[Qemu-devel] [PATCH v2 0/7] Limit websockets memory usage & other bug fixes

Daniel P. Berrange posted 7 patches 6 years, 5 months ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20171011100959.29326-1-berrange@redhat.com
Posted by Daniel P. Berrange 6 years, 5 months ago
The core motivation for this patch series is to fix a security
issue publicly reported, where websockets code can consume
arbitrary amounts of RAM with slow clients:

   https://bugs.launchpad.net/qemu/+bug/1718964

I've asked for a CVE but it's not assigned yet. Since the bug
is public we might as well get on with code review while waiting
for the CVE number.

The first patch is the minimum required to fix the actual CVE
in git master, taking advantage of how we know the VNC server
will call us. The 5th patch lets us tighten up buffer limiting
of writes further, so we're not making assumptions about VNC
server code.

The websockets code is broken right back to the day it was
merged in QEMU 1.2.1.

The fix in patch 1 can apply to stable branches from 2.6 -> 2.10
inclusive, provided another fix from master is cherry-picked
first

  commit eefa3d8ef649f9055611361e2201cca49f8c3433
  Author: Brandon Carpenter <brandon.carpenter@cypherpath.com>
  Date:   Tue Sep 12 08:21:48 2017 -0700

    io: Small updates in preparation for websocket changes

since that refactors code duplication in the GSource impl.
Once we merge for master, I'll send a patch to qemu-stable.

Versions prior to 2.6 would require a fix to be done in
the ui/vnc.c file vnc_update_client method instead. It
would need to check vs->ws_output buffer size. I'm not
intending to write any such patch - this is just info in
case anyone is stuck on such ancient versions and needs
to figure out a fix.

Changed in v2:

  - Correctly index the struct iovec array when encoding (Eric)
  - Change ping_remain to pong_remain (Eric)
  - Misc typos (Eric)

Daniel P. Berrange (7):
  io: monitor encoutput buffer size from websocket GSource
  io: simplify websocket ping reply handling
  io: get rid of qio_channel_websock_encode helper method
  io: pass a struct iovec into qio_channel_websock_encode
  io: get rid of bounce buffering in websock write path
  io: cope with websock 'Connection' header having multiple values
  io: add trace points for websocket HTTP protocol headers

 include/io/channel-websock.h |   3 +-
 io/channel-websock.c         | 163 ++++++++++++++++++++++++-------------------
 io/trace-events              |   2 +
 3 files changed, 93 insertions(+), 75 deletions(-)

-- 
2.13.5