From: Jes Sorensen
Date: Fri, 10 Dec 2010 07:43:57 +0100
Subject: [Qemu-devel] Re: [RFC][PATCH v5 08/21] virtagent: add agent_viewfile qmp/hmp command
To: Michael Roth
Cc: agl@linux.vnet.ibm.com, stefanha@linux.vnet.ibm.com, abeekhof@redhat.com, qemu-devel@nongnu.org, aliguori@linux.vnet.ibm.com, ryanh@us.ibm.com
Message-ID: <4D01CC2D.10706@redhat.com>
In-Reply-To: <4D01465B.9040200@linux.vnet.ibm.com>

On 12/09/10 22:12, Michael Roth wrote:
> On 12/07/2010 08:26 AM, Jes Sorensen wrote:
>> I believe this suffers from the same architectural problem I mentioned
>> in my comment to 07/21 - you don't restrict the file size, so it could
>> blow up the QEMU process on the host trying to view the wrong file.
>
> It's restricted on the guest side:
>
> virtagent-server.c:va_getfile():
>
> while ((ret = read(fd, buf, VA_FILEBUF_LEN)) > 0) {
>     file_contents = qemu_realloc(file_contents, count +
>                                  VA_FILEBUF_LEN);
>     memcpy(file_contents + count, buf, ret);
>     count += ret;
>     if (count > VA_GETFILE_MAX) {
>         xmlrpc_faultf(env, "max file size (%d bytes) exceeded",
>                       VA_GETFILE_MAX);
>         goto EXIT_CLOSE_BAD;
>     }
> }

You cannot rely on the guest controlling this. You really have to treat
any guest as hostile and keep control and security in the host,
otherwise a hacked guest could end up attacking the host by blowing up
the host's QEMU process.

Cheers,
Jes
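A sketch of the host-side check this reply asks for, added here as an example and not code from virtagent or QEMU: the receiving side enforces its own cap before growing its buffer, whatever the guest claims to have limited. `HostBuf`, `hostbuf_append`, `feed_chunks` and the 1 MiB `HOST_VIEWFILE_MAX` are hypothetical names and values.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HOST_VIEWFILE_MAX (1u << 20) /* assumed host-side cap: 1 MiB */

typedef struct { uint8_t *data; size_t len, cap; } HostBuf;

/* Append one guest-supplied chunk. The limit is checked before any allocation,
 * so the guest cannot make the host buffer grow past HOST_VIEWFILE_MAX. */
int hostbuf_append(HostBuf *b, const uint8_t *chunk, size_t n)
{
    if (n > HOST_VIEWFILE_MAX - b->len)   /* overflow-safe: len never exceeds the limit */
        return -1;
    if (n == 0)
        return 0;
    if (b->len + n > b->cap) {
        size_t ncap = b->cap ? b->cap : 4096;
        while (ncap < b->len + n)
            ncap *= 2;
        if (ncap > HOST_VIEWFILE_MAX)
            ncap = HOST_VIEWFILE_MAX;
        uint8_t *p = realloc(b->data, ncap);
        if (!p)
            return -1;
        b->data = p;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return 0;
}

/* Constructed stand-in for a guest sending `count` chunks of `chunk_len`
 * bytes. Returns the bytes accepted, or -1 once the host refuses more. */
long feed_chunks(size_t chunk_len, size_t count)
{
    static uint8_t chunk[65536];
    HostBuf b = {0};
    long total = -1;

    if (chunk_len > sizeof(chunk))
        return -1;
    for (size_t i = 0; i < count; i++)
        if (hostbuf_append(&b, chunk, chunk_len) < 0)
            goto out;
    total = (long)b.len;
out:
    free(b.data);
    return total;
}
```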