From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P . Berrangé" <berrange@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Michael Roth" <mdroth@linux.vnet.ibm.com>,
"Fakhri Zulkifli" <mohdfakhrizulkifli@gmail.com>,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
"Sameeh Jubran" <sjubran@redhat.com>,
"Basil Salman" <basil@daynix.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Dietmar Maurer" <dietmar@proxmox.com>
Subject: [PATCH-for-5.0 v2 4/4] qga: Restrict guest-file-read count to 10 MB to avoid crashes
Date: Tue, 31 Mar 2020 16:06:38 +0200 [thread overview]
Message-ID: <20200331140638.16464-5-philmd@redhat.com> (raw)
In-Reply-To: <20200331140638.16464-1-philmd@redhat.com>
On https://www.mail-archive.com/qemu-devel@nongnu.org/msg693176.html
Daniel Berrangé commented:
The QEMU guest agent protocol is not sensible way to access huge
files inside the guest. It requires the inefficient process of
reading the entire data into memory than duplicating it again in
base64 format, and then copying it again in the JSON serializer /
monitor code.
For arbitrary general purpose file access, especially for large
files, use a real file transfer program or use a network block
device, not the QEMU guest agent.
To avoid bug reports as BZ#1594054, follow his suggestion to put a
low, hard limit on "count" in the guest agent QAPI schema, and don't
allow count to be larger than 10 MB.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1594054
Reported-by: Fakhri Zulkifli <mohdfakhrizulkifli@gmail.com>
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
qga/qapi-schema.json | 6 ++++--
qga/commands.c | 6 +++++-
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
index f6fcb59f34..7758d9daf8 100644
--- a/qga/qapi-schema.json
+++ b/qga/qapi-schema.json
@@ -266,11 +266,13 @@
##
# @guest-file-read:
#
-# Read from an open file in the guest. Data will be base64-encoded
+# Read from an open file in the guest. Data will be base64-encoded.
+# As this command is just for limited, ad-hoc debugging, such as log
+# file access, the number of bytes to read is limited to 10 MB.
#
# @handle: filehandle returned by guest-file-open
#
-# @count: maximum number of bytes to read (default is 4KB)
+# @count: maximum number of bytes to read (default is 4KB, maximum is 10MB)
#
# Returns: @GuestFileRead on success.
#
diff --git a/qga/commands.c b/qga/commands.c
index 8ee1244ebb..c130d1b0f5 100644
--- a/qga/commands.c
+++ b/qga/commands.c
@@ -11,6 +11,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/units.h"
#include "guest-agent-core.h"
#include "qga-qapi-commands.h"
#include "qapi/error.h"
@@ -18,11 +19,14 @@
#include "qemu/base64.h"
#include "qemu/cutils.h"
#include "qemu/atomic.h"
+#include "commands-common.h"
/* Maximum captured guest-exec out_data/err_data - 16MB */
#define GUEST_EXEC_MAX_OUTPUT (16*1024*1024)
/* Allocation and I/O buffer for reading guest-exec out_data/err_data - 4KB */
#define GUEST_EXEC_IO_SIZE (4*1024)
+/* Maximum file size to read - 10MB */
+#define GUEST_FILE_READ_COUNT_MAX (10 * MiB)
/* Note: in some situations, like with the fsfreeze, logging may be
* temporarilly disabled. if it is necessary that a command be able
@@ -559,7 +563,7 @@ GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count,
}
if (!has_count) {
count = QGA_READ_COUNT_DEFAULT;
- } else if (count < 0 || count >= UINT32_MAX) {
+ } else if (count < 0 || count > GUEST_FILE_READ_COUNT_MAX) {
error_setg(errp, "value '%" PRId64 "' is invalid for argument count",
count);
return NULL;
--
2.21.1
next prev parent reply other threads:[~2020-03-31 14:10 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-31 14:06 [PATCH-for-5.0 v2 0/4] qga: Restrict guest-file-read count to 10 MB to avoid crashes Philippe Mathieu-Daudé
2020-03-31 14:06 ` [PATCH-for-5.0 v2 1/4] Revert "prevent crash when executing guest-file-read with large count" Philippe Mathieu-Daudé
2020-03-31 14:12 ` Daniel P. Berrangé
2020-03-31 14:15 ` Philippe Mathieu-Daudé
2020-03-31 14:06 ` [PATCH-for-5.0 v2 2/4] qga: Extract guest_file_handle_find() to commands-common.h Philippe Mathieu-Daudé
2020-03-31 14:06 ` [PATCH-for-5.0 v2 3/4] qga: Extract qmp_guest_file_read() to common commands.c Philippe Mathieu-Daudé
2020-03-31 14:06 ` Philippe Mathieu-Daudé [this message]
2020-03-31 14:15 ` [PATCH-for-5.0 v2 4/4] qga: Restrict guest-file-read count to 10 MB to avoid crashes Daniel P. Berrangé
2020-03-31 14:17 ` Philippe Mathieu-Daudé
2020-04-02 13:09 ` Markus Armbruster
2020-04-03 9:23 ` Daniel P. Berrangé
2020-04-03 12:07 ` Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200331140638.16464-5-philmd@redhat.com \
--to=philmd@redhat.com \
--cc=armbru@redhat.com \
--cc=basil@daynix.com \
--cc=berrange@redhat.com \
--cc=dgilbert@redhat.com \
--cc=dietmar@proxmox.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mohdfakhrizulkifli@gmail.com \
--cc=qemu-devel@nongnu.org \
--cc=sjubran@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).