qemu-devel.nongnu.org archive mirror
From: "Alex Bennée" <alex.bennee@linaro.org>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Stefan Hajnoczi" <stefanha@redhat.com>,
	"Leonardo Bras" <leobras@redhat.com>,
	"Laurent Vivier" <laurent@vivier.eu>,
	"Peter Xu" <peterx@redhat.com>,
	"Juan Quintela" <quintela@redhat.com>,
	"Beraldo Leal" <bleal@redhat.com>,
	"Radoslaw Biernacki" <rad@semihalf.com>,
	"Qiuhao Li" <Qiuhao.Li@outlook.com>,
	"Peter Maydell" <peter.maydell@linaro.org>,
	"Yanan Wang" <wangyanan55@huawei.com>,
	"Riku Voipio" <riku.voipio@iki.fi>,
	"Wainer dos Santos Moschetta" <wainersm@redhat.com>,
	"Mahmoud Mandour" <ma.mandourr@gmail.com>,
	"Alexandre Iooss" <erdnaxe@crans.org>,
	"Alex Bennée" <alex.bennee@linaro.org>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Eduardo Habkost" <eduardo@habkost.net>,
	"Thomas Huth" <thuth@redhat.com>,
	"Laurent Vivier" <lvivier@redhat.com>,
	"Bin Meng" <bmeng.cn@gmail.com>,
	"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
	"Bandan Das" <bsd@redhat.com>, "Cleber Rosa" <crosa@redhat.com>,
	"Richard Henderson" <richard.henderson@linaro.org>,
	"Leif Lindholm" <quic_llindhol@quicinc.com>,
	"Marcin Juszkiewicz" <marcin.juszkiewicz@linaro.org>,
	qemu-arm@nongnu.org, "Darren Kenny" <darren.kenny@oracle.com>,
	"Alexander Bulekov" <alxndr@bu.edu>,
	"Ilya Leoshkevich" <iii@linux.ibm.com>
Subject: [PATCH v4 37/38] docs: Document security implications of debugging
Date: Fri, 30 Jun 2023 19:04:22 +0100	[thread overview]
Message-ID: <20230630180423.558337-38-alex.bennee@linaro.org> (raw)
In-Reply-To: <20230630180423.558337-1-alex.bennee@linaro.org>

From: Ilya Leoshkevich <iii@linux.ibm.com>

Now that the GDB stub explicitly implements reading host files (note
that it was already possible by changing the emulated code to open and
read those files), concerns may arise that it undermines security.

Document the status quo, which is that the users are already
responsible for securing the GDB connection themselves.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20230627160943.2956928-36-alex.bennee@linaro.org>
Message-Id: <20230621203627.1808446-8-iii@linux.ibm.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
---
 docs/system/gdb.rst | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/docs/system/gdb.rst b/docs/system/gdb.rst
index 7d3718deef..9906991b84 100644
--- a/docs/system/gdb.rst
+++ b/docs/system/gdb.rst
@@ -214,3 +214,18 @@ The memory mode can be checked by sending the following command:
 
 ``maintenance packet Qqemu.PhyMemMode:0``
     This will change it back to normal memory mode.
+
+Security considerations
+=======================
+
+Connecting to the GDB socket allows running arbitrary code inside the guest;
+in case of the TCG emulation, which is not considered a security boundary, this
+also means running arbitrary code on the host. Additionally, when debugging
+qemu-user, it allows directly downloading any file readable by QEMU from the
+host.
+
+The GDB socket is not protected by authentication, authorization or encryption.
+It is therefore a responsibility of the user to make sure that only authorized
+clients can connect to it, e.g., by using a unix socket with proper
+permissions, or by opening a TCP socket only on interfaces that are not
+reachable by potential attackers.
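Review bot: the second paragraph of the new section tells the reader to rely on "a unix socket with proper permissions" or a TCP socket bound to an unreachable interface, but shows neither, and it does not warn that the common ``-s`` shorthand (``-gdb tcp::1234``) listens on every interface, which is exactly the exposure the paragraph is describing. Consider adding one concrete example per option, e.g. ``-gdb tcp:127.0.0.1:1234`` to bind loopback only and ``-gdb unix:/path/to/gdb.sock,server=on,wait=off`` for a unix socket whose path permissions restrict who can connect, plus a sentence stating that ``-s`` binds to all interfaces. The first paragraph would also read better if it carried the point from the commit message that the qemu-user host-file download is not a new capability, since a debugger that can already write guest code could open and read the same files; as written, a reader may treat the file I/O support as a fresh attack surface rather than a clearer statement of the existing one.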
-- 
2.39.2



Thread overview: 44+ messages
2023-06-30 18:03 [PATCH v4 00/38] maintainer omnibus: testing, fuzz, plugins, documentation, gdbstub (pre-PR) Alex Bennée
2023-06-30 18:03 ` [PATCH v4 01/38] gitlab: explicit set artifacts publishing criteria Alex Bennée
2023-06-30 18:03 ` [PATCH v4 02/38] gitlab: ensure coverage job also publishes meson log Alex Bennée
2023-06-30 18:03 ` [PATCH v4 03/38] gitlab: reduce testing scope of check-gcov Alex Bennée
2023-06-30 18:03 ` [PATCH v4 04/38] docs/devel: remind developers to run CI container pipeline when updating images Alex Bennée
2023-06-30 18:03 ` [PATCH v4 05/38] tests/tcg: add mechanism to handle plugin arguments Alex Bennée
2023-06-30 18:03 ` [PATCH v4 06/38] qemu-keymap: properly check return from xkb_keymap_mod_get_index Alex Bennée
2023-06-30 18:03 ` [PATCH v4 07/38] scripts/oss-fuzz: add a suppression for keymap Alex Bennée
2023-06-30 18:03 ` [PATCH v4 08/38] tests/qtests: clean-up and fix leak in generic_fuzz Alex Bennée
2023-07-03  8:00   ` Richard Henderson
2023-06-30 18:03 ` [PATCH v4 09/38] tests/docker: add test-fuzz Alex Bennée
2023-06-30 18:03 ` [PATCH v4 10/38] Makefile: add lcitool-refresh to UNCHECKED_GOALS Alex Bennée
2023-06-30 18:03 ` [PATCH v4 11/38] tests/lcitool: update to latest version Alex Bennée
2023-06-30 18:03 ` [PATCH v4 12/38] tests/lcitool: Bump fedora container versions Alex Bennée
2023-06-30 18:03 ` [PATCH v4 13/38] tests/lcitool: add an explicit gcc-native package Alex Bennée
2023-06-30 18:03 ` [PATCH v4 14/38] tests/lcitool: introduce qemu-minimal Alex Bennée
2023-07-03  7:59   ` Richard Henderson
2023-06-30 18:04 ` [PATCH v4 15/38] tests/docker: convert riscv64-cross to lcitool Alex Bennée
2023-07-03  7:59   ` Richard Henderson
2023-06-30 18:04 ` [PATCH v4 16/38] tests/avocado: update firmware to enable sbsa-ref/max Alex Bennée
2023-06-30 18:04 ` [PATCH v4 17/38] tests/avocado: Make the test_arm_bpim2u_gmac test more reliable Alex Bennée
2023-06-30 18:04 ` [PATCH v4 18/38] target/arm: make arm_casq_ptw CONFIG_TCG only Alex Bennée
2023-06-30 18:04 ` [PATCH v4 19/38] plugins: force slow path when plugins instrument memory ops Alex Bennée
2023-06-30 18:04 ` [PATCH v4 20/38] plugins: fix memory leak while parsing options Alex Bennée
2023-06-30 18:04 ` [PATCH v4 21/38] plugins: update lockstep to use g_memdup2 Alex Bennée
2023-06-30 18:04 ` [PATCH v4 22/38] docs/devel: add some front matter to the devel index Alex Bennée
2023-06-30 18:04 ` [PATCH v4 23/38] include/migration: mark vmstate_register() as a legacy function Alex Bennée
2023-06-30 18:04 ` [PATCH v4 24/38] include/hw/qdev-core: fixup kerneldoc annotations Alex Bennée
2023-06-30 18:04 ` [PATCH v4 25/38] docs/devel/qom.rst: Correct code style Alex Bennée
2023-06-30 18:04 ` [PATCH v4 26/38] docs/devel: split qom-api reference into new file Alex Bennée
2023-06-30 18:04 ` [PATCH v4 27/38] docs/devel: introduce some key concepts for QOM development Alex Bennée
2023-06-30 18:04 ` [PATCH v4 28/38] gdbstub: lightly refactor connection to avoid snprintf Alex Bennée
2023-07-03  7:57   ` Richard Henderson
2023-06-30 18:04 ` [PATCH v4 29/38] gdbstub: Permit reverse step/break to provide stop response Alex Bennée
2023-06-30 18:04 ` [PATCH v4 30/38] gdbstub: clean-up vcont handling to avoid goto Alex Bennée
2023-06-30 18:04 ` [PATCH v4 31/38] linux-user: Expose do_guest_openat() and do_guest_readlink() Alex Bennée
2023-06-30 18:04 ` [PATCH v4 32/38] linux-user: Add "safe" parameter to do_guest_openat() Alex Bennée
2023-06-30 18:04 ` [PATCH v4 33/38] linux-user: Emulate /proc/self/smaps Alex Bennée
2023-06-30 18:04 ` [PATCH v4 34/38] gdbstub: Expose gdb_get_process() and gdb_get_first_cpu_in_process() Alex Bennée
2023-06-30 18:04 ` [PATCH v4 35/38] gdbstub: Report the actual qemu-user pid Alex Bennée
2023-06-30 18:04 ` [PATCH v4 36/38] gdbstub: Add support for info proc mappings Alex Bennée
2023-06-30 18:04 ` Alex Bennée [this message]
2023-06-30 18:04 ` [PATCH v4 38/38] tests/tcg: Add a test " Alex Bennée
2023-08-08 22:45   ` Richard Henderson
