[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [Bug 1687653] [NEW] QEMU-KVM / detect_zeroes causes KVM to
From: |
Florian Strankowski |
Subject: |
[Qemu-devel] [Bug 1687653] [NEW] QEMU-KVM / detect_zeroes causes KVM to start unlimited number of threads on Guest-Sided High-IO with big Blocksize |
Date: |
Tue, 02 May 2017 15:53:11 -0000 |
*** This bug is a security vulnerability ***
Public security bug reported:
QEMU-KVM in combination with "detect_zeroes=on" makes a Guest able to
DoS the Host. This is possible if the Host itself has "detect_zeroes"
enabled and the Guest writes a large Chunk of data with a huge blocksize
onto the drive.
E.g.: dd if=/dev/zero of=/tmp/DoS bs=1G count=1 oflag=direct
All QEMU-Versions after implementation of detect_zeroes are affected.
Prior are unaffected. This is absolutely critical, please fix this ASAP!
#####
Provided by Dominik Csapak:
source , bs , count , O_DIRECT, behaviour
urandom , bs 1M, count 1024, O_DIRECT: OK
file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1M, count 1024, O_DIRECT: OK
zero file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1G, count 1, O_DIRECT: NOT OK
zero file , bs 1G, count 1, O_DIRECT: NOT OK
zero file , bs 1G, count 1, no O_DIRECT: NOT OK
rand file , bs 1G, count 1, O_DIRECT: OK
rand file , bs 1G, count 1, no O_DIRECT: OK
discard on:
urandom , bs 1M, count 1024, O_DIRECT: OK
rand file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1M, count 1024, O_DIRECT: OK
zero file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1G, count 1, O_DIRECT: NOT OK
zero file , bs 1G, count 1, O_DIRECT: NOT OK
zero file , bs 1G, count 1, no O_DIRECT: NOT OK
rand file , bs 1G, count 1, O_DIRECT: OK
rand file , bs 1G, count 1, no O_DIRECT: OK
detect_zeros off:
urandom , bs 1M, count 1024, O_DIRECT: OK
rand file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1M, count 1024, O_DIRECT: OK
zero file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1G, count 1, O_DIRECT: OK
zero file , bs 1G, count 1, O_DIRECT: OK
zero file , bs 1G, count 1, no O_DIRECT: OK
rand file , bs 1G, count 1, O_DIRECT: OK
rand file , bs 1G, count 1, no O_DIRECT: OK
#####
Provided by Florian Strankowski
bs - count - io-threads
512K - 2048 - 2
1M - 1024 - 2
2M - 512 - 4
4M - 256 - 6
8M - 128 - 10
16M - 64 - 18
32M - 32 - uncountable
Please refer to further information here:
https://bugzilla.proxmox.com/show_bug.cgi?id=1368
** Affects: qemu
Importance: Undecided
Status: Confirmed
** Tags: critical denial dos of service vuln
** Attachment added: "damn.png"
https://bugs.launchpad.net/bugs/1687653/+attachment/4870894/+files/damn.png
** Information type changed from Private Security to Public
** Information type changed from Public to Public Security
** Information type changed from Public Security to Private Security
** Information type changed from Private Security to Public Security
** Changed in: qemu
Status: New => Confirmed
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1687653
Title:
QEMU-KVM / detect_zeroes causes KVM to start unlimited number of
threads on Guest-Sided High-IO with big Blocksize
Status in QEMU:
Confirmed
Bug description:
QEMU-KVM in combination with "detect_zeroes=on" makes a Guest able to
DoS the Host. This is possible if the Host itself has "detect_zeroes"
enabled and the Guest writes a large Chunk of data with a huge
blocksize onto the drive.
E.g.: dd if=/dev/zero of=/tmp/DoS bs=1G count=1 oflag=direct
All QEMU-Versions after implementation of detect_zeroes are affected.
Prior are unaffected. This is absolutely critical, please fix this
ASAP!
#####
Provided by Dominik Csapak:
source , bs , count , O_DIRECT, behaviour
urandom , bs 1M, count 1024, O_DIRECT: OK
file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1M, count 1024, O_DIRECT: OK
zero file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1G, count 1, O_DIRECT: NOT OK
zero file , bs 1G, count 1, O_DIRECT: NOT OK
zero file , bs 1G, count 1, no O_DIRECT: NOT OK
rand file , bs 1G, count 1, O_DIRECT: OK
rand file , bs 1G, count 1, no O_DIRECT: OK
discard on:
urandom , bs 1M, count 1024, O_DIRECT: OK
rand file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1M, count 1024, O_DIRECT: OK
zero file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1G, count 1, O_DIRECT: NOT OK
zero file , bs 1G, count 1, O_DIRECT: NOT OK
zero file , bs 1G, count 1, no O_DIRECT: NOT OK
rand file , bs 1G, count 1, O_DIRECT: OK
rand file , bs 1G, count 1, no O_DIRECT: OK
detect_zeros off:
urandom , bs 1M, count 1024, O_DIRECT: OK
rand file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1M, count 1024, O_DIRECT: OK
zero file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1G, count 1, O_DIRECT: OK
zero file , bs 1G, count 1, O_DIRECT: OK
zero file , bs 1G, count 1, no O_DIRECT: OK
rand file , bs 1G, count 1, O_DIRECT: OK
rand file , bs 1G, count 1, no O_DIRECT: OK
#####
Provided by Florian Strankowski
bs - count - io-threads
512K - 2048 - 2
1M - 1024 - 2
2M - 512 - 4
4M - 256 - 6
8M - 128 - 10
16M - 64 - 18
32M - 32 - uncountable
Please refer to further information here:
https://bugzilla.proxmox.com/show_bug.cgi?id=1368
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1687653/+subscriptions
- [Qemu-devel] [Bug 1687653] [NEW] QEMU-KVM / detect_zeroes causes KVM to start unlimited number of threads on Guest-Sided High-IO with big Blocksize,
Florian Strankowski <=
- [Qemu-devel] [Bug 1687653] Re: QEMU-KVM / detect_zeroes causes KVM to start unlimited number of threads on Guest-Sided High-IO with big Blocksize, Florian Strankowski, 2017/05/02
- [Qemu-devel] [Bug 1687653] Re: QEMU-KVM / detect_zeroes causes KVM to start unlimited number of threads on Guest-Sided High-IO with big Blocksize, Florian Strankowski, 2017/05/02
- [Qemu-devel] [Bug 1687653] Re: QEMU-KVM / detect_zeroes causes KVM to start unlimited number of threads on Guest-Sided High-IO with big Blocksize, Florian Strankowski, 2017/05/02
- [Qemu-devel] [Bug 1687653] Re: QEMU-KVM / detect_zeroes causes KVM to start unlimited number of threads on Guest-Sided High-IO with big Blocksize, Launchpad Bug Tracker, 2017/05/03
- [Qemu-devel] [Bug 1687653] Re: QEMU-KVM / detect_zeroes causes KVM to start unlimited number of threads on Guest-Sided High-IO with big Blocksize, Stefan Hajnoczi, 2017/05/03
- [Qemu-devel] [Bug 1687653] Re: QEMU-KVM / detect_zeroes causes KVM to start unlimited number of threads on Guest-Sided High-IO with big Blocksize, Florian Strankowski, 2017/05/03
- [Qemu-devel] [Bug 1687653] Re: QEMU-KVM / detect_zeroes causes KVM to start unlimited number of threads on Guest-Sided High-IO with big Blocksize, Stefan Hajnoczi, 2017/05/03