys-base", 0);
> + }
> + if (qdict_haskey(data, "text")) {
> + dump_info.has_text = true;
> + dump_info.text = qdict_get_try_uint(data, "text", 0);
> + }
> + dump_info.vmcoreinfo = g_strdup(qdict_get_try_str(data, "vmcoreinfo"));
> + }
> +}
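Review bot: `obj` returned by `json_parser_parse()` is leaked on both paths: `qobject_to_qdict()` does not take a reference, so a `qobject_decref(obj)` is needed after the fields have been copied, and also when `msg` is NULL but `obj` is a non-dict object. `g_strdup()` likewise overwrites `dump_info.vmcoreinfo` without freeing a previous value, and one `flush_buf()` call can carry more than one event, so this function can run twice before `received` stops the feed. The `has_phys_base`/`has_text` flags are set on key presence alone while `qdict_get_try_uint()` yields the default 0 for a wrong-typed value, so a guest sending "phys-base": "x" is recorded as a valid base of 0; check the type before accepting. Finally, `error_report()` on a parse failure is a guest-triggerable log line; a tracepoint or rate limit would be safer.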
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
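Added example, not part of this thread or of QEMU: one way to answer the question above is to bound what the guest can make the host buffer before any JSON parsing happens at all. The scanner below tracks brace depth outside strings (honouring escaped quotes), hands each complete top-level object to a callback, and drops any message that would exceed a fixed cap instead of growing a buffer. The QGA_MAX_MESSAGE value, the BoundedJsonFeed type and the constructed stream (one well-formed VMDUMP_INFO event, one whose vmcoreinfo string is twice the cap, one more well-formed event) are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Per-message cap: an assumption for this example, not a QEMU constant. A
 * VMDUMP_INFO event is a few hundred bytes, so 4 KiB leaves ample headroom. */
#define QGA_MAX_MESSAGE 4096

typedef void (*qga_message_cb)(const char *msg, size_t len, void *opaque);

typedef struct {
    char buf[QGA_MAX_MESSAGE]; /* fixed storage, never grows with guest input */
    size_t len;                /* bytes of the current partial message */
    int depth;                 /* {} nesting depth, counted outside strings */
    bool in_string, escaped;   /* escaped: previous byte was a backslash */
    size_t delivered;          /* complete messages handed to the callback */
    size_t dropped;            /* messages discarded for exceeding the cap */
} BoundedJsonFeed;

static void discard_current(BoundedJsonFeed *f)
{
    f->len = 0; f->depth = 0; f->in_string = f->escaped = false;
}

/* Scan guest bytes; each complete top-level object goes to cb. A message that
 * would overflow buf is dropped on the spot, so memory stays bounded and CPU
 * cost is linear in bytes received; scanning resumes at the next '{' seen at
 * depth 0, and any fragment that yields is left for the real JSON parser to
 * reject. Returns the number of messages delivered by this call. */
size_t bounded_feed(BoundedJsonFeed *f, const char *data, size_t n,
                    qga_message_cb cb, void *opaque)
{
    size_t before = f->delivered;
    for (size_t i = 0; i < n; i++) {
        char c = data[i];
        if (f->depth == 0 && c != '{') {
            continue;                    /* between messages: ignore noise */
        }
        if (f->len == QGA_MAX_MESSAGE) { /* oversized: drop, no allocation */
            f->dropped++;
            discard_current(f);
            continue;
        }
        f->buf[f->len++] = c;
        if (f->in_string) {              /* braces inside strings don't count */
            if (f->escaped)      f->escaped = false;
            else if (c == '\\')  f->escaped = true;
            else if (c == '"')   f->in_string = false;
        } else if (c == '"') {
            f->in_string = true;
        } else if (c == '{') {
            f->depth++;
        } else if (c == '}' && --f->depth == 0) {
            f->delivered++;
            if (cb) cb(f->buf, f->len, opaque);
            discard_current(f);
        }
    }
    return f->delivered - before;
}

/* Example callback: keep the most recent complete message, NUL-terminated. */
static char last_message[QGA_MAX_MESSAGE + 1];

static void remember_message(const char *msg, size_t len, void *opaque)
{
    (void)opaque;
    memcpy(last_message, msg, len);
    last_message[len] = '\0';
}

/* Constructed input, not real guest-agent output: a well-formed VMDUMP_INFO
 * event, an event whose "vmcoreinfo" string is twice the cap, then a second
 * well-formed event, fed in 7-byte chunks as a virtio-serial port might. */
size_t run_constructed_stream(BoundedJsonFeed *f)
{
    static char stream[3 * QGA_MAX_MESSAGE];
    size_t pos = 0, total = 0;

    pos += snprintf(stream + pos, sizeof(stream) - pos,
        "{\"event\": \"VMDUMP_INFO\", \"data\": {\"phys-base\": 1048576, "
        "\"text\": 2097152, \"vmcoreinfo\": \"OSRELEASE=4.10.0\\n\"}}\n"
        "{\"event\": \"VMDUMP_INFO\", \"data\": {\"vmcoreinfo\": \"");
    memset(stream + pos, 'A', 2 * QGA_MAX_MESSAGE);
    pos += 2 * QGA_MAX_MESSAGE;
    pos += snprintf(stream + pos, sizeof(stream) - pos,
        "\"}}\n{\"event\": \"VMDUMP_INFO\", \"data\": {\"phys-base\": 1048576, "
        "\"text\": 4194304, \"vmcoreinfo\": \"OSRELEASE=4.10.1\\n\"}}\n");

    for (size_t off = 0; off < pos; off += 7) {
        size_t chunk = pos - off < 7 ? pos - off : 7;
        total += bounded_feed(f, stream + off, chunk, remember_message, NULL);
    }
    return total; /* 2: the oversized event is dropped, the other two delivered */
}

int main(void)
{
    BoundedJsonFeed f;
    memset(&f, 0, sizeof(f));
    size_t n = run_constructed_stream(&f);
    printf("delivered=%zu dropped=%zu last=%s\n", n, f.dropped, last_message);
    return 0;
}
```

The point is that the cap is enforced before anything like qga_message() ever sees the bytes, so a 10GB string costs the host a linear scan and nothing else; what a port does on overflow (drop and resynchronise, as here, or close the channel) is a policy choice, and closing is the stricter option for a channel that is supposed to carry one small event.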