Re: [Qemu-devel] qmp: dump-guest-memory: -p option has issues, fix it or drop it?

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Anthony Liguori <anthony@codemonkey.ws>
To: Markus Armbruster <armbru@redhat.com>
Cc: Jan Kiszka <jan.kiszka@siemens.com>,
	Marcelo Tosatti <mtosatti@redhat.com>,
	Eric Blake <eblake@redhat.com>,
	qemu-devel <qemu-devel@nongnu.org>,
	Luiz Capitulino <lcapitulino@redhat.com>
Subject: Re: [Qemu-devel] qmp: dump-guest-memory: -p option has issues, fix it or drop it?
Date: Wed, 19 Sep 2012 07:10:21 -0500	[thread overview]
Message-ID: <87zk4mp61e.fsf@codemonkey.ws> (raw)
In-Reply-To: <87pq5imq2m.fsf@blackfin.pond.sub.org>

Markus Armbruster <armbru@redhat.com> writes:

> Anthony Liguori <anthony@codemonkey.ws> writes:
>
>> Markus Armbruster <armbru@redhat.com> writes:
>>
>>> Jan Kiszka <jan.kiszka@siemens.com> writes:
>>>
>>>>>>>>  * The issues discussed in this email plus the fact that the guest
>>>>>>>>    memory may be corrupted, and the guest may be in real-mode even
>>>>>>>>    when paging is enabled
>>>>>>>>
>>>>>>>
>>>>>>> Yes, there are some limitations with this option. Jan said that he
>>>>>>> always use gdb to deal with vmcore, so he needs such information.
>>>>>>
>>>>>> The point is to overcome the focus on Linux-only dump processing tools.
>>>>> 
>>>>> While I don't care for supporting alternate dump processing tools
>>>>> myself, I certainly don't mind supporting them, as long as the code
>>>>> satisfies basic safety and reliability requirements.
>>>>> 
>>>>> This code doesn't, as far as I can tell.
>>>>
>>>> It works, thought not under all circumstances.
>>>
>>> I don't doubt it works often enough to be useful to somebody.  But basic
>>> safety and reliability requirements are a bit more than that.  They
>>> include "don't explode in ways a reasonable user can't be expected to
>>> foresee".  I don't think a reasonable user can be expected to see that
>>> -p is safe only for trusted guests.
>>
>> We shipped the API, we're not removing it.  Our compatibility isn't
>> "whatever libvirt is currently using".
>
> Bah, don't be more catholic than the pope.  It's been out for how many
> days?  Have you looked at the code?
>
>> It's perfectly reasonable to ask to document the behavior of the
>> method.  It's also a trivial patch to qapi-schema.json.
>
> I'm okay with leaving obscure security holes in upstream QEMU,
> indefinitely, as long as they're documented.  I don't think it's a good
> idea, but it's something reasonable people can disagree about.

It's *not* a security hole.

The "malicious guest" you mention is just a guest with fully populated
PTEs and PDEs, no?

There's nothing malicious about that.

It just so happens that the memory usage of this command is proportional
to the amount of page mappings in the guest.

I think your making a mountain out of a mole hill here.

Regards,

Anthony Liguori

>
> We need to document that -p is unreliable and unsafe, therefore should
> only be used with trusted guests, and its result need not be correct
> even then.
>
>> It's unreasonable to ask for an interface to be removed just because it
>> could be misused when it has a legimitate use-case.
>
> The issue isn't "misuse" (operator does something stupid), it's abuse
> (guest can make it blow up when operator uses it as intended), and
> fragility (produces crap when operator uses it as intended, but the
> guest isn't in a sufficiently "nice" state).

next prev parent reply	other threads:[~2012-09-19 12:10 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-09-17 17:56 [Qemu-devel] qmp: dump-guest-memory: -p option has issues, fix it or drop it? Luiz Capitulino
2012-09-17 18:08 ` Eric Blake
2012-09-18  1:52 ` Wen Congyang
2012-09-18  9:22   ` Jan Kiszka
2012-09-18 12:23     ` Markus Armbruster
2012-09-18 12:41       ` Jan Kiszka
2012-09-18 13:33         ` Luiz Capitulino
2012-09-18 16:51           ` Jan Kiszka
2012-09-18 13:36         ` Markus Armbruster
2012-09-18 21:13           ` Anthony Liguori
2012-09-19  0:18             ` Luiz Capitulino
2012-09-19  0:56               ` Anthony Liguori
2012-09-19  2:07               ` Wen Congyang
2012-09-19  2:26                 ` HATAYAMA Daisuke
2012-09-19 13:23                   ` Luiz Capitulino
2012-09-20  1:06                     ` HATAYAMA Daisuke
2012-09-19  7:25             ` Markus Armbruster
2012-09-19 12:10               ` Anthony Liguori [this message]
2012-09-19 13:13                 ` Markus Armbruster

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87zk4mp61e.fsf@codemonkey.ws \
    --to=anthony@codemonkey.ws \
    --cc=armbru@redhat.com \
    --cc=eblake@redhat.com \
    --cc=jan.kiszka@siemens.com \
    --cc=lcapitulino@redhat.com \
    --cc=mtosatti@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).