From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1N5248-0000tu-CU for qemu-devel@nongnu.org; Mon, 02 Nov 2009 13:55:44 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1N5244-0000qY-Ts for qemu-devel@nongnu.org; Mon, 02 Nov 2009 13:55:44 -0500
Received: from [199.232.76.173] (port=34762 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1N5244-0000qO-NL for qemu-devel@nongnu.org; Mon, 02 Nov 2009 13:55:40 -0500
Received: from mail-qy0-f194.google.com ([209.85.221.194]:58150) by monty-python.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1N5244-0002mV-CM for qemu-devel@nongnu.org; Mon, 02 Nov 2009 13:55:40 -0500
Received: by qyk32 with SMTP id 32so1884075qyk.4 for ; Mon, 02 Nov 2009 10:55:39 -0800 (PST)
Message-ID: <4AEF2B28.6000303@codemonkey.ws>
Date: Mon, 02 Nov 2009 12:55:36 -0600
From: Anthony Liguori
MIME-Version: 1.0
Subject: Re: [Qemu-devel] Re: [PATCH] whitelist host virtio networking features [was Re: qemu-kvm-0.11 regression, crashes on older ...]
References: <1256815818-sup-7805@xpc65.scottt> <1256818566.10825.58.camel@blaa> <4AE9A299.5060003@codemonkey.ws> <1256826351.10825.69.camel@blaa> <4AE9A90F.1060108@codemonkey.ws> <1256827719.10825.75.camel@blaa> <1256830455.25064.155.camel@x200> <1257172722.5075.7.camel@blaa> <4AEEFDCE.1000006@codemonkey.ws> <20091102155228.GB9655@shareable.org>
In-Reply-To: <20091102155228.GB9655@shareable.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: qemu-devel.nongnu.org
To: Jamie Lokier
Cc: Mark McLoughlin, Scott Tsai, kvm, Dustin Kirkland, Rusty Russell, qemu-devel, jdstrand@canonical.com, Marc Deslauriers, kees.cook@canonical.com

Jamie Lokier wrote:
> Anthony Liguori wrote:
>
>> Mark McLoughlin wrote:
>>
>>>> Canonical's Ubuntu Security Team will be filing a CVE on this issue,
>>>> since there is a bit of an attack vector here, and since
>>>> qemu-kvm-0.11.0 is generally available as an official release (and now
>>>> part of Ubuntu 9.10).
>>>>
>>>> Guests running linux <= 2.6.25 virtio-net (e.g. Ubuntu 8.04 hardy) on
>>>> top of qemu-kvm-0.11.0 can be remotely crashed by a non-privileged
>>>> network user flooding an open port on the guest. The crash happens in
>>>> a manner that abruptly terminates the guest's execution (i.e., without
>>>> shutting down cleanly). This may affect the guest filesystem's
>>>> general happiness.
>>>>
>>> IMHO, the CVE should be against the 2.6.25 virtio drivers - the bug is
>>> in the guest and the issue we're discussing here is just a hacky
>>> workaround for the guest bug.
>>>
>> Yeah, I'm inclined to agree. The guest generates bad data and we exit.
>> exit()ing is probably not wonderful but it's a well understood behavior.
>>
>> The fundamental bug here is in the guest, not in qemu.
>>
> Guests should never be able to crash or terminate qemu, unless they
> call something that is intentionally an "exit qemu" hook for the
> guest. And even that should be possible to disable.

They can exit qemu via an ACPI shutdown. I don't see the difference.

Regards,

Anthony Liguori