[Qemu-devel] [PATCH 0/3] Remove artificial length limits when parsing options

Daniel P. Berrangé posted 3 patches 23 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20180416111743.8473-1-berrange@redhat.com
Test checkpatch passed
Test docker-build@min-glib passed
Test docker-mingw@fedora passed
Test s390x passed
accel/accel.c          |  16 +++---
hw/i386/multiboot.c    |  33 +++++++----
include/qemu/option.h  |   3 +-
tests/test-qemu-opts.c |  18 ------
util/qemu-option.c     | 150 ++++++++++++++++++++++++++-----------------------
5 files changed, 108 insertions(+), 112 deletions(-)

[Qemu-devel] [PATCH 0/3] Remove artificial length limits when parsing options

Posted by Daniel P. Berrangé 23 weeks ago
A user trying out SMBIOS "OEM strings" feature reported that the data
they are exposing to the guest was truncated at 1023 bytes, which breaks
the app consuming in the guest. After searching for the cause I
eventually found that the QemuOpts parsing is using fixed length 1024
byte array for option values and 128 byte array for key names.

We can certainly debate whether it is sane to have such long command
line argument values (it is not sane), but if the OS was capable of
exec'ing QEMU with such an ARGV array, there is little good reason for
imposing an artificial length restriction when parsing it. Even worse is
that we silently truncate without reporting an error when hitting limits
resulting in a semantically incorrect behaviour, possibly even leading
to security flaws depending on the data that was truncated.

Thus this patch series removes the artificial length limits by killing
the fixed length buffers.

Separately I intend to make it possible to read "OEM strings" data from
a file, to avoid need to have long command line args.

Daniel P. Berrangé (3):
  accel: use g_strsplit for parsing accelerator names
  opts: don't silently truncate long parameter keys
  opts: don't silently truncate long option values

 accel/accel.c          |  16 +++---
 hw/i386/multiboot.c    |  33 +++++++----
 include/qemu/option.h  |   3 +-
 tests/test-qemu-opts.c |  18 ------
 util/qemu-option.c     | 150 ++++++++++++++++++++++++++-----------------------
 5 files changed, 108 insertions(+), 112 deletions(-)

-- 
2.14.3


Re: [Qemu-devel] [PATCH 0/3] Remove artificial length limits when parsing options

Posted by Paolo Bonzini 23 weeks ago
On 16/04/2018 13:17, Daniel P. Berrangé wrote:
> A user trying out SMBIOS "OEM strings" feature reported that the data
> they are exposing to the guest was truncated at 1023 bytes, which breaks
> the app consuming in the guest. After searching for the cause I
> eventually found that the QemuOpts parsing is using fixed length 1024
> byte array for option values and 128 byte array for key names.
> 
> We can certainly debate whether it is sane to have such long command
> line argument values (it is not sane), but if the OS was capable of
> exec'ing QEMU with such an ARGV array, there is little good reason for
> imposing an artificial length restriction when parsing it. Even worse is
> that we silently truncate without reporting an error when hitting limits
> resulting in a semantically incorrect behaviour, possibly even leading
> to security flaws depending on the data that was truncated.
> 
> Thus this patch series removes the artificial length limits by killing
> the fixed length buffers.
> 
> Separately I intend to make it possible to read "OEM strings" data from
> a file, to avoid need to have long command line args.
> 
> Daniel P. Berrangé (3):
>   accel: use g_strsplit for parsing accelerator names
>   opts: don't silently truncate long parameter keys
>   opts: don't silently truncate long option values
> 
>  accel/accel.c          |  16 +++---
>  hw/i386/multiboot.c    |  33 +++++++----
>  include/qemu/option.h  |   3 +-
>  tests/test-qemu-opts.c |  18 ------
>  util/qemu-option.c     | 150 ++++++++++++++++++++++++++-----------------------
>  5 files changed, 108 insertions(+), 112 deletions(-)
> 

Queued, thanks.

Paolo

Re: [Qemu-devel] [PATCH 0/3] Remove artificial length limits when parsing options

Posted by Markus Armbruster 23 weeks ago
Daniel P. Berrangé <berrange@redhat.com> writes:

> A user trying out SMBIOS "OEM strings" feature reported that the data
> they are exposing to the guest was truncated at 1023 bytes, which breaks
> the app consuming in the guest. After searching for the cause I
> eventually found that the QemuOpts parsing is using fixed length 1024
> byte array for option values and 128 byte array for key names.
>
> We can certainly debate whether it is sane to have such long command
> line argument values (it is not sane), but if the OS was capable of
> exec'ing QEMU with such an ARGV array, there is little good reason for
> imposing an artificial length restriction when parsing it. Even worse is
> that we silently truncate without reporting an error when hitting limits
> resulting in a semantically incorrect behaviour, possibly even leading
> to security flaws depending on the data that was truncated.
>
> Thus this patch series removes the artificial length limits by killing
> the fixed length buffers.
>
> Separately I intend to make it possible to read "OEM strings" data from
> a file, to avoid need to have long command line args.

Too bad I haven't been able to complete my quest to kill QemuOpts.

As far as I know, keyval.c's only arbitrary limit is the length of a key
fragment (the things separated by '.').

Re: [Qemu-devel] [PATCH 0/3] Remove artificial length limits when parsing options

Posted by Daniel P. Berrangé 23 weeks ago
On Mon, Apr 16, 2018 at 06:30:45PM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé <berrange@redhat.com> writes:
> 
> > A user trying out SMBIOS "OEM strings" feature reported that the data
> > they are exposing to the guest was truncated at 1023 bytes, which breaks
> > the app consuming in the guest. After searching for the cause I
> > eventually found that the QemuOpts parsing is using fixed length 1024
> > byte array for option values and 128 byte array for key names.
> >
> > We can certainly debate whether it is sane to have such long command
> > line argument values (it is not sane), but if the OS was capable of
> > exec'ing QEMU with such an ARGV array, there is little good reason for
> > imposing an artificial length restriction when parsing it. Even worse is
> > that we silently truncate without reporting an error when hitting limits
> > resulting in a semantically incorrect behaviour, possibly even leading
> > to security flaws depending on the data that was truncated.
> >
> > Thus this patch series removes the artificial length limits by killing
> > the fixed length buffers.
> >
> > Separately I intend to make it possible to read "OEM strings" data from
> > a file, to avoid need to have long command line args.
> 
> Too bad I haven't been able to complete my quest to kill QemuOpts.
> 
> As far as I know, keyval.c's only arbitrary limit is the length of a key
> fragment (the things separated by '.').

Looks like that's the same scenario I tried to address in patch 2. The
'key' part in QemuOpts has the same 128 byte limit as in the keyval.c
code. I fear that could be hit with -blockdev when setting params on
very deeply nested block backends.  On the plus side  keyval.c actually
reports an error when it hits its 128 byte limit, instead of silently
carrying on as if all was well like QemuOpts did :-)

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [Qemu-devel] [PATCH 0/3] Remove artificial length limits when parsing options

Posted by Markus Armbruster 23 weeks ago
Daniel P. Berrangé <berrange@redhat.com> writes:

> On Mon, Apr 16, 2018 at 06:30:45PM +0200, Markus Armbruster wrote:
>> Daniel P. Berrangé <berrange@redhat.com> writes:
>> 
>> > A user trying out SMBIOS "OEM strings" feature reported that the data
>> > they are exposing to the guest was truncated at 1023 bytes, which breaks
>> > the app consuming in the guest. After searching for the cause I
>> > eventually found that the QemuOpts parsing is using fixed length 1024
>> > byte array for option values and 128 byte array for key names.
>> >
>> > We can certainly debate whether it is sane to have such long command
>> > line argument values (it is not sane), but if the OS was capable of
>> > exec'ing QEMU with such an ARGV array, there is little good reason for
>> > imposing an artificial length restriction when parsing it. Even worse is
>> > that we silently truncate without reporting an error when hitting limits
>> > resulting in a semantically incorrect behaviour, possibly even leading
>> > to security flaws depending on the data that was truncated.
>> >
>> > Thus this patch series removes the artificial length limits by killing
>> > the fixed length buffers.
>> >
>> > Separately I intend to make it possible to read "OEM strings" data from
>> > a file, to avoid need to have long command line args.
>> 
>> Too bad I haven't been able to complete my quest to kill QemuOpts.
>> 
>> As far as I know, keyval.c's only arbitrary limit is the length of a key
>> fragment (the things separated by '.').
>
> Looks like that's the same scenario I tried to address in patch 2. The
> 'key' part in QemuOpts has the same 128 byte limit as in the keyval.c
> code. I fear that could be hit with -blockdev when setting params on
> very deeply nested block backends.  On the plus side  keyval.c actually
> reports an error when it hits its 128 byte limit, instead of silently
> carrying on as if all was well like QemuOpts did :-)

In keyval.c, the key (things like "a.b.c") can be arbitrarily long
(well, until g_malloc() throws in the towel), but each key fragment
("a", "b" and "c") is limited to 128 bytes.

If key length was limited there, I would've asked you to fix it there,
too.

Re: [Qemu-devel] [PATCH 0/3] Remove artificial length limits when parsing options

Posted by Daniel P. Berrangé 23 weeks ago
On Mon, Apr 16, 2018 at 08:13:42PM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé <berrange@redhat.com> writes:
> 
> > On Mon, Apr 16, 2018 at 06:30:45PM +0200, Markus Armbruster wrote:
> >> Daniel P. Berrangé <berrange@redhat.com> writes:
> >> 
> >> > A user trying out SMBIOS "OEM strings" feature reported that the data
> >> > they are exposing to the guest was truncated at 1023 bytes, which breaks
> >> > the app consuming in the guest. After searching for the cause I
> >> > eventually found that the QemuOpts parsing is using fixed length 1024
> >> > byte array for option values and 128 byte array for key names.
> >> >
> >> > We can certainly debate whether it is sane to have such long command
> >> > line argument values (it is not sane), but if the OS was capable of
> >> > exec'ing QEMU with such an ARGV array, there is little good reason for
> >> > imposing an artificial length restriction when parsing it. Even worse is
> >> > that we silently truncate without reporting an error when hitting limits
> >> > resulting in a semantically incorrect behaviour, possibly even leading
> >> > to security flaws depending on the data that was truncated.
> >> >
> >> > Thus this patch series removes the artificial length limits by killing
> >> > the fixed length buffers.
> >> >
> >> > Separately I intend to make it possible to read "OEM strings" data from
> >> > a file, to avoid need to have long command line args.
> >> 
> >> Too bad I haven't been able to complete my quest to kill QemuOpts.
> >> 
> >> As far as I know, keyval.c's only arbitrary limit is the length of a key
> >> fragment (the things separated by '.').
> >
> > Looks like that's the same scenario I tried to address in patch 2. The
> > 'key' part in QemuOpts has the same 128 byte limit as in the keyval.c
> > code. I fear that could be hit with -blockdev when setting params on
> > very deeply nested block backends.  On the plus side  keyval.c actually
> > reports an error when it hits its 128 byte limit, instead of silently
> > carrying on as if all was well like QemuOpts did :-)
> 
> In keyval.c, the key (things like "a.b.c") can be arbitrarily long
> (well, until g_malloc() throws in the towel), but each key fragment
> ("a", "b" and "c") is limited to 128 bytes.
> 
> If key length was limited there, I would've asked you to fix it there,
> too.

Agreed, if only fragments are limited, that's fine because we know that
no code ever declares a key long enough to exceed the individual fragment
size.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|