Re: [PATCH] net: tap: check if the file descriptor is valid before using it

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Jason Wang <jasowang@redhat.com>
To: "Laurent Vivier" <lvivier@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org, Stefan Weil <sw@weilnetz.de>,
	Gerd Hoffmann <kraxel@redhat.com>,
	Markus Armbruster <armbru@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH] net: tap: check if the file descriptor is valid before using it
Date: Tue, 30 Jun 2020 17:21:49 +0800	[thread overview]
Message-ID: <b912e24c-8dc5-7022-6ed2-cf10d72ef6e7@redhat.com> (raw)
In-Reply-To: <ea94fa3c-edb5-220e-e0e0-4b7fca7b90e8@redhat.com>


On 2020/6/30 上午3:30, Laurent Vivier wrote:
> On 28/06/2020 08:31, Jason Wang wrote:
>> On 2020/6/25 下午7:56, Laurent Vivier wrote:
>>> On 25/06/2020 10:48, Daniel P. Berrangé wrote:
>>>> On Wed, Jun 24, 2020 at 09:00:09PM +0200, Laurent Vivier wrote:
>>>>> qemu_set_nonblock() checks that the file descriptor can be used and, if
>>>>> not, crashes QEMU. An assert() is used for that. The use of assert() is
>>>>> used to detect programming error and the coredump will allow to debug
>>>>> the problem.
>>>>>
>>>>> But in the case of the tap device, this assert() can be triggered by
>>>>> a misconfiguration by the user. At startup, it's not a real problem,
>>>>> but it
>>>>> can also happen during the hot-plug of a new device, and here it's a
>>>>> problem because we can crash a perfectly healthy system.
>>>> If the user/mgmt app is not correctly passing FDs, then there's a whole
>>>> pile of bad stuff that can happen. Checking whether the FD is valid is
>>>> only going to catch a small subset. eg consider if fd=9 refers to the
>>>> FD that is associated with the root disk QEMU has open. We'll fail to
>>>> setup the TAP device and close this FD, breaking the healthy system
>>>> again.
>>>>
>>>> I'm not saying we can't check if the FD is valid, but lets be clear that
>>>> this is not offering very much protection against a broken mgmt apps
>>>> passing bad FDs.
>>>>
>>> I agree with you, but my only goal here is to avoid the crash in this
>>> particular case.
>>>
>>> The punishment should fit the crime.
>>>
>>> The user can think the netdev_del doesn't close the fd, and he can try
>>> to reuse it. Sending back an error is better than crashing his system.
>>> After that, if the system crashes, it will be for the good reasons, not
>>> because of an assert.
>>
>> Yes. And on top of this we may try to validate the TAP via st_dev
>> through fstat[1].
> I agree, but the problem I have is to know which major(st_dev) we can
> allow to use.
>
> Do we allow only macvtap major number?


Macvtap and tuntap.


> How to know the macvtap major number at user level?
> [it is allocated dynamically: do we need to parse /proc/devices?]


I think we can get them through fstat for /dev/net/tun and /dev/macvtapX.

Thanks


>
> Thanks,
> Laurent
>
>

next prev parent reply	other threads:[~2020-06-30  9:28 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-24 19:00 [PATCH] net: tap: check if the file descriptor is valid before using it Laurent Vivier
2020-06-25  6:19 ` Philippe Mathieu-Daudé
2020-06-25  7:38   ` Laurent Vivier
2020-06-25  7:40     ` Philippe Mathieu-Daudé
2020-06-25  8:48 ` Daniel P. Berrangé
2020-06-25 11:56   ` Laurent Vivier
2020-06-28  6:31     ` Jason Wang
2020-06-29 19:30       ` Laurent Vivier
2020-06-30  9:21         ` Jason Wang [this message]
2020-06-30  9:23           ` Daniel P. Berrangé
2020-06-30  9:31             ` Daniel P. Berrangé
2020-06-30  9:45               ` Laurent Vivier
2020-06-30 10:03                 ` Jason Wang
2020-06-30 10:35                   ` Laurent Vivier
2020-06-30 10:57                     ` Jason Wang
2020-06-30 11:03                     ` Daniel P. Berrangé
2020-06-30 12:00                       ` Laurent Vivier
2020-06-30 12:35                         ` Daniel P. Berrangé
2020-06-30 12:42                           ` Laurent Vivier
2020-06-30  9:56               ` Jason Wang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b912e24c-8dc5-7022-6ed2-cf10d72ef6e7@redhat.com \
    --to=jasowang@redhat.com \
    --cc=armbru@redhat.com \
    --cc=berrange@redhat.com \
    --cc=kraxel@redhat.com \
    --cc=lvivier@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=sw@weilnetz.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).