e2b72cb6e0
The VNC server must throttle data sent to the client to prevent the 'output'
buffer size growing without bound, if the client stops reading data off the
socket (either maliciously or due to stalled/slow network connection).
The current throttling is very crude because it simply checks whether the
output buffer offset is zero. This check must be disabled if audio capture is
enabled, because when streaming audio the output buffer offset will rarely be
zero due to queued audio data, and so this would starve framebuffer updates.
As a result, the VNC client can cause QEMU to allocate arbitrary amounts of RAM.
They can first start something in the guest that triggers lots of framebuffer
updates eg play a youtube video. Then enable audio capture, and simply never
read data back from the server. This can easily make QEMU's VNC server send
buffer consume 100MB of RAM per second, until the OOM killer starts reaping
processes (hopefully the rogue QEMU process, but it might pick others...).
To address this we make the throttling more intelligent, so we can throttle
when audio capture is active too. To determine how to throttle incremental
updates or audio data, we calculate a size threshold. Normally the threshold is
the approximate number of bytes associated with a single complete framebuffer
update. ie width * height * bytes per pixel. We'll send incremental updates
until we hit this threshold, at which point we'll stop sending updates until
data has been written to the wire, causing the output buffer offset to fall
back below the threshold.
If audio capture is enabled, we increase the size of the threshold to also
allow for upto 1 seconds worth of audio data samples. ie nchannels * bytes
per sample * frequency. This allows the output buffer to have a mixture of
incremental framebuffer updates and audio data queued, but once the threshold
is exceeded, audio data will be dropped and incremental updates will be
throttled.
This unbounded memory growth affects all VNC server configurations supported by
QEMU, with no workaround possible. The mitigating factor is that it can only be
triggered by a client that has authenticated with the VNC server, and who is
able to trigger a large quantity of framebuffer updates or audio samples from
the guest OS. Mostly they'll just succeed in getting the OOM killer to kill
their own QEMU process, but its possible other processes can get taken out as
collateral damage.
This is a more general variant of the similar unbounded memory usage flaw in
the websockets server, that was previously assigned CVE-2017-15268, and fixed
in 2.11 by:
commit
|
||
---|---|---|
accel | ||
audio | ||
backends | ||
block | ||
bsd-user | ||
capstone@22ead3e0bf | ||
chardev | ||
contrib | ||
crypto | ||
default-configs | ||
disas | ||
docs | ||
dtc@e54388015a | ||
fpu | ||
fsdev | ||
gdb-xml | ||
hw | ||
include | ||
io | ||
libdecnumber | ||
linux-headers | ||
linux-user | ||
migration | ||
nbd | ||
net | ||
pc-bios | ||
po | ||
qapi | ||
qga | ||
qobject | ||
qom | ||
replay | ||
roms | ||
scripts | ||
scsi | ||
slirp | ||
stubs | ||
target | ||
tcg | ||
tests | ||
trace | ||
ui | ||
util | ||
.dir-locals.el | ||
.editorconfig | ||
.exrc | ||
.gdbinit | ||
.gitignore | ||
.gitmodules | ||
.mailmap | ||
.shippable.yml | ||
.travis.yml | ||
arch_init.c | ||
balloon.c | ||
block.c | ||
blockdev-nbd.c | ||
blockdev.c | ||
blockjob.c | ||
bootdevice.c | ||
bt-host.c | ||
bt-vhci.c | ||
Changelog | ||
CODING_STYLE | ||
configure | ||
COPYING | ||
COPYING.LIB | ||
COPYING.PYTHON | ||
cpus-common.c | ||
cpus.c | ||
device_tree.c | ||
device-hotplug.c | ||
disas.c | ||
dma-helpers.c | ||
dump.c | ||
exec.c | ||
gdbstub.c | ||
HACKING | ||
hmp-commands-info.hx | ||
hmp-commands.hx | ||
hmp.c | ||
hmp.h | ||
ioport.c | ||
iothread.c | ||
LICENSE | ||
MAINTAINERS | ||
Makefile | ||
Makefile.objs | ||
Makefile.target | ||
memory_ldst.inc.c | ||
memory_mapping.c | ||
memory.c | ||
module-common.c | ||
monitor.c | ||
numa.c | ||
os-posix.c | ||
os-win32.c | ||
qapi-schema.json | ||
qdev-monitor.c | ||
qdict-test-data.txt | ||
qemu-bridge-helper.c | ||
qemu-doc.texi | ||
qemu-ga.texi | ||
qemu-img-cmds.hx | ||
qemu-img.c | ||
qemu-img.texi | ||
qemu-io-cmds.c | ||
qemu-io.c | ||
qemu-keymap.c | ||
qemu-nbd.c | ||
qemu-nbd.texi | ||
qemu-option-trace.texi | ||
qemu-options-wrapper.h | ||
qemu-options.h | ||
qemu-options.hx | ||
qemu-seccomp.c | ||
qemu-tech.texi | ||
qemu.nsi | ||
qemu.sasl | ||
qmp.c | ||
qtest.c | ||
README | ||
replication.c | ||
replication.h | ||
rules.mak | ||
thunk.c | ||
tpm.c | ||
trace-events | ||
VERSION | ||
version.rc | ||
vl.c |
QEMU README =========== QEMU is a generic and open source machine & userspace emulator and virtualizer. QEMU is capable of emulating a complete machine in software without any need for hardware virtualization support. By using dynamic translation, it achieves very good performance. QEMU can also integrate with the Xen and KVM hypervisors to provide emulated hardware while allowing the hypervisor to manage the CPU. With hypervisor support, QEMU can achieve near native performance for CPUs. When QEMU emulates CPUs directly it is capable of running operating systems made for one machine (e.g. an ARMv7 board) on a different machine (e.g. an x86_64 PC board). QEMU is also capable of providing userspace API virtualization for Linux and BSD kernel interfaces. This allows binaries compiled against one architecture ABI (e.g. the Linux PPC64 ABI) to be run on a host using a different architecture ABI (e.g. the Linux x86_64 ABI). This does not involve any hardware emulation, simply CPU and syscall emulation. QEMU aims to fit into a variety of use cases. It can be invoked directly by users wishing to have full control over its behaviour and settings. It also aims to facilitate integration into higher level management layers, by providing a stable command line interface and monitor API. It is commonly invoked indirectly via the libvirt library when using open source applications such as oVirt, OpenStack and virt-manager. QEMU as a whole is released under the GNU General Public License, version 2. For full licensing details, consult the LICENSE file. Building ======== QEMU is multi-platform software intended to be buildable on all modern Linux platforms, OS-X, Win32 (via the Mingw64 toolchain) and a variety of other UNIX targets. The simple steps to build QEMU are: mkdir build cd build ../configure make Additional information can also be found online via the QEMU website: https://qemu.org/Hosts/Linux https://qemu.org/Hosts/Mac https://qemu.org/Hosts/W32 Submitting patches ================== The QEMU source code is maintained under the GIT version control system. git clone git://git.qemu.org/qemu.git When submitting patches, the preferred approach is to use 'git format-patch' and/or 'git send-email' to format & send the mail to the qemu-devel@nongnu.org mailing list. All patches submitted must contain a 'Signed-off-by' line from the author. Patches should follow the guidelines set out in the HACKING and CODING_STYLE files. Additional information on submitting patches can be found online via the QEMU website https://qemu.org/Contribute/SubmitAPatch https://qemu.org/Contribute/TrivialPatches Bug reporting ============= The QEMU project uses Launchpad as its primary upstream bug tracker. Bugs found when running code built from QEMU git or upstream released sources should be reported via: https://bugs.launchpad.net/qemu/ If using QEMU via an operating system vendor pre-built binary package, it is preferable to report bugs to the vendor's own bug tracker first. If the bug is also known to affect latest upstream code, it can also be reported via launchpad. For additional information on bug reporting consult: https://qemu.org/Contribute/ReportABug Contact ======= The QEMU community can be contacted in a number of ways, with the two main methods being email and IRC - qemu-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/qemu-devel - #qemu on irc.oftc.net Information on additional methods of contacting the community can be found online via the QEMU website: https://qemu.org/Contribute/StartHere -- End