On 12/5/19 5:08 PM, Jonathon Jongsma wrote:
We have to assume that the guest agent may be malicious, so we don't want to allow any agent queries to block any other libvirt API. By holding a monitor job and an agent job while we're querying the agent, any other threads will be blocked from using the monitor while the agent is unresponsive. Because libvirt waits forever for an agent response, this makes us vulnerable to a denial of service from a malicious (or simply buggy) guest agent. This series of patches attempts to remove any cases where we were holding both jobs at the same time, removes a convenience function which allows us to grab both jobs at once, and updates documentation regarding this issue. Jonathon Jongsma (8): qemu: don't take agent and monitor job for shutdown qemu: don't hold a monitor and agent job for reboot qemu: don't hold both jobs for suspend qemu: don't hold monitor and agent job when setting time qemu: don't hold monitor job for fsinfo qemu: don't hold monitor job for GetGuestInfo() qemu: remove use of qemuDomainObjBeginJobWithAgent() qemu: remove qemuDomainObjBegin/EndJobWithAgent() src/qemu/THREADS.txt | 58 +----- src/qemu/qemu_domain.c | 56 +----- src/qemu/qemu_domain.h | 7 - src/qemu/qemu_driver.c | 405 +++++++++++++++++++++++++---------------- 4 files changed, 258 insertions(+), 268 deletions(-)
ACK to all but 5/8 and 6/8. Also, I'm pushing patches 1-4 and 7. I'd push 8/8 also but we can't remove the function while it's still use :-D
Michal -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
