From: Stefan Hajnoczi <stefanha@gmail.com>
To: Ashijeet Acharya <ashijeetacharya@gmail.com>
Cc: kwolf@redhat.com, jsnow@redhat.com, mreitz@redhat.com,
famz@redhat.com, peter@lekensteyn.nl, qemu-devel@nongnu.org,
qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v2 0/7] Refactor DMG driver to have chunk size independence
Date: Fri, 5 May 2017 14:59:31 +0100 [thread overview]
Message-ID: <20170505135931.GH11350@stefanha-x1.localdomain> (raw)
In-Reply-To: <1493280397-9622-1-git-send-email-ashijeetacharya@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2277 bytes --]
On Thu, Apr 27, 2017 at 01:36:30PM +0530, Ashijeet Acharya wrote:
> This series helps to provide chunk size independence for DMG driver to prevent
> denial-of-service in cases where untrusted files are being accessed by the user.
The core of the chunk size dependence problem are these lines:
s->compressed_chunk = qemu_try_blockalign(bs->file->bs,
ds.max_compressed_size + 1);
s->uncompressed_chunk = qemu_try_blockalign(bs->file->bs,
512 * ds.max_sectors_per_chunk);
The refactoring needs to eliminate these buffers because their size is
controlled by the untrusted input file.
After applying your patches these lines remain unchanged and we still
cannot use input files that have a 250 MB chunk size, for example. So
I'm not sure how this series is supposed to work.
Here is the approach I would take:
In order to achieve this dmg_read_chunk() needs to be scrapped. It is
designed to read a full chunk. The new model does not read full chunks
anymore.
Uncompressed reads or zeroes should operate directly on qiov, not
s->uncompressed_chunk. This code will be dropped:
data = s->uncompressed_chunk + sector_offset_in_chunk * 512;
qemu_iovec_from_buf(qiov, i * 512, data, 512);
Compressed reads still buffers. I suggest the following buffers:
1. compressed_buf - compressed data is read into this buffer from file
2. uncompressed_buf - a place to discard decompressed data while
simulating a seek operation
Data is read from compressed chunks by reading a reasonable amount
(64k?) into compressed_buf. If the user wishes to read at an offset
into this chunk then a loop decompresses data we are seeking over into
uncompressed_buf (and refills compressed_buf if it becomes empty) until
the desired offset is reached. Then decompression can continue
directly into the user's qiov and uncompressed_buf isn't used to
decompress the data requested by the user.
Sequential compressed reads can be optimized by keeping the compression
state across read calls. That means the zlib/bz2 state plus
compressed_buf and the current offset. That way we don't need to
re-seek into the current compressed chunk to handle sequential reads.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
next prev parent reply other threads:[~2017-05-05 13:59 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-27 8:06 [Qemu-devel] [PATCH v2 0/7] Refactor DMG driver to have chunk size independence Ashijeet Acharya
2017-04-27 8:06 ` [Qemu-devel] [PATCH v2 1/7] dmg: Introduce a new struct to cache random access points Ashijeet Acharya
2017-05-05 13:12 ` Stefan Hajnoczi
2017-04-27 8:06 ` [Qemu-devel] [PATCH v2 2/7] dmg: New function to help us cache random access point Ashijeet Acharya
2017-04-27 8:06 ` [Qemu-devel] [PATCH v2 3/7] dmg: Refactor and prepare dmg_read_chunk() to cache random access points Ashijeet Acharya
2017-05-05 13:33 ` Stefan Hajnoczi
2017-04-27 8:06 ` [Qemu-devel] [PATCH v2 4/7] dmg: Handle zlib compressed chunks Ashijeet Acharya
2017-04-27 8:06 ` [Qemu-devel] [PATCH v2 5/7] dmg: Handle bz2 compressed/raw/zeroed chunks Ashijeet Acharya
2017-04-27 8:06 ` [Qemu-devel] [PATCH v2 6/7] dmg: Refactor dmg_co_preadv() to start reading multiple sectors Ashijeet Acharya
2017-04-27 8:06 ` [Qemu-devel] [PATCH v2 7/7] dmg: Limit the output buffer size to a max of 2MB Ashijeet Acharya
2017-04-27 20:59 ` [Qemu-devel] [PATCH v2 0/7] Refactor DMG driver to have chunk size independence Ashijeet Acharya
2017-05-05 13:06 ` Stefan Hajnoczi
2017-05-05 13:59 ` Stefan Hajnoczi [this message]
2017-08-20 12:47 ` Ashijeet Acharya
2017-08-29 15:25 ` Stefan Hajnoczi
2017-08-30 13:02 ` Ashijeet Acharya
2017-09-05 10:58 ` Stefan Hajnoczi
2017-09-05 11:09 ` Ashijeet Acharya
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170505135931.GH11350@stefanha-x1.localdomain \
--to=stefanha@gmail.com \
--cc=ashijeetacharya@gmail.com \
--cc=famz@redhat.com \
--cc=jsnow@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=peter@lekensteyn.nl \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.