On Wed, Mar 16, 2022 at 04:39:36PM +0100, Michal Privoznik wrote:
When probing QEMU capabilities, we look at whatever
<emulator/>
was specified in the domain XML and execute it with couple of
arguments (-daemonize being one of them) Then, we use
virCommandSetErrorBuffer() to read stderr of the child process
hoping to read possible error message just before the process
daemonized itself. Well, this works as long as the emulator
binary behaves.
If the binary is evil and basically does the following:
#!/bin/bash
sleep 1h
then virCommandRun() called from qemuProcessQMPLaunch() doesn't
return for whole hour (because it's stuck in reading stderr of
the child process). This behavior of ours is very suboptimal.
The solution is to not rely on the binary behaving correctly on
-daemonize argument but to daemonize the process ourselves (via
virCommandDaemonize()) and then wait for the monitor to show up
with a timeout. This in turn means, that we can no longer use
virCommandSetErrorBuffer() but we can do the equivalent with
virCommandSetErrorFD() and a bit of code.
Sure, this doesn't shield us from malicious binaries 100% but
helps preventing depletion of worker threads.
I don't think malicious binaries is a threat we need to
even contemplate. Any scenario that triggers this involves
privileged access to libvirt.
I absolutely don't want us to inject a timeout into the
startup process, as they are inherantly fragile. We worked
hard to eliminate them in normal QEMU startup, and don't
think we want them in capabilities probing either.
With regards,
Daniel
--
|:
https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|:
https://libvirt.org -o-
https://fstop138.berrange.com :|
|:
https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|