From: Anthony Liguori <anthony@codemonkey.ws>
To: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Jan Kiszka <jan.kiszka@siemens.com>,
Marcelo Tosatti <mtosatti@redhat.com>,
Eric Blake <eblake@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] qmp: dump-guest-memory: -p option has issues, fix it or drop it?
Date: Tue, 18 Sep 2012 19:56:20 -0500 [thread overview]
Message-ID: <877grqrft7.fsf@codemonkey.ws> (raw)
In-Reply-To: <20120918211845.5f4344b9@doriath.home>
Luiz Capitulino <lcapitulino@redhat.com> writes:
> On Tue, 18 Sep 2012 16:13:30 -0500
> Anthony Liguori <anthony@codemonkey.ws> wrote:
>
>> Markus Armbruster <armbru@redhat.com> writes:
>>
>> > Jan Kiszka <jan.kiszka@siemens.com> writes:
>> >
>> >>>>>> * The issues discussed in this email plus the fact that the guest
>> >>>>>> memory may be corrupted, and the guest may be in real-mode even
>> >>>>>> when paging is enabled
>> >>>>>>
>> >>>>>
>> >>>>> Yes, there are some limitations with this option. Jan said that he
>> >>>>> always use gdb to deal with vmcore, so he needs such information.
>> >>>>
>> >>>> The point is to overcome the focus on Linux-only dump processing tools.
>> >>>
>> >>> While I don't care for supporting alternate dump processing tools
>> >>> myself, I certainly don't mind supporting them, as long as the code
>> >>> satisfies basic safety and reliability requirements.
>> >>>
>> >>> This code doesn't, as far as I can tell.
>> >>
>> >> It works, thought not under all circumstances.
>> >
>> > I don't doubt it works often enough to be useful to somebody. But basic
>> > safety and reliability requirements are a bit more than that. They
>> > include "don't explode in ways a reasonable user can't be expected to
>> > foresee". I don't think a reasonable user can be expected to see that
>> > -p is safe only for trusted guests.
>>
>> We shipped the API, we're not removing it. Our compatibility isn't
>> "whatever libvirt is currently using".
>>
>> It's perfectly reasonable to ask to document the behavior of the
>> method. It's also a trivial patch to qapi-schema.json.
>
> I feel that documenting it is not enough. It would be fine to do that
> if the worst case was a bad dump file, but the worst case as the
> code stands right now will affect the host.
Normally I would agree with you if it was a guest initiated action, but
it's a user initiated command.
Putting a big fat warning in qapi-schema.json is sufficient in my mind.
>> It's unreasonable to ask for an interface to be removed just because it
>> could be misused when it has a legimitate use-case.
>
> The point is not that it can be misused. The issue we're concerned about
> is that a malicious guest could cause qemu to allocate dozens of
> gigabytes of RAM.
By a user initiated action. A user can assign a USB/PCI device that's being
used by the kernel. They could hotplug a disk that points to /dev/hda
and overwrite their active root filesystem too.
We should educate users and avoid making it too easy to shoot themselves
in the foot. But this is an option to an obscure QMP command. I highly
doubt that there will ever be a case where a root kit in the wild is
prepared to completely hose the guest in the hopes that a user is going
to blindly issue this command with the '-p' option.
> Jan suggested a fix that could make it less worse, which is to avoid
> allocating any memory while walking the guest page tables. However,
> it's not clear if this is hard to do and, more importantly, if it's
> backportable to -stable.
I just don't see the problem here as long as the behavior is
documented.
Regards,
Anthony Liguori
next prev parent reply other threads:[~2012-09-19 0:56 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-17 17:56 [Qemu-devel] qmp: dump-guest-memory: -p option has issues, fix it or drop it? Luiz Capitulino
2012-09-17 18:08 ` Eric Blake
2012-09-18 1:52 ` Wen Congyang
2012-09-18 9:22 ` Jan Kiszka
2012-09-18 12:23 ` Markus Armbruster
2012-09-18 12:41 ` Jan Kiszka
2012-09-18 13:33 ` Luiz Capitulino
2012-09-18 16:51 ` Jan Kiszka
2012-09-18 13:36 ` Markus Armbruster
2012-09-18 21:13 ` Anthony Liguori
2012-09-19 0:18 ` Luiz Capitulino
2012-09-19 0:56 ` Anthony Liguori [this message]
2012-09-19 2:07 ` Wen Congyang
2012-09-19 2:26 ` HATAYAMA Daisuke
2012-09-19 13:23 ` Luiz Capitulino
2012-09-20 1:06 ` HATAYAMA Daisuke
2012-09-19 7:25 ` Markus Armbruster
2012-09-19 12:10 ` Anthony Liguori
2012-09-19 13:13 ` Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877grqrft7.fsf@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=armbru@redhat.com \
--cc=eblake@redhat.com \
--cc=jan.kiszka@siemens.com \
--cc=lcapitulino@redhat.com \
--cc=mtosatti@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).