c8a76dbd90
Allowing an unlimited number of clients to any web service is a recipe for a rudimentary denial of service attack: the client merely needs to open lots of sockets without closing them, until qemu no longer has any more fds available to allocate. For qemu-nbd, we default to allowing only 1 connection unless more are explicitly asked for (-e or --shared); this was historically picked as a nice default (without an explicit -t, a non-persistent qemu-nbd goes away after a client disconnects, without needing any additional follow-up commands), and we are not going to change that interface now (besides, someday we want to point people towards qemu-storage-daemon instead of qemu-nbd). But for qemu proper, and the newer qemu-storage-daemon, the QMP nbd-server-start command has historically had a default of unlimited number of connections, in part because unlike qemu-nbd it is inherently persistent until nbd-server-stop. Allowing multiple client sockets is particularly useful for clients that can take advantage of MULTI_CONN (creating parallel sockets to increase throughput), although known clients that do so (such as libnbd's nbdcopy) typically use only 8 or 16 connections (the benefits of scaling diminish once more sockets are competing for kernel attention). Picking a number large enough for typical use cases, but not unlimited, makes it slightly harder for a malicious client to perform a denial of service merely by opening lots of connections withot progressing through the handshake. This change does not eliminate CVE-2024-7409 on its own, but reduces the chance for fd exhaustion or unlimited memory usage as an attack surface. On the other hand, by itself, it makes it more obvious that with a finite limit, we have the problem of an unauthenticated client holding 100 fds opened as a way to block out a legitimate client from being able to connect; thus, later patches will further add timeouts to reject clients that are not making progress. This is an INTENTIONAL change in behavior, and will break any client of nbd-server-start that was not passing an explicit max-connections parameter, yet expects more than 100 simultaneous connections. We are not aware of any such client (as stated above, most clients aware of MULTI_CONN get by just fine on 8 or 16 connections, and probably cope with later connections failing by relying on the earlier connections; libvirt has not yet been passing max-connections, but generally creates NBD servers with the intent for a single client for the sake of live storage migration; meanwhile, the KubeSAN project anticipates a large cluster sharing multiple clients [up to 8 per node, and up to 100 nodes in a cluster], but it currently uses qemu-nbd with an explicit --shared=0 rather than qemu-storage-daemon with nbd-server-start). We considered using a deprecation period (declare that omitting max-parameters is deprecated, and make it mandatory in 3 releases - then we don't need to pick an arbitrary default); that has zero risk of breaking any apps that accidentally depended on more than 100 connections, and where such breakage might not be noticed under unit testing but only under the larger loads of production usage. But it does not close the denial-of-service hole until far into the future, and requires all apps to change to add the parameter even if 100 was good enough. It also has a drawback that any app (like libvirt) that is accidentally relying on an unlimited default should seriously consider their own CVE now, at which point they are going to change to pass explicit max-connections sooner than waiting for 3 qemu releases. Finally, if our changed default breaks an app, that app can always pass in an explicit max-parameters with a larger value. It is also intentional that the HMP interface to nbd-server-start is not changed to expose max-connections (any client needing to fine-tune things should be using QMP). Suggested-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com> Message-ID: <20240807174943.771624-12-eblake@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> [ericb: Expand commit message to summarize Dan's argument for why we break corner-case back-compat behavior without a deprecation period] Signed-off-by: Eric Blake <eblake@redhat.com> |
||
|---|---|---|
| .github/workflows | ||
| .gitlab/issue_templates | ||
| .gitlab-ci.d | ||
| accel | ||
| audio | ||
| authz | ||
| backends | ||
| block | ||
| bsd-user | ||
| chardev | ||
| common-user | ||
| configs | ||
| contrib | ||
| crypto | ||
| disas | ||
| docs | ||
| dump | ||
| ebpf | ||
| fpu | ||
| fsdev | ||
| gdb-xml | ||
| gdbstub | ||
| host/include | ||
| hw | ||
| include | ||
| io | ||
| libdecnumber | ||
| linux-headers | ||
| linux-user | ||
| migration | ||
| monitor | ||
| nbd | ||
| net | ||
| pc-bios | ||
| plugins | ||
| po | ||
| python | ||
| qapi | ||
| qga | ||
| qobject | ||
| qom | ||
| replay | ||
| roms | ||
| scripts | ||
| scsi | ||
| semihosting | ||
| stats | ||
| storage-daemon | ||
| stubs | ||
| subprojects | ||
| system | ||
| target | ||
| tcg | ||
| tests | ||
| tools | ||
| trace | ||
| ui | ||
| util | ||
| .dir-locals.el | ||
| .editorconfig | ||
| .exrc | ||
| .gdbinit | ||
| .git-blame-ignore-revs | ||
| .gitattributes | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| .gitmodules | ||
| .gitpublish | ||
| .mailmap | ||
| .patchew.yml | ||
| .readthedocs.yml | ||
| .travis.yml | ||
| block.c | ||
| blockdev-nbd.c | ||
| blockdev.c | ||
| blockjob.c | ||
| configure | ||
| COPYING | ||
| COPYING.LIB | ||
| cpu-common.c | ||
| cpu-target.c | ||
| event-loop-base.c | ||
| gitdm.config | ||
| hmp-commands-info.hx | ||
| hmp-commands.hx | ||
| iothread.c | ||
| job-qmp.c | ||
| job.c | ||
| Kconfig | ||
| Kconfig.host | ||
| LICENSE | ||
| MAINTAINERS | ||
| Makefile | ||
| meson_options.txt | ||
| meson.build | ||
| module-common.c | ||
| os-posix.c | ||
| os-win32.c | ||
| page-target.c | ||
| page-vary-common.c | ||
| page-vary-target.c | ||
| pythondeps.toml | ||
| qemu-bridge-helper.c | ||
| qemu-edid.c | ||
| qemu-img-cmds.hx | ||
| qemu-img.c | ||
| qemu-io-cmds.c | ||
| qemu-io.c | ||
| qemu-keymap.c | ||
| qemu-nbd.c | ||
| qemu-options.hx | ||
| qemu.nsi | ||
| qemu.sasl | ||
| README.rst | ||
| replication.c | ||
| trace-events | ||
| VERSION | ||
| version.rc | ||
=========== QEMU README =========== QEMU is a generic and open source machine & userspace emulator and virtualizer. QEMU is capable of emulating a complete machine in software without any need for hardware virtualization support. By using dynamic translation, it achieves very good performance. QEMU can also integrate with the Xen and KVM hypervisors to provide emulated hardware while allowing the hypervisor to manage the CPU. With hypervisor support, QEMU can achieve near native performance for CPUs. When QEMU emulates CPUs directly it is capable of running operating systems made for one machine (e.g. an ARMv7 board) on a different machine (e.g. an x86_64 PC board). QEMU is also capable of providing userspace API virtualization for Linux and BSD kernel interfaces. This allows binaries compiled against one architecture ABI (e.g. the Linux PPC64 ABI) to be run on a host using a different architecture ABI (e.g. the Linux x86_64 ABI). This does not involve any hardware emulation, simply CPU and syscall emulation. QEMU aims to fit into a variety of use cases. It can be invoked directly by users wishing to have full control over its behaviour and settings. It also aims to facilitate integration into higher level management layers, by providing a stable command line interface and monitor API. It is commonly invoked indirectly via the libvirt library when using open source applications such as oVirt, OpenStack and virt-manager. QEMU as a whole is released under the GNU General Public License, version 2. For full licensing details, consult the LICENSE file. Documentation ============= Documentation can be found hosted online at `<https://www.qemu.org/documentation/>`_. The documentation for the current development version that is available at `<https://www.qemu.org/docs/master/>`_ is generated from the ``docs/`` folder in the source tree, and is built by `Sphinx <https://www.sphinx-doc.org/en/master/>`_. Building ======== QEMU is multi-platform software intended to be buildable on all modern Linux platforms, OS-X, Win32 (via the Mingw64 toolchain) and a variety of other UNIX targets. The simple steps to build QEMU are: .. code-block:: shell mkdir build cd build ../configure make Additional information can also be found online via the QEMU website: * `<https://wiki.qemu.org/Hosts/Linux>`_ * `<https://wiki.qemu.org/Hosts/Mac>`_ * `<https://wiki.qemu.org/Hosts/W32>`_ Submitting patches ================== The QEMU source code is maintained under the GIT version control system. .. code-block:: shell git clone https://gitlab.com/qemu-project/qemu.git When submitting patches, one common approach is to use 'git format-patch' and/or 'git send-email' to format & send the mail to the qemu-devel@nongnu.org mailing list. All patches submitted must contain a 'Signed-off-by' line from the author. Patches should follow the guidelines set out in the `style section <https://www.qemu.org/docs/master/devel/style.html>`_ of the Developers Guide. Additional information on submitting patches can be found online via the QEMU website: * `<https://wiki.qemu.org/Contribute/SubmitAPatch>`_ * `<https://wiki.qemu.org/Contribute/TrivialPatches>`_ The QEMU website is also maintained under source control. .. code-block:: shell git clone https://gitlab.com/qemu-project/qemu-web.git * `<https://www.qemu.org/2017/02/04/the-new-qemu-website-is-up/>`_ A 'git-publish' utility was created to make above process less cumbersome, and is highly recommended for making regular contributions, or even just for sending consecutive patch series revisions. It also requires a working 'git send-email' setup, and by default doesn't automate everything, so you may want to go through the above steps manually for once. For installation instructions, please go to: * `<https://github.com/stefanha/git-publish>`_ The workflow with 'git-publish' is: .. code-block:: shell $ git checkout master -b my-feature $ # work on new commits, add your 'Signed-off-by' lines to each $ git publish Your patch series will be sent and tagged as my-feature-v1 if you need to refer back to it in the future. Sending v2: .. code-block:: shell $ git checkout my-feature # same topic branch $ # making changes to the commits (using 'git rebase', for example) $ git publish Your patch series will be sent with 'v2' tag in the subject and the git tip will be tagged as my-feature-v2. Bug reporting ============= The QEMU project uses GitLab issues to track bugs. Bugs found when running code built from QEMU git or upstream released sources should be reported via: * `<https://gitlab.com/qemu-project/qemu/-/issues>`_ If using QEMU via an operating system vendor pre-built binary package, it is preferable to report bugs to the vendor's own bug tracker first. If the bug is also known to affect latest upstream code, it can also be reported via GitLab. For additional information on bug reporting consult: * `<https://wiki.qemu.org/Contribute/ReportABug>`_ ChangeLog ========= For version history and release notes, please visit `<https://wiki.qemu.org/ChangeLog/>`_ or look at the git history for more detailed information. Contact ======= The QEMU community can be contacted in a number of ways, with the two main methods being email and IRC: * `<mailto:qemu-devel@nongnu.org>`_ * `<https://lists.nongnu.org/mailman/listinfo/qemu-devel>`_ * #qemu on irc.oftc.net Information on additional methods of contacting the community can be found online via the QEMU website: * `<https://wiki.qemu.org/Contribute/StartHere>`_