Re: [Xen-devel] [RFC 1/4] libxl: Learned to send FD through QMP to QEMU
On Tue, Mar 27, 2018 at 11:58:45AM +0100, George Dunlap wrote:
> On 03/27/2018 11:29 AM, Ian Jackson wrote:
> > This 2nd patch looks reasonable, but it prompted me to notice two new
> > kinds of hazard introduced by the deprivileging design goal:
> >
> >> int libxl__qmp_save(libxl__gc *gc, int domid, const char *filename, bool
> >> live)
> >> {
> > ...
> >> + rc = qmp_synchronous_send(qmp, "add-fd", NULL,
> >> + qmp_fdset_add_fd_callback, &new_fdset,
> >> + qmp->timeout);
> >> + if (rc)
> >> + goto out;
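Review bot: the `add-fd` exchange at `qmp_synchronous_send(qmp, "add-fd", ...)` is bounded only by the `qmp->timeout` argument, and nothing in the hunk says whether that value is a deadline for the whole call or an interval that restarts on each wait. Please document at this call site which of the two it is, and confirm that the `if (rc) goto out;` path treats a timeout result the same way as a QMP error, so the caller never continues with an unset `new_fdset`.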
> >
> > By this point, a depriv'd qemu must be assumed to be compromised by
> > its guest - ie we must treat it as hostile.
> >
> > This is not consistent with use of qmp_synchronous_send, because
> > qmp_synchronous_send will block with both the domain and ctx locks
> > held. That is, a malicious qemu can deny service; it even has the
> > ability to prevent its serviced domain from being destroyed.
>
> Will qmp_synchronous_send() wait forever, or is there a timeout?

There is some kind of timeout, but I'm not sure it is true at all times.
These are the few functions that handle connection/send/receive:

- qmp_open()
  This one has a 5s timeout on connecting to the socket.
- qmp_send()
  This uses write/sendmsg with no timeout, but the fd is set to
  O_NONBLOCK.
- qmp_next()
  This function uses select with a 5s timeout, so read should not block.
  But I think the timeout is reset every time something has been read
  from the socket.

So I guess a malicious qemu could have the qmp_next() function wait
forever.

Also I think every time a "response" or an "event" is processed,
qmp_next() will return, and qmp_synchronous_send() will call qmp_next
again until it gets the response it is waiting for.
So a few opportunities to wait forever.

--
Anthony PERARD
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
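
The message above describes a wait whose 5s timeout restarts whenever data arrives. As an added example (not code from this thread or from libxl), the C sketch below bounds the whole read with a single absolute deadline instead; `read_msg_deadline` and `now_ms` are hypothetical names, and newline-terminated messages are an assumption of the sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <time.h>
#include <unistd.h>

/* Milliseconds on the monotonic clock (unaffected by wall-clock changes). */
static long long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/*
 * Hypothetical helper, not a libxl function: read one '\n'-terminated
 * message from fd into buf (newline replaced by NUL).
 * total_ms bounds the whole call, so a peer that keeps sending single
 * bytes cannot extend the wait. Bytes are read one at a time so nothing
 * past the newline is consumed.
 * Returns the message length, -ETIMEDOUT, -EMSGSIZE (no newline within
 * cap bytes), -ECONNRESET (peer closed), or another negative errno.
 */
static long read_msg_deadline(int fd, char *buf, size_t cap, int total_ms)
{
    const long long deadline = now_ms() + total_ms;
    size_t used = 0;

    for (;;) {
        long long left = deadline - now_ms();   /* shrinks on every pass */
        if (left <= 0) return -ETIMEDOUT;

        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, (int)left);
        if (r < 0) { if (errno == EINTR) continue; return -errno; }
        if (r == 0) return -ETIMEDOUT;

        if (used == cap) return -EMSGSIZE;       /* bound memory as well */
        ssize_t n = read(fd, buf + used, 1);
        if (n < 0) {
            if (errno == EINTR || errno == EAGAIN) continue;
            return -errno;
        }
        if (n == 0) return -ECONNRESET;
        if (buf[used] == '\n') { buf[used] = '\0'; return (long)used; }
        used++;
    }
}
```

A caller that loops over several such reads while waiting for one particular response would compute the deadline once, outside the loop, and pass the remaining time to each read.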