[Qemu-devel] [Bug 1687653] [NEW] QEMU-KVM / detect_zeroes causes KVM to start unlimited number of threads on Guest-Sided High-IO with big Blocksize

[Florian Strankowski]

*** This bug is a security vulnerability ***

Public security bug reported:

QEMU-KVM in combination with "detect_zeroes=on" makes a Guest able to
DoS the Host. This is possible if the Host itself has "detect_zeroes"
enabled and the Guest writes a large Chunk of data with a huge blocksize
onto the drive.

E.g.: dd if=/dev/zero of=/tmp/DoS bs=1G count=1 oflag=direct

All QEMU-Versions after implementation of detect_zeroes are affected.
Prior are unaffected. This is absolutely critical, please fix this ASAP!

#####

Provided by Dominik Csapak:

source    , bs   , count     ,    O_DIRECT, behaviour

urandom   , bs 1M, count 1024,    O_DIRECT: OK
file      , bs 1M, count 1024,    O_DIRECT: OK
/dev/zero , bs 1M, count 1024,    O_DIRECT: OK
zero file , bs 1M, count 1024,    O_DIRECT: OK
/dev/zero , bs 1G, count    1,    O_DIRECT: NOT OK
zero file , bs 1G, count    1,    O_DIRECT: NOT OK
zero file , bs 1G, count    1, no O_DIRECT: NOT OK
rand file , bs 1G, count    1,    O_DIRECT: OK
rand file , bs 1G, count    1, no O_DIRECT: OK

discard on:

urandom   , bs 1M, count 1024,    O_DIRECT: OK
rand file , bs 1M, count 1024,    O_DIRECT: OK
/dev/zero , bs 1M, count 1024,    O_DIRECT: OK
zero file , bs 1M, count 1024,    O_DIRECT: OK
/dev/zero , bs 1G, count    1,    O_DIRECT: NOT OK
zero file , bs 1G, count    1,    O_DIRECT: NOT OK
zero file , bs 1G, count    1, no O_DIRECT: NOT OK
rand file , bs 1G, count    1,    O_DIRECT: OK
rand file , bs 1G, count    1, no O_DIRECT: OK

detect_zeros off:

urandom   , bs 1M, count 1024,    O_DIRECT: OK
rand file , bs 1M, count 1024,    O_DIRECT: OK
/dev/zero , bs 1M, count 1024,    O_DIRECT: OK
zero file , bs 1M, count 1024,    O_DIRECT: OK
/dev/zero , bs 1G, count    1,    O_DIRECT: OK
zero file , bs 1G, count    1,    O_DIRECT: OK
zero file , bs 1G, count    1, no O_DIRECT: OK
rand file , bs 1G, count    1,    O_DIRECT: OK
rand file , bs 1G, count    1, no O_DIRECT: OK

#####

Provided by Florian Strankowski

bs   -    count   -    io-threads

512K -    2048    -    2
1M   -    1024    -    2
2M   -     512    -    4
4M   -     256    -    6
8M   -     128    -    10
16M  -      64    -    18
32M  -      32    -    uncountable

Please refer to further information here:

https://bugzilla.proxmox.com/show_bug.cgi?id=1368

** Affects: qemu
     Importance: Undecided
         Status: Confirmed


** Tags: critical denial dos of service vuln

** Attachment added: "damn.png"
   https://bugs.launchpad.net/bugs/1687653/+attachment/4870894/+files/damn.png

** Information type changed from Private Security to Public

** Information type changed from Public to Public Security

** Information type changed from Public Security to Private Security

** Information type changed from Private Security to Public Security

** Changed in: qemu
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1687653

Title:
  QEMU-KVM / detect_zeroes causes KVM to start unlimited number of
  threads on Guest-Sided High-IO with big Blocksize

Status in QEMU:
  Confirmed

Bug description:
  QEMU-KVM in combination with "detect_zeroes=on" makes a Guest able to
  DoS the Host. This is possible if the Host itself has "detect_zeroes"
  enabled and the Guest writes a large Chunk of data with a huge
  blocksize onto the drive.

  E.g.: dd if=/dev/zero of=/tmp/DoS bs=1G count=1 oflag=direct

  All QEMU-Versions after implementation of detect_zeroes are affected.
  Prior are unaffected. This is absolutely critical, please fix this
  ASAP!

  #####

  Provided by Dominik Csapak:

  source    , bs   , count     ,    O_DIRECT, behaviour

  urandom   , bs 1M, count 1024,    O_DIRECT: OK
  file      , bs 1M, count 1024,    O_DIRECT: OK
  /dev/zero , bs 1M, count 1024,    O_DIRECT: OK
  zero file , bs 1M, count 1024,    O_DIRECT: OK
  /dev/zero , bs 1G, count    1,    O_DIRECT: NOT OK
  zero file , bs 1G, count    1,    O_DIRECT: NOT OK
  zero file , bs 1G, count    1, no O_DIRECT: NOT OK
  rand file , bs 1G, count    1,    O_DIRECT: OK
  rand file , bs 1G, count    1, no O_DIRECT: OK

  discard on:

  urandom   , bs 1M, count 1024,    O_DIRECT: OK
  rand file , bs 1M, count 1024,    O_DIRECT: OK
  /dev/zero , bs 1M, count 1024,    O_DIRECT: OK
  zero file , bs 1M, count 1024,    O_DIRECT: OK
  /dev/zero , bs 1G, count    1,    O_DIRECT: NOT OK
  zero file , bs 1G, count    1,    O_DIRECT: NOT OK
  zero file , bs 1G, count    1, no O_DIRECT: NOT OK
  rand file , bs 1G, count    1,    O_DIRECT: OK
  rand file , bs 1G, count    1, no O_DIRECT: OK

  detect_zeros off:

  urandom   , bs 1M, count 1024,    O_DIRECT: OK
  rand file , bs 1M, count 1024,    O_DIRECT: OK
  /dev/zero , bs 1M, count 1024,    O_DIRECT: OK
  zero file , bs 1M, count 1024,    O_DIRECT: OK
  /dev/zero , bs 1G, count    1,    O_DIRECT: OK
  zero file , bs 1G, count    1,    O_DIRECT: OK
  zero file , bs 1G, count    1, no O_DIRECT: OK
  rand file , bs 1G, count    1,    O_DIRECT: OK
  rand file , bs 1G, count    1, no O_DIRECT: OK

  #####

  Provided by Florian Strankowski

  bs   -    count   -    io-threads

  512K -    2048    -    2
  1M   -    1024    -    2
  2M   -     512    -    4
  4M   -     256    -    6
  8M   -     128    -    10
  16M  -      64    -    18
  32M  -      32    -    uncountable

  Please refer to further information here:

  https://bugzilla.proxmox.com/show_bug.cgi?id=1368

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1687653/+subscriptions