[PATCH 2/2] qemu_process: Start QEMU for caps probing more robustly

Martin Kletzander mkletzan at redhat.com
Thu Mar 17 16:15:04 UTC 2022


On Wed, Mar 16, 2022 at 04:39:36PM +0100, Michal Privoznik wrote:
>When probing QEMU capabilities, we look at whatever <emulator/>
>was specified in the domain XML and execute it with a couple of
>arguments (-daemonize being one of them). Then, we use
>virCommandSetErrorBuffer() to read stderr of the child process
>hoping to read possible error message just before the process
>daemonized itself. Well, this works as long as the emulator
>binary behaves.
>
>If the binary is evil and basically does the following:
>
>  #!/bin/bash
>  sleep 1h
>
>then virCommandRun() called from qemuProcessQMPLaunch() doesn't
>return for a whole hour (because it's stuck in reading stderr of
>the child process). This behavior of ours is very suboptimal.
>
>The solution is to not rely on the binary behaving correctly on
>-daemonize argument but to daemonize the process ourselves (via
>virCommandDaemonize()) and then wait for the monitor to show up
>with a timeout. This in turn means, that we can no longer use
>virCommandSetErrorBuffer() but we can do the equivalent with
>virCommandSetErrorFD() and a bit of code.
>
>Sure, this doesn't shield us from malicious binaries 100% but
>helps prevent the depletion of worker threads.
>
>Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>---
> src/qemu/qemu_process.c | 58 +++++++++++++++++++++++++++++------------
> src/qemu/qemu_process.h |  1 -
> 2 files changed, 42 insertions(+), 17 deletions(-)
>
>diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
>index 2e149699b0..d038f7e2ae 100644
>--- a/src/qemu/qemu_process.c
>+++ b/src/qemu/qemu_process.c
>@@ -9166,7 +9166,6 @@ qemuProcessQMPFree(qemuProcessQMP *proc)
>     g_free(proc->monpath);
>     g_free(proc->monarg);
>     g_free(proc->pidfile);
>-    g_free(proc->stdErr);
>     g_free(proc);
> }
>
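Review bot: dropping `g_free(proc->stdErr)` from qemuProcessQMPFree() is only safe if the field leaves the struct together with every reader of it; the diffstat's single-line deletion in qemu_process.h is consistent with the field going away, but the callers that previously reported proc->stdErr after a failed probe are not in this hunk, so check that the captured error text is still surfaced through the new errfd path rather than silently lost.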
>@@ -9285,7 +9284,9 @@ static int
> qemuProcessQMPLaunch(qemuProcessQMP *proc)
> {
>     const char *machine;
>-    int status = 0;
>+    VIR_AUTOCLOSE errfd = -1;
>+    virTimeBackOffVar timebackoff;
>+    const unsigned long long timeout = 30 * 1000; /* ms */
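Review bot: the local `timeout` constant at the end of this hunk is a magic number whose unit comment (`/* ms */`) reads as if the whole value were 30 ms; write the conversion out, e.g. `const unsigned long long timeout = 30 * 1000; /* 30 seconds, in ms */`, or hoist it into a named macro so it can be found and tuned. Since `errfd` is `VIR_AUTOCLOSE`, any stderr text that is to be reported has to be read and logged before qemuProcessQMPLaunch() returns; the body that consumes `errfd` and `timebackoff` is not in this hunk, so that cannot be confirmed here.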

The comment seems misleading, just say it is 30 seconds.  On that note,
30 seconds feels too much for me, but that's always subjective.

This patch also invalidates the comment in qemuProcessQMPInit() about
-daemonize.  With those two things fixed

Reviewed-by: Martin Kletzander <mkletzan at redhat.com>
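The hang the commit message describes comes from reading the child's stderr until EOF, which a binary that ignores -daemonize and simply sleeps never delivers. The following is an added example, not libvirt code and not part of this thread, showing the deadline-based alternative in plain POSIX C: the child runs in its own process group with stderr on a pipe, the parent polls that pipe against a deadline instead of reading to EOF, keeps whatever error text arrived, and kills the whole group on timeout. The function name `probe_emulator`, the use of `/bin/sh -c <script>` as a stand-in for the untrusted `<emulator/>` binary, and the timeouts are assumptions; the real patch's daemonisation via virCommandDaemonize() and wait for the monitor socket are not reproduced.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum probe_result { PROBE_OK = 0, PROBE_FAILED = 1, PROBE_TIMEOUT = 2 };

static long long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000LL + ts.tv_nsec / 1000000;
}

/* Run `script` (hypothetical stand-in for the <emulator/> binary) via
 * /bin/sh -c in its own process group with stderr on a pipe.  Collect
 * stderr until every writer has closed it (EOF) or timeout_ms elapses;
 * a child that just runs `sleep 1h` therefore costs us timeout_ms, not
 * an hour.  errbuf (errlen > 0) receives whatever text did arrive. */
enum probe_result probe_emulator(const char *script, int timeout_ms,
                                 char *errbuf, size_t errlen)
{
    int fds[2], status = 0;
    size_t used = 0;
    enum probe_result res = PROBE_OK;
    long long deadline;
    pid_t pid;

    errbuf[0] = '\0';
    if (pipe(fds) < 0)
        return PROBE_FAILED;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return PROBE_FAILED;
    }
    if (pid == 0) {
        setpgid(0, 0);                 /* own group: kill(-pid) reaches all of it */
        dup2(fds[1], STDERR_FILENO);
        close(fds[0]);
        close(fds[1]);
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);
    }
    setpgid(pid, pid);                 /* parent side of the same setpgid race */
    close(fds[1]);

    deadline = now_ms() + timeout_ms;
    for (;;) {
        long long left = deadline - now_ms();
        struct pollfd pfd = { .fd = fds[0], .events = POLLIN };
        char tmp[256];
        ssize_t r;
        int n;

        if (left <= 0 || (n = poll(&pfd, 1, (int)left)) == 0) {
            res = PROBE_TIMEOUT;       /* deadline hit: stop waiting for EOF */
            break;
        }
        if (n < 0) {
            if (errno == EINTR)
                continue;
            res = PROBE_FAILED;
            break;
        }
        r = read(fds[0], tmp, sizeof tmp);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            break;                     /* EOF: the child (and any daemonised
                                          grandchild) closed its stderr */
        if (used + 1 < errlen) {       /* keep what fits, NUL-terminated */
            size_t take = (size_t)r < errlen - used - 1 ? (size_t)r
                                                        : errlen - used - 1;
            memcpy(errbuf + used, tmp, take);
            used += take;
            errbuf[used] = '\0';
        }
    }
    close(fds[0]);

    if (res == PROBE_TIMEOUT)
        kill(-pid, SIGKILL);           /* take the whole group down, not just sh */
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
        ;
    if (res == PROBE_OK && !(WIFEXITED(status) && WEXITSTATUS(status) == 0))
        res = PROBE_FAILED;            /* exited, but reported an error */
    return res;
}

int main(void)
{
    char buf[256];
    enum probe_result r = probe_emulator("sleep 3600", 500, buf, sizeof buf);
    printf("hostile emulator: result=%d stderr=\"%s\"\n", (int)r, buf);
    return 0;
}
```

The second constructed case in the check below mimics a well-behaved `-daemonize`: the front process exits immediately, the background process writes its message and then closes stderr, so EOF arrives and the probe completes without waiting for the daemon itself to finish.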