From: Laurent Vivier <lvivier@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>,
"Jason Wang" <jasowang@redhat.com>
Cc: Stefan Weil <sw@weilnetz.de>, Paolo Bonzini <pbonzini@redhat.com>,
Gerd Hoffmann <kraxel@redhat.com>,
qemu-devel@nongnu.org, Markus Armbruster <armbru@redhat.com>
Subject: Re: [PATCH] net: tap: check if the file descriptor is valid before using it
Date: Tue, 30 Jun 2020 11:45:31 +0200 [thread overview]
Message-ID: <247f4aa8-1846-c5ec-4fe3-1d344979ad52@redhat.com> (raw)
In-Reply-To: <20200630093148.GF1370404@redhat.com>
On 30/06/2020 11:31, Daniel P. Berrangé wrote:
> On Tue, Jun 30, 2020 at 10:23:18AM +0100, Daniel P. Berrangé wrote:
>> On Tue, Jun 30, 2020 at 05:21:49PM +0800, Jason Wang wrote:
>>>
>>> On 2020/6/30 上午3:30, Laurent Vivier wrote:
>>>> On 28/06/2020 08:31, Jason Wang wrote:
>>>>> On 2020/6/25 下午7:56, Laurent Vivier wrote:
>>>>>> On 25/06/2020 10:48, Daniel P. Berrangé wrote:
>>>>>>> On Wed, Jun 24, 2020 at 09:00:09PM +0200, Laurent Vivier wrote:
>>>>>>>> qemu_set_nonblock() checks that the file descriptor can be used and, if
>>>>>>>> not, crashes QEMU. An assert() is used for that. The use of assert() is
>>>>>>>> used to detect programming error and the coredump will allow to debug
>>>>>>>> the problem.
>>>>>>>>
>>>>>>>> But in the case of the tap device, this assert() can be triggered by
>>>>>>>> a misconfiguration by the user. At startup, it's not a real problem,
>>>>>>>> but it
>>>>>>>> can also happen during the hot-plug of a new device, and here it's a
>>>>>>>> problem because we can crash a perfectly healthy system.
>>>>>>> If the user/mgmt app is not correctly passing FDs, then there's a whole
>>>>>>> pile of bad stuff that can happen. Checking whether the FD is valid is
>>>>>>> only going to catch a small subset. eg consider if fd=9 refers to the
>>>>>>> FD that is associated with the root disk QEMU has open. We'll fail to
>>>>>>> setup the TAP device and close this FD, breaking the healthy system
>>>>>>> again.
>>>>>>>
>>>>>>> I'm not saying we can't check if the FD is valid, but lets be clear that
>>>>>>> this is not offering very much protection against a broken mgmt apps
>>>>>>> passing bad FDs.
>>>>>>>
>>>>>> I agree with you, but my only goal here is to avoid the crash in this
>>>>>> particular case.
>>>>>>
>>>>>> The punishment should fit the crime.
>>>>>>
>>>>>> The user can think the netdev_del doesn't close the fd, and he can try
>>>>>> to reuse it. Sending back an error is better than crashing his system.
>>>>>> After that, if the system crashes, it will be for the good reasons, not
>>>>>> because of an assert.
>>>>>
>>>>> Yes. And on top of this we may try to validate the TAP via st_dev
>>>>> through fstat[1].
>>>> I agree, but the problem I have is to know which major(st_dev) we can
>>>> allow to use.
>>>>
>>>> Do we allow only macvtap major number?
>>>
>>>
>>> Macvtap and tuntap.
>>>
>>>
>>>> How to know the macvtap major number at user level?
>>>> [it is allocated dynamically: do we need to parse /proc/devices?]
>>>
>>>
>>> I think we can get them through fstat for /dev/net/tun and /dev/macvtapX.
>>
>> Don't assume QEMU has any permission to access to these device nodes,
>> only the pre-opened FDs it is given by libvirt.
>
> Actually permissions are the least of the problem - the device nodes
> won't even exist, because QEMU's almost certainly running in a private
> mount namespace with a minimal /dev populated
>
I'm working on a solution using /proc/devices.
macvtap has its own major number, but tuntap use "misc" (10) major number.
Thanks,
Laurent
next prev parent reply other threads:[~2020-06-30 9:46 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-24 19:00 [PATCH] net: tap: check if the file descriptor is valid before using it Laurent Vivier
2020-06-25 6:19 ` Philippe Mathieu-Daudé
2020-06-25 7:38 ` Laurent Vivier
2020-06-25 7:40 ` Philippe Mathieu-Daudé
2020-06-25 8:48 ` Daniel P. Berrangé
2020-06-25 11:56 ` Laurent Vivier
2020-06-28 6:31 ` Jason Wang
2020-06-29 19:30 ` Laurent Vivier
2020-06-30 9:21 ` Jason Wang
2020-06-30 9:23 ` Daniel P. Berrangé
2020-06-30 9:31 ` Daniel P. Berrangé
2020-06-30 9:45 ` Laurent Vivier [this message]
2020-06-30 10:03 ` Jason Wang
2020-06-30 10:35 ` Laurent Vivier
2020-06-30 10:57 ` Jason Wang
2020-06-30 11:03 ` Daniel P. Berrangé
2020-06-30 12:00 ` Laurent Vivier
2020-06-30 12:35 ` Daniel P. Berrangé
2020-06-30 12:42 ` Laurent Vivier
2020-06-30 9:56 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=247f4aa8-1846-c5ec-4fe3-1d344979ad52@redhat.com \
--to=lvivier@redhat.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=jasowang@redhat.com \
--cc=kraxel@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=sw@weilnetz.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).