[libvirt PATCH 0/3] cpu: Make unknown XML elements fail CPU comparison

Tim Wiederhake posted 3 patches 3 years, 6 months ago
Test syntax-check failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20200916133356.510807-1-twiederh@redhat.com
src/conf/cpu_conf.c                          | 38 ++++++++++++++++++++
tests/cputest.c                              | 15 +++++---
tests/cputestdata/x86_64-bogus-attribute.xml |  2 ++
tests/cputestdata/x86_64-bogus-element.xml   |  3 ++
4 files changed, 54 insertions(+), 4 deletions(-)
create mode 100644 tests/cputestdata/x86_64-bogus-attribute.xml
create mode 100644 tests/cputestdata/x86_64-bogus-element.xml
[libvirt PATCH 0/3] cpu: Make unknown XML elements fail CPU comparison
Posted by Tim Wiederhake 3 years, 6 months ago
We currently ignore unknown elements in the CPU XML description, e.g. with vi=
rsh
cpu-compare and hypervisor-cpu-compare. This makes '<cpu><faeture name=3D"...=
"/></cpu>'
(note the typo in "faeture") semantically identic to '<cpu/>'. No error is re=
ported.

This series adds checks for unrecognized attributes and elements in the "<cpu=
>" element,
catching this kind of mistake.

An alternative approach to this problem would be to create a new schema, whic=
h might
turn out awkward as cpu-compare and hypervisor-cpu-compare accept a wide rang=
e of
cpu descriptions, including full domain, capabilities, and domainCapabilities=
 XML.

Tim Wiederhake (3):
  tests: Allow cpuTestLoadXML to fail for the guest if we expect it the
    test to fail
  tests: Ensure that cpu comparison fails in the presence of unknown xml
    elements
  cpu: Fail CPU comparison in the presence of unknown elements.

 src/conf/cpu_conf.c                          | 38 ++++++++++++++++++++
 tests/cputest.c                              | 15 +++++---
 tests/cputestdata/x86_64-bogus-attribute.xml |  2 ++
 tests/cputestdata/x86_64-bogus-element.xml   |  3 ++
 4 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100644 tests/cputestdata/x86_64-bogus-attribute.xml
 create mode 100644 tests/cputestdata/x86_64-bogus-element.xml

--=20
2.26.2


Re: [libvirt PATCH 0/3] cpu: Make unknown XML elements fail CPU comparison
Posted by Daniel P. Berrangé 3 years, 6 months ago
On Wed, Sep 16, 2020 at 03:33:53PM +0200, Tim Wiederhake wrote:
> We currently ignore unknown elements in the CPU XML description, e.g. with vi=
> rsh
> cpu-compare and hypervisor-cpu-compare. This makes '<cpu><faeture name=3D"...=
> "/></cpu>'
> (note the typo in "faeture") semantically identic to '<cpu/>'. No error is re=
> ported.

This is an intentional implementation choice in libvirt. The XML documents
that we're parsing are way to large and complex for us to justify adding
code to report errors for every invalid attribute or child element name.

We provide an RNG schema, however, which declares the valid set of attrs
and thus by running RNG schema validation, a client can get a error report
of invalid info.

We enable this validation by default in "virsh edit" and a few other
similar commands.

There are certainly libvirt APIs though which accept XML and don't have
a flag defined to enable RNG schema validation. I presume the CPU APIs
are one such case.  We should add support for validation to all such
APIs accepting XML documents, and wire it up in virsh.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [libvirt PATCH 0/3] cpu: Make unknown XML elements fail CPU comparison
Posted by Tim Wiederhake 3 years, 6 months ago
On Wed, 2020-09-16 at 14:48 +0100, Daniel P. Berrangé wrote:
> On Wed, Sep 16, 2020 at 03:33:53PM +0200, Tim Wiederhake wrote:
> > We currently ignore unknown elements in the CPU XML description,
> > e.g. with vi=
> > rsh
> > cpu-compare and hypervisor-cpu-compare. This makes '<cpu><faeture
> > name=3D"...=
> > "/></cpu>'
> > (note the typo in "faeture") semantically identic to '<cpu/>'. No
> > error is re=
> > ported.
> 
> This is an intentional implementation choice in libvirt. The XML
> documents
> that we're parsing are way to large and complex for us to justify
> adding
> code to report errors for every invalid attribute or child element
> name.
>
> We provide an RNG schema, however, which declares the valid set of
> attrs
> and thus by running RNG schema validation, a client can get a error
> report
> of invalid info.
> 
> We enable this validation by default in "virsh edit" and a few other
> similar commands.
> 
> There are certainly libvirt APIs though which accept XML and don't
> have
> a flag defined to enable RNG schema validation. I presume the CPU
> APIs
> are one such case.  We should add support for validation to all such
> APIs accepting XML documents, and wire it up in virsh.
> 
> Regards,
> Daniel

Hi Daniel, all,

thanks for the input!

My first attempt at the problem I described did in fact employ RNG
schema validation on the xml documents describing the CPU. The problem
though with that approach is that `virsh [hypervisor-]cpu-compare` can
consume quite different xml documents. The tests add more possible
document types, e.g. multicpu, which force the schema for a validation
performed in `virCPUDefParseXML` to basically import all other schemas
(which produced some naming conflicts that I was unable to solve) and,
secondly, perform a lot of unneccessary validation.

I created a schema that would perform only a check for "unknown"
elements and attributes in the cpu element and ignore everything else.
I attached this for your entertainment. There you can see what I meant
with "different xml documents".

Copying / moving the node into a new document just for validation seems
not like an elegant solution (if possible at all) and I am unsure about
potential performance impact.

The best solution in my opinion would be to not perform XPath
evaluation in the parser, but instead use some stream parser and error
out if the parser encounteres an element with an unknown name.

The next best solution in my opinion is the one you reviewed. I agree
with all comments made that this is far from perfect, but at least it
would trigger visible test fails when / if new elements and attributes
are added without that list being expanded.

I will further explore whether it is possible to do node-only
validation without creating an include-everything schema, but I would
be grateful for any hint or suggestion in that direction. We should
have at least some error reporting in the case I described initially.

Thanks,
Tim
Re: [libvirt PATCH 0/3] cpu: Make unknown XML elements fail CPU comparison
Posted by Peter Krempa 3 years, 6 months ago
On Thu, Sep 17, 2020 at 15:20:18 +0200, Tim Wiederhake wrote:
> On Wed, 2020-09-16 at 14:48 +0100, Daniel P. Berrangé wrote:
> > On Wed, Sep 16, 2020 at 03:33:53PM +0200, Tim Wiederhake wrote:
> > > We currently ignore unknown elements in the CPU XML description,
> > > e.g. with vi=
> > > rsh
> > > cpu-compare and hypervisor-cpu-compare. This makes '<cpu><faeture
> > > name=3D"...=
> > > "/></cpu>'
> > > (note the typo in "faeture") semantically identic to '<cpu/>'. No
> > > error is re=
> > > ported.
> > 
> > This is an intentional implementation choice in libvirt. The XML
> > documents
> > that we're parsing are way to large and complex for us to justify
> > adding
> > code to report errors for every invalid attribute or child element
> > name.
> >
> > We provide an RNG schema, however, which declares the valid set of
> > attrs
> > and thus by running RNG schema validation, a client can get a error
> > report
> > of invalid info.
> > 
> > We enable this validation by default in "virsh edit" and a few other
> > similar commands.
> > 
> > There are certainly libvirt APIs though which accept XML and don't
> > have
> > a flag defined to enable RNG schema validation. I presume the CPU
> > APIs
> > are one such case.  We should add support for validation to all such
> > APIs accepting XML documents, and wire it up in virsh.
> > 
> > Regards,
> > Daniel
> 
> Hi Daniel, all,
> 
> thanks for the input!
> 
> My first attempt at the problem I described did in fact employ RNG
> schema validation on the xml documents describing the CPU. The problem
> though with that approach is that `virsh [hypervisor-]cpu-compare` can
> consume quite different xml documents. The tests add more possible
> document types, e.g. multicpu, which force the schema for a validation
> performed in `virCPUDefParseXML` to basically import all other schemas
> (which produced some naming conflicts that I was unable to solve) and,
> secondly, perform a lot of unneccessary validation.
> 
> I created a schema that would perform only a check for "unknown"
> elements and attributes in the cpu element and ignore everything else.
> I attached this for your entertainment. There you can see what I meant
> with "different xml documents".

IMO that would not be very useful. The premise of rejecting just unknown
elements itself as described by the bug is IMO flawed and not very
useful.

Fixing this bug makes only sense when we actually validate the whole
schema.

> Copying / moving the node into a new document just for validation seems
> not like an elegant solution (if possible at all) and I am unsure about
> potential performance impact.

IMO the CPU comparison APIs aren't on any hot path so wasting a few
cycles here especially only when enabled by an API flag (since
validation must be enabled only as an opt-in as we were accepting broken
XMLs before, if they had valid parts in them) seems to be better than
the proposed solution with ad-hoc code validator.

> The best solution in my opinion would be to not perform XPath
> evaluation in the parser, but instead use some stream parser and error
> out if the parser encounteres an element with an unknown name.

libxml doesn't seem to support such mode. Inventing a new parser just
for this is a waste of time.

> The next best solution in my opinion is the one you reviewed. I agree
> with all comments made that this is far from perfect, but at least it
> would trigger visible test fails when / if new elements and attributes
> are added without that list being expanded.

I disagree. IMO the next best solution after RNG validation is just not
fixing it at all. The bug itself doesn't warant inventing ad-hoc
solutions for just this special case.

> I will further explore whether it is possible to do node-only
> validation without creating an include-everything schema, but I would
> be grateful for any hint or suggestion in that direction. We should
> have at least some error reporting in the case I described initially.

I'd say don't bother with that.