* [Qemu-devel] [PATCH 0/3] RfC: add support for deprecated devices. @ 2018-10-25 8:52 Gerd Hoffmann 2018-10-25 8:52 ` [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass Gerd Hoffmann ` (2 more replies) 0 siblings, 3 replies; 35+ messages in thread From: Gerd Hoffmann @ 2018-10-25 8:52 UTC (permalink / raw) To: qemu-devel; +Cc: libvir-list, Gerd Hoffmann, Prasad J Pandit Works simliar to machine types, by adding a deprecation_reason field (using the same name for easy grepping). Also deprecate two devices: adlib and cirrus. This is tagged as RfC because the deprecation notice is not added to introspecction yet. Gerd Hoffmann (3): qdev: add deprecation_reason to DeviceClass adlib: mark as insecure and deprecated. cirrus: mark as deprecated hw/audio/adlib.c | 1 + hw/core/qdev.c | 9 ++++++++- hw/display/cirrus_vga.c | 2 ++ hw/display/cirrus_vga_isa.c | 2 ++ include/hw/qdev-core.h | 1 + qdev-monitor.c | 7 +++++++ qemu-deprecated.texi | 8 ++++++++ 7 files changed, 29 insertions(+), 1 deletion(-) -- 2.9.3 ^ permalink raw reply [flat|nested] 35+ messages in thread
* [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass 2018-10-25 8:52 [Qemu-devel] [PATCH 0/3] RfC: add support for deprecated devices Gerd Hoffmann @ 2018-10-25 8:52 ` Gerd Hoffmann 2018-10-25 10:50 ` P J P 2018-10-25 11:12 ` Philippe Mathieu-Daudé 2018-10-25 8:52 ` [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated Gerd Hoffmann 2018-10-25 8:52 ` [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated Gerd Hoffmann 2 siblings, 2 replies; 35+ messages in thread From: Gerd Hoffmann @ 2018-10-25 8:52 UTC (permalink / raw) To: qemu-devel; +Cc: libvir-list, Gerd Hoffmann, Prasad J Pandit Simliar to deprecated machine types. Print a warning when creating a deprecated device. Add deprecation notice to -device help. TODO: add to intospection. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> --- hw/core/qdev.c | 9 ++++++++- include/hw/qdev-core.h | 1 + qdev-monitor.c | 7 +++++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/hw/core/qdev.c b/hw/core/qdev.c index 046d8f1..3b27a74 100644 --- a/hw/core/qdev.c +++ b/hw/core/qdev.c @@ -133,11 +133,18 @@ DeviceState *qdev_create(BusState *bus, const char *name) DeviceState *qdev_try_create(BusState *bus, const char *type) { + DeviceClass *dc; DeviceState *dev; - if (object_class_by_name(type) == NULL) { + dc = DEVICE_CLASS(object_class_by_name(type)); + if (dc == NULL) { return NULL; } + if (dc->deprecation_reason) { + warn_report("device %s is deprecated (%s)", + type, dc->deprecation_reason); + } + dev = DEVICE(object_new(type)); if (!dev) { return NULL; diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h index a24d0dd..a352eaa 100644 --- a/include/hw/qdev-core.h +++ b/include/hw/qdev-core.h @@ -105,6 +105,7 @@ typedef struct DeviceClass { */ bool user_creatable; bool hotpluggable; + const char *deprecation_reason; /* callbacks */ DeviceReset reset; diff --git a/qdev-monitor.c b/qdev-monitor.c index 802c18a..bbba2bc 100644 --- a/qdev-monitor.c +++ b/qdev-monitor.c @@ -128,6 +128,9 @@ static void qdev_print_devinfo(DeviceClass *dc) if (!dc->user_creatable) { out_printf(", no-user"); } + if (!dc->deprecation_reason) { + out_printf(", deprecated"); + } out_printf("\n"); } @@ -579,6 +582,10 @@ DeviceState *qdev_device_add(QemuOpts *opts, Error **errp) if (!dc) { return NULL; } + if (dc->deprecation_reason) { + warn_report("device %s is deprecated (%s)", + driver, dc->deprecation_reason); + } /* find bus */ path = qemu_opt_get(opts, "bus"); -- 2.9.3 ^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass 2018-10-25 8:52 ` [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass Gerd Hoffmann @ 2018-10-25 10:50 ` P J P 2018-10-25 11:12 ` Philippe Mathieu-Daudé 1 sibling, 0 replies; 35+ messages in thread From: P J P @ 2018-10-25 10:50 UTC (permalink / raw) To: Gerd Hoffmann; +Cc: qemu-devel, libvir-list +-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+ | Simliar to deprecated machine types. | Print a warning when creating a deprecated device. | Add deprecation notice to -device help. | | TODO: add to intospection. s/intospection/introspection ..? | diff --git a/hw/core/qdev.c b/hw/core/qdev.c | index 046d8f1..3b27a74 100644 | --- a/hw/core/qdev.c | +++ b/hw/core/qdev.c | @@ -133,11 +133,18 @@ DeviceState *qdev_create(BusState *bus, const char *name) | | DeviceState *qdev_try_create(BusState *bus, const char *type) | { | + DeviceClass *dc; | DeviceState *dev; | | - if (object_class_by_name(type) == NULL) { | + dc = DEVICE_CLASS(object_class_by_name(type)); | + if (dc == NULL) { | return NULL; | } | + if (dc->deprecation_reason) { | + warn_report("device %s is deprecated (%s)", | + type, dc->deprecation_reason); | + } | + | dev = DEVICE(object_new(type)); | if (!dev) { | return NULL; | diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h | index a24d0dd..a352eaa 100644 | --- a/include/hw/qdev-core.h | +++ b/include/hw/qdev-core.h | @@ -105,6 +105,7 @@ typedef struct DeviceClass { | */ | bool user_creatable; | bool hotpluggable; | + const char *deprecation_reason; | | /* callbacks */ | DeviceReset reset; | diff --git a/qdev-monitor.c b/qdev-monitor.c | index 802c18a..bbba2bc 100644 | --- a/qdev-monitor.c | +++ b/qdev-monitor.c | @@ -128,6 +128,9 @@ static void qdev_print_devinfo(DeviceClass *dc) | if (!dc->user_creatable) { | out_printf(", no-user"); | } | + if (!dc->deprecation_reason) { | + out_printf(", deprecated"); | + } | out_printf("\n"); | } | | @@ -579,6 +582,10 @@ DeviceState *qdev_device_add(QemuOpts *opts, Error **errp) | if (!dc) { | return NULL; | } | + if (dc->deprecation_reason) { | + warn_report("device %s is deprecated (%s)", | + driver, dc->deprecation_reason); | + } | | /* find bus */ | path = qemu_opt_get(opts, "bus"); | Looks good. Should 'deprecation_reason' be listed in qdev_device_help()? Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass 2018-10-25 8:52 ` [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass Gerd Hoffmann 2018-10-25 10:50 ` P J P @ 2018-10-25 11:12 ` Philippe Mathieu-Daudé 2018-10-29 9:19 ` Gerd Hoffmann 1 sibling, 1 reply; 35+ messages in thread From: Philippe Mathieu-Daudé @ 2018-10-25 11:12 UTC (permalink / raw) To: Gerd Hoffmann, qemu-devel; +Cc: libvir-list, Prasad J Pandit Hi Gerd, On 25/10/18 10:52, Gerd Hoffmann wrote: > Simliar to deprecated machine types. "Similar" > Print a warning when creating a deprecated device. > Add deprecation notice to -device help. > > TODO: add to intospection. "introspection" Do we want the TODO in the git history? > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > hw/core/qdev.c | 9 ++++++++- > include/hw/qdev-core.h | 1 + > qdev-monitor.c | 7 +++++++ > 3 files changed, 16 insertions(+), 1 deletion(-) > > diff --git a/hw/core/qdev.c b/hw/core/qdev.c > index 046d8f1..3b27a74 100644 > --- a/hw/core/qdev.c > +++ b/hw/core/qdev.c > @@ -133,11 +133,18 @@ DeviceState *qdev_create(BusState *bus, const char *name) > > DeviceState *qdev_try_create(BusState *bus, const char *type) > { > + DeviceClass *dc; > DeviceState *dev; > > - if (object_class_by_name(type) == NULL) { > + dc = DEVICE_CLASS(object_class_by_name(type)); > + if (dc == NULL) { > return NULL; > } > + if (dc->deprecation_reason) { > + warn_report("device %s is deprecated (%s)", > + type, dc->deprecation_reason); > + } > + > dev = DEVICE(object_new(type)); > if (!dev) { > return NULL; > diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h > index a24d0dd..a352eaa 100644 > --- a/include/hw/qdev-core.h > +++ b/include/hw/qdev-core.h > @@ -105,6 +105,7 @@ typedef struct DeviceClass { > */ > bool user_creatable; > bool hotpluggable; > + const char *deprecation_reason; > > /* callbacks */ > DeviceReset reset; > diff --git a/qdev-monitor.c b/qdev-monitor.c > index 802c18a..bbba2bc 100644 > --- a/qdev-monitor.c > +++ b/qdev-monitor.c > @@ -128,6 +128,9 @@ static void qdev_print_devinfo(DeviceClass *dc) > if (!dc->user_creatable) { > out_printf(", no-user"); > } > + if (!dc->deprecation_reason) { This is the opposite condition: if (dc->deprecation_reason) { out_printf(", deprecated"); With it fixed: Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> > + out_printf(", deprecated"); > + } > out_printf("\n"); > } > > @@ -579,6 +582,10 @@ DeviceState *qdev_device_add(QemuOpts *opts, Error **errp) > if (!dc) { > return NULL; > } > + if (dc->deprecation_reason) { > + warn_report("device %s is deprecated (%s)", > + driver, dc->deprecation_reason); > + } > > /* find bus */ > path = qemu_opt_get(opts, "bus"); > ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass 2018-10-25 11:12 ` Philippe Mathieu-Daudé @ 2018-10-29 9:19 ` Gerd Hoffmann 0 siblings, 0 replies; 35+ messages in thread From: Gerd Hoffmann @ 2018-10-29 9:19 UTC (permalink / raw) To: Philippe Mathieu-Daudé; +Cc: qemu-devel, libvir-list, Prasad J Pandit On Thu, Oct 25, 2018 at 01:12:15PM +0200, Philippe Mathieu-Daudé wrote: > Hi Gerd, > > On 25/10/18 10:52, Gerd Hoffmann wrote: > > Simliar to deprecated machine types. > > "Similar" > > > Print a warning when creating a deprecated device. > > Add deprecation notice to -device help. > > > > TODO: add to intospection. > > "introspection" > > Do we want the TODO in the git history? No. It's RfC because of the missing introspection bits ;) cheers, Gerd ^ permalink raw reply [flat|nested] 35+ messages in thread
* [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-25 8:52 [Qemu-devel] [PATCH 0/3] RfC: add support for deprecated devices Gerd Hoffmann 2018-10-25 8:52 ` [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass Gerd Hoffmann @ 2018-10-25 8:52 ` Gerd Hoffmann 2018-10-25 10:56 ` P J P ` (3 more replies) 2018-10-25 8:52 ` [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated Gerd Hoffmann 2 siblings, 4 replies; 35+ messages in thread From: Gerd Hoffmann @ 2018-10-25 8:52 UTC (permalink / raw) To: qemu-devel; +Cc: libvir-list, Gerd Hoffmann, Prasad J Pandit We have a lovely, guest-triggerable buffer overflow in opl2 emulation. Reproducer: outw(0xff60, 0x220); outw(0x1020, 0x220); outw(0xffb0, 0x220); Result: Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch]) The specs google finds (http://www.symphoniae.com/Yamaha/YSC/YM3812.pdf) are rather sparse, possibly incomplete (looks like scanned fax with a scrambled page at the end) and not really helpful in identifying which of the register writes sets some illegal value. So, go tag the device as deprecated with a warning messge, to notify users and schedule it for removal according to our deprecation policy. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> --- hw/audio/adlib.c | 1 + qemu-deprecated.texi | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c index 97b876c..fb4a29c 100644 --- a/hw/audio/adlib.c +++ b/hw/audio/adlib.c @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data) set_bit(DEVICE_CATEGORY_SOUND, dc->categories); dc->desc = ADLIB_DESC; dc->props = adlib_properties; + dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation"; } static const TypeInfo adlib_info = { diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi index 11b870c..7951a4f 100644 --- a/qemu-deprecated.texi +++ b/qemu-deprecated.texi @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and The ``ivshmem'' device type is replaced by either the ``ivshmem-plain'' or ``ivshmem-doorbell`` device types. +@subsection adlib (since 3.1) + +Has known buffer overflow. + @section System emulator machines @subsection pc-0.10 and pc-0.11 (since 3.0) -- 2.9.3 ^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-25 8:52 ` [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated Gerd Hoffmann @ 2018-10-25 10:56 ` P J P 2018-10-25 20:40 ` [Qemu-devel] [libvirt] " Daniel P. Berrangé 2018-10-25 11:15 ` [Qemu-devel] " Philippe Mathieu-Daudé ` (2 subsequent siblings) 3 siblings, 1 reply; 35+ messages in thread From: P J P @ 2018-10-25 10:56 UTC (permalink / raw) To: Gerd Hoffmann; +Cc: qemu-devel, libvir-list +-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+ | We have a lovely, guest-triggerable buffer overflow in opl2 emulation. | | Reproducer: | outw(0xff60, 0x220); | outw(0x1020, 0x220); | outw(0xffb0, 0x220); | Result: | Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch]) + Reported-by: Wangjunqing <wangjunqing@huawei.com> | diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c | index 97b876c..fb4a29c 100644 | --- a/hw/audio/adlib.c | +++ b/hw/audio/adlib.c | @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data) | set_bit(DEVICE_CATEGORY_SOUND, dc->categories); | dc->desc = ADLIB_DESC; | dc->props = adlib_properties; | + dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation"; | } | | static const TypeInfo adlib_info = { | diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi | index 11b870c..7951a4f 100644 | --- a/qemu-deprecated.texi | +++ b/qemu-deprecated.texi | @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and | The ``ivshmem'' device type is replaced by either the ``ivshmem-plain'' | or ``ivshmem-doorbell`` device types. | | +@subsection adlib (since 3.1) | + | +Has known buffer overflow. | + | @section System emulator machines | | @subsection pc-0.10 and pc-0.11 (since 3.0) Okay. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [libvirt] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-25 10:56 ` P J P @ 2018-10-25 20:40 ` Daniel P. Berrangé 2018-10-26 7:08 ` P J P 0 siblings, 1 reply; 35+ messages in thread From: Daniel P. Berrangé @ 2018-10-25 20:40 UTC (permalink / raw) To: P J P; +Cc: Gerd Hoffmann, libvir-list, qemu-devel On Thu, Oct 25, 2018 at 04:26:16PM +0530, P J P wrote: > +-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+ > | We have a lovely, guest-triggerable buffer overflow in opl2 emulation. > | > | Reproducer: > | outw(0xff60, 0x220); > | outw(0x1020, 0x220); > | outw(0xffb0, 0x220); > | Result: > | Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch]) > > + Reported-by: Wangjunqing <wangjunqing@huawei.com> So you have a CVE number for this ? If so, it should be referenced in the commit message too, even if we can't fix the problem. > | diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c > | index 97b876c..fb4a29c 100644 > | --- a/hw/audio/adlib.c > | +++ b/hw/audio/adlib.c > | @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data) > | set_bit(DEVICE_CATEGORY_SOUND, dc->categories); > | dc->desc = ADLIB_DESC; > | dc->props = adlib_properties; > | + dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation"; > | } > | > | static const TypeInfo adlib_info = { > | diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi > | index 11b870c..7951a4f 100644 > | --- a/qemu-deprecated.texi > | +++ b/qemu-deprecated.texi > | @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and > | The ``ivshmem'' device type is replaced by either the ``ivshmem-plain'' > | or ``ivshmem-doorbell`` device types. > | > | +@subsection adlib (since 3.1) > | + > | +Has known buffer overflow. It would be good to give a recommendation to a better choice to replace its usage > | + > | @section System emulator machines > | > | @subsection pc-0.10 and pc-0.11 (since 3.0) Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [libvirt] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-25 20:40 ` [Qemu-devel] [libvirt] " Daniel P. Berrangé @ 2018-10-26 7:08 ` P J P 2018-10-26 9:54 ` Daniel P. Berrangé 0 siblings, 1 reply; 35+ messages in thread From: P J P @ 2018-10-26 7:08 UTC (permalink / raw) To: Daniel P. Berrangé; +Cc: Gerd Hoffmann, libvir-list, qemu-devel +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+ | On Thu, Oct 25, 2018 at 04:26:16PM +0530, P J P wrote: | > +-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+ | > | We have a lovely, guest-triggerable buffer overflow in opl2 emulation. | > | | > | Reproducer: | > | outw(0xff60, 0x220); | > | outw(0x1020, 0x220); | > | outw(0xffb0, 0x220); | > | Result: | > | Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch]) | > | > + Reported-by: Wangjunqing <wangjunqing@huawei.com> | | So you have a CVE number for this ? No, since the adlib device is not used as much and is being deprecated, I'm not inclined to get one. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [libvirt] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-26 7:08 ` P J P @ 2018-10-26 9:54 ` Daniel P. Berrangé 2018-10-26 12:35 ` P J P 0 siblings, 1 reply; 35+ messages in thread From: Daniel P. Berrangé @ 2018-10-26 9:54 UTC (permalink / raw) To: P J P; +Cc: Gerd Hoffmann, libvir-list, qemu-devel On Fri, Oct 26, 2018 at 12:38:53PM +0530, P J P wrote: > +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+ > | On Thu, Oct 25, 2018 at 04:26:16PM +0530, P J P wrote: > | > +-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+ > | > | We have a lovely, guest-triggerable buffer overflow in opl2 emulation. > | > | > | > | Reproducer: > | > | outw(0xff60, 0x220); > | > | outw(0x1020, 0x220); > | > | outw(0xffb0, 0x220); > | > | Result: > | > | Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch]) > | > > | > + Reported-by: Wangjunqing <wangjunqing@huawei.com> > | > | So you have a CVE number for this ? > > No, since the adlib device is not used as much and is being deprecated, I'm > not inclined to get one. Any security issue that affects code in QEMU that is currently being shipped by distros should have a CVE. Whether we intend to deprecate & delete it later should not be a factor because we are free to cancel the deprecation process at any time if we find a reason to keep the feature around. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [libvirt] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-26 9:54 ` Daniel P. Berrangé @ 2018-10-26 12:35 ` P J P 0 siblings, 0 replies; 35+ messages in thread From: P J P @ 2018-10-26 12:35 UTC (permalink / raw) To: Daniel P. Berrangé; +Cc: Gerd Hoffmann, libvir-list, qemu-devel +-- On Fri, 26 Oct 2018, Daniel P. Berrangé wrote --+ | > No, since the adlib device is not used as much and is being deprecated, I'm | > not inclined to get one. | | Any security issue that affects code in QEMU that is currently being | shipped by distros should have a CVE. | | Whether we intend to deprecate & delete it later should not be a factor | because we are free to cancel the deprecation process at any time if we | find a reason to keep the feature around. Okay, will follow up with a CVE process. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-25 8:52 ` [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated Gerd Hoffmann 2018-10-25 10:56 ` P J P @ 2018-10-25 11:15 ` Philippe Mathieu-Daudé 2018-10-25 20:27 ` Thomas Huth 2018-10-26 8:48 ` Paolo Bonzini 3 siblings, 0 replies; 35+ messages in thread From: Philippe Mathieu-Daudé @ 2018-10-25 11:15 UTC (permalink / raw) To: Gerd Hoffmann, qemu-devel; +Cc: libvir-list, Prasad J Pandit On 25/10/18 10:52, Gerd Hoffmann wrote: > We have a lovely, guest-triggerable buffer overflow in opl2 emulation. > > Reproducer: > outw(0xff60, 0x220); > outw(0x1020, 0x220); > outw(0xffb0, 0x220); > Result: > Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch]) > > The specs google finds (http://www.symphoniae.com/Yamaha/YSC/YM3812.pdf) > are rather sparse, possibly incomplete (looks like scanned fax with a > scrambled page at the end) and not really helpful in identifying which > of the register writes sets some illegal value. > > So, go tag the device as deprecated with a warning messge, to notify "warning message" > users and schedule it for removal according to our deprecation policy. > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > hw/audio/adlib.c | 1 + > qemu-deprecated.texi | 4 ++++ > 2 files changed, 5 insertions(+) > > diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c > index 97b876c..fb4a29c 100644 > --- a/hw/audio/adlib.c > +++ b/hw/audio/adlib.c > @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data) > set_bit(DEVICE_CATEGORY_SOUND, dc->categories); > dc->desc = ADLIB_DESC; > dc->props = adlib_properties; > + dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation"; > } > > static const TypeInfo adlib_info = { > diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi > index 11b870c..7951a4f 100644 > --- a/qemu-deprecated.texi > +++ b/qemu-deprecated.texi > @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and > The ``ivshmem'' device type is replaced by either the ``ivshmem-plain'' > or ``ivshmem-doorbell`` device types. > > +@subsection adlib (since 3.1) > + > +Has known buffer overflow. > + > @section System emulator machines > > @subsection pc-0.10 and pc-0.11 (since 3.0) > Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-25 8:52 ` [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated Gerd Hoffmann 2018-10-25 10:56 ` P J P 2018-10-25 11:15 ` [Qemu-devel] " Philippe Mathieu-Daudé @ 2018-10-25 20:27 ` Thomas Huth 2018-10-26 8:48 ` Paolo Bonzini 3 siblings, 0 replies; 35+ messages in thread From: Thomas Huth @ 2018-10-25 20:27 UTC (permalink / raw) To: Gerd Hoffmann, qemu-devel; +Cc: libvir-list, Prasad J Pandit On 2018-10-25 09:52, Gerd Hoffmann wrote: > We have a lovely, guest-triggerable buffer overflow in opl2 emulation. > > Reproducer: > outw(0xff60, 0x220); > outw(0x1020, 0x220); > outw(0xffb0, 0x220); > Result: > Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch]) > > The specs google finds (http://www.symphoniae.com/Yamaha/YSC/YM3812.pdf) > are rather sparse, possibly incomplete (looks like scanned fax with a > scrambled page at the end) and not really helpful in identifying which > of the register writes sets some illegal value. > > So, go tag the device as deprecated with a warning messge, to notify > users and schedule it for removal according to our deprecation policy. > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > hw/audio/adlib.c | 1 + > qemu-deprecated.texi | 4 ++++ > 2 files changed, 5 insertions(+) > > diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c > index 97b876c..fb4a29c 100644 > --- a/hw/audio/adlib.c > +++ b/hw/audio/adlib.c > @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data) > set_bit(DEVICE_CATEGORY_SOUND, dc->categories); > dc->desc = ADLIB_DESC; > dc->props = adlib_properties; > + dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation"; > } > > static const TypeInfo adlib_info = { > diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi > index 11b870c..7951a4f 100644 > --- a/qemu-deprecated.texi > +++ b/qemu-deprecated.texi > @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and > The ``ivshmem'' device type is replaced by either the ``ivshmem-plain'' > or ``ivshmem-doorbell`` device types. > > +@subsection adlib (since 3.1) > + > +Has known buffer overflow. > + > @section System emulator machines > > @subsection pc-0.10 and pc-0.11 (since 3.0) > Any chance you could maybe at least add an assert() to the affected code so that it crashes instead of silently overflowing the buffer? Anyway, with the "messge" typo fixed: Reviewed-by: Thomas Huth <thuth@redhat.com> ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-25 8:52 ` [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated Gerd Hoffmann ` (2 preceding siblings ...) 2018-10-25 20:27 ` Thomas Huth @ 2018-10-26 8:48 ` Paolo Bonzini 2018-10-26 9:34 ` P J P 3 siblings, 1 reply; 35+ messages in thread From: Paolo Bonzini @ 2018-10-26 8:48 UTC (permalink / raw) To: Gerd Hoffmann, qemu-devel; +Cc: libvir-list, Prasad J Pandit On 25/10/2018 10:52, Gerd Hoffmann wrote: > We have a lovely, guest-triggerable buffer overflow in opl2 emulation. > > Reproducer: > outw(0xff60, 0x220); > outw(0x1020, 0x220); > outw(0xffb0, 0x220); > Result: > Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch]) I am dumb and I don't understand. In set_ar_dr you get v = 0xff ar = 15 dr = 15 and OPL->AR_TABLE[60] is accessed. The size of the array is 75, which seems to be actually 14 more than required. Likewise OPL->DR_TABLE[60] is accessed. The next accesses use SLOT->ksr which is 0 so it's fine too. Paolo ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-26 8:48 ` Paolo Bonzini @ 2018-10-26 9:34 ` P J P 2018-10-26 10:01 ` Paolo Bonzini 0 siblings, 1 reply; 35+ messages in thread From: P J P @ 2018-10-26 9:34 UTC (permalink / raw) To: Paolo Bonzini; +Cc: Gerd Hoffmann, qemu-devel, libvir-list +-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+ | I am dumb and I don't understand. In set_ar_dr you get | | v = 0xff | ar = 15 | dr = 15 | | and OPL->AR_TABLE[60] is accessed. The size of the array is 75, which | seems to be actually 14 more than required. Likewise OPL->DR_TABLE[60] | is accessed. | | The next accesses use SLOT->ksr which is 0 so it's fine too. In set_ar_dr SLOT->AR = ar ? &OPL->AR_TABLE[ar<<2] : RATE_0; SLOT->AR is set to point to OPL->DR_TABLE[60] and while so if s->ksr is set to 15, in CALC_FCSLOT() SLOT->evsa = SLOT->AR[ksr]; <= accesses OPL->AR_TABLE[60 + 15]; Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-26 9:34 ` P J P @ 2018-10-26 10:01 ` Paolo Bonzini 2018-10-26 11:53 ` P J P 0 siblings, 1 reply; 35+ messages in thread From: Paolo Bonzini @ 2018-10-26 10:01 UTC (permalink / raw) To: P J P, Gerd Hoffmann, qemu-devel, libvir-list On 26/10/2018 11:34, P J P wrote: > +-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+ > | I am dumb and I don't understand. In set_ar_dr you get > | > | v = 0xff > | ar = 15 > | dr = 15 > | > | and OPL->AR_TABLE[60] is accessed. The size of the array is 75, which > | seems to be actually 14 more than required. Likewise OPL->DR_TABLE[60] > | is accessed. > | > | The next accesses use SLOT->ksr which is 0 so it's fine too. > > In set_ar_dr > > SLOT->AR = ar ? &OPL->AR_TABLE[ar<<2] : RATE_0; > > SLOT->AR is set to point to OPL->DR_TABLE[60] and while so if s->ksr is set to > 15, in CALC_FCSLOT() > > SLOT->evsa = SLOT->AR[ksr]; <= accesses OPL->AR_TABLE[60 + 15]; Oh, thanks! I said I was dumb. :) So the fix is just this: diff --git a/hw/audio/fmopl.h b/hw/audio/fmopl.h index e7e578a48e..7199afaa3c 100644 --- a/hw/audio/fmopl.h +++ b/hw/audio/fmopl.h @@ -72,8 +72,8 @@ typedef struct fm_opl_f { /* Rhythm sention */ uint8_t rhythm; /* Rhythm mode , key flag */ /* time tables */ - int32_t AR_TABLE[75]; /* atttack rate tables */ - int32_t DR_TABLE[75]; /* decay rate tables */ + int32_t AR_TABLE[76]; /* atttack rate tables */ + int32_t DR_TABLE[76]; /* decay rate tables */ uint32_t FN_TABLE[1024]; /* fnumber -> increment counter */ /* LFO */ int32_t *ams_table; and init_timetables will just fill it with the right value? (I checked against another implementation at http://opl3.cozendey.com/). Thanks, Paolo ^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-26 10:01 ` Paolo Bonzini @ 2018-10-26 11:53 ` P J P 2018-10-29 9:05 ` Gerd Hoffmann 0 siblings, 1 reply; 35+ messages in thread From: P J P @ 2018-10-26 11:53 UTC (permalink / raw) To: Paolo Bonzini; +Cc: Gerd Hoffmann, qemu-devel, libvir-list +-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+ | Oh, thanks! I said I was dumb. :) So the fix is just this: | | diff --git a/hw/audio/fmopl.h b/hw/audio/fmopl.h | index e7e578a48e..7199afaa3c 100644 | --- a/hw/audio/fmopl.h | +++ b/hw/audio/fmopl.h | @@ -72,8 +72,8 @@ typedef struct fm_opl_f { | /* Rhythm sention */ | uint8_t rhythm; /* Rhythm mode , key flag */ | /* time tables */ | - int32_t AR_TABLE[75]; /* atttack rate tables */ | - int32_t DR_TABLE[75]; /* decay rate tables */ | + int32_t AR_TABLE[76]; /* atttack rate tables */ | + int32_t DR_TABLE[76]; /* decay rate tables */ | uint32_t FN_TABLE[1024]; /* fnumber -> increment counter */ | /* LFO */ | int32_t *ams_table; | | and init_timetables will just fill it with the right value? (I checked | against another implementation at http://opl3.cozendey.com/). Gerd has proposed to a patch to deprecate adlib, as it's not used as much. IMO deprecation is better option. But if that is not happening, above seems good. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated. 2018-10-26 11:53 ` P J P @ 2018-10-29 9:05 ` Gerd Hoffmann 0 siblings, 0 replies; 35+ messages in thread From: Gerd Hoffmann @ 2018-10-29 9:05 UTC (permalink / raw) To: P J P; +Cc: Paolo Bonzini, qemu-devel, libvir-list On Fri, Oct 26, 2018 at 05:23:37PM +0530, P J P wrote: > +-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+ > | Oh, thanks! I said I was dumb. :) So the fix is just this: > | > | diff --git a/hw/audio/fmopl.h b/hw/audio/fmopl.h > | index e7e578a48e..7199afaa3c 100644 > | --- a/hw/audio/fmopl.h > | +++ b/hw/audio/fmopl.h > | @@ -72,8 +72,8 @@ typedef struct fm_opl_f { > | /* Rhythm sention */ > | uint8_t rhythm; /* Rhythm mode , key flag */ > | /* time tables */ > | - int32_t AR_TABLE[75]; /* atttack rate tables */ > | - int32_t DR_TABLE[75]; /* decay rate tables */ > | + int32_t AR_TABLE[76]; /* atttack rate tables */ > | + int32_t DR_TABLE[76]; /* decay rate tables */ > | uint32_t FN_TABLE[1024]; /* fnumber -> increment counter */ > | /* LFO */ > | int32_t *ams_table; > | > | and init_timetables will just fill it with the right value? (I checked > | against another implementation at http://opl3.cozendey.com/). > > Gerd has proposed to a patch to deprecate adlib, as it's not used as much. IMO > deprecation is better option. But if that is not happening, above seems good. I think we can actually do both. cheers, Gerd ^ permalink raw reply [flat|nested] 35+ messages in thread
* [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-25 8:52 [Qemu-devel] [PATCH 0/3] RfC: add support for deprecated devices Gerd Hoffmann 2018-10-25 8:52 ` [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass Gerd Hoffmann 2018-10-25 8:52 ` [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated Gerd Hoffmann @ 2018-10-25 8:52 ` Gerd Hoffmann 2018-10-25 10:59 ` P J P ` (3 more replies) 2 siblings, 4 replies; 35+ messages in thread From: Gerd Hoffmann @ 2018-10-25 8:52 UTC (permalink / raw) To: qemu-devel; +Cc: libvir-list, Gerd Hoffmann, Prasad J Pandit While being at it deprecate cirrus too. Reason (short version): use stdvga instead. Verbose version: https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> --- hw/display/cirrus_vga.c | 2 ++ hw/display/cirrus_vga_isa.c | 2 ++ qemu-deprecated.texi | 4 ++++ 3 files changed, 8 insertions(+) diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index d9b854d..2f16ba9 100644 --- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -3024,6 +3024,8 @@ static void cirrus_vga_class_init(ObjectClass *klass, void *data) dc->vmsd = &vmstate_pci_cirrus_vga; dc->props = pci_vga_cirrus_properties; dc->hotpluggable = false; + dc->deprecation_reason = + "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful"; } static const TypeInfo cirrus_vga_info = { diff --git a/hw/display/cirrus_vga_isa.c b/hw/display/cirrus_vga_isa.c index fa10b74..c2d853c 100644 --- a/hw/display/cirrus_vga_isa.c +++ b/hw/display/cirrus_vga_isa.c @@ -81,6 +81,8 @@ static void isa_cirrus_vga_class_init(ObjectClass *klass, void *data) dc->realize = isa_cirrus_vga_realizefn; dc->props = isa_cirrus_vga_properties; set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories); + dc->deprecation_reason = + "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful"; } static const TypeInfo isa_cirrus_vga_info = { diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi index 7951a4f..1b1d434 100644 --- a/qemu-deprecated.texi +++ b/qemu-deprecated.texi @@ -120,6 +120,10 @@ or ``ivshmem-doorbell`` device types. Has known buffer overflow. +@subsection cirrus (since 3.1) + +Use stdvga instead (-vga std or -device VGA). + @section System emulator machines @subsection pc-0.10 and pc-0.11 (since 3.0) -- 2.9.3 ^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-25 8:52 ` [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated Gerd Hoffmann @ 2018-10-25 10:59 ` P J P 2018-10-25 11:17 ` Philippe Mathieu-Daudé ` (2 subsequent siblings) 3 siblings, 0 replies; 35+ messages in thread From: P J P @ 2018-10-25 10:59 UTC (permalink / raw) To: Gerd Hoffmann; +Cc: qemu-devel, libvir-list +-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+ | While being at it deprecate cirrus too. | | Reason (short version): use stdvga instead. | Verbose version: | https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful | | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | --- | hw/display/cirrus_vga.c | 2 ++ | hw/display/cirrus_vga_isa.c | 2 ++ | qemu-deprecated.texi | 4 ++++ | 3 files changed, 8 insertions(+) | | diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c | index d9b854d..2f16ba9 100644 | --- a/hw/display/cirrus_vga.c | +++ b/hw/display/cirrus_vga.c | @@ -3024,6 +3024,8 @@ static void cirrus_vga_class_init(ObjectClass *klass, void *data) | dc->vmsd = &vmstate_pci_cirrus_vga; | dc->props = pci_vga_cirrus_properties; | dc->hotpluggable = false; | + dc->deprecation_reason = | + "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful"; | } | | static const TypeInfo cirrus_vga_info = { | diff --git a/hw/display/cirrus_vga_isa.c b/hw/display/cirrus_vga_isa.c | index fa10b74..c2d853c 100644 | --- a/hw/display/cirrus_vga_isa.c | +++ b/hw/display/cirrus_vga_isa.c | @@ -81,6 +81,8 @@ static void isa_cirrus_vga_class_init(ObjectClass *klass, void *data) | dc->realize = isa_cirrus_vga_realizefn; | dc->props = isa_cirrus_vga_properties; | set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories); | + dc->deprecation_reason = | + "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful"; | } | | static const TypeInfo isa_cirrus_vga_info = { | diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi | index 7951a4f..1b1d434 100644 | --- a/qemu-deprecated.texi | +++ b/qemu-deprecated.texi | @@ -120,6 +120,10 @@ or ``ivshmem-doorbell`` device types. | | Has known buffer overflow. | | +@subsection cirrus (since 3.1) | + | +Use stdvga instead (-vga std or -device VGA). | + | @section System emulator machines | | @subsection pc-0.10 and pc-0.11 (since 3.0) | Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-25 8:52 ` [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated Gerd Hoffmann 2018-10-25 10:59 ` P J P @ 2018-10-25 11:17 ` Philippe Mathieu-Daudé 2018-10-25 20:28 ` Thomas Huth 2018-10-25 20:37 ` Daniel P. Berrangé 3 siblings, 0 replies; 35+ messages in thread From: Philippe Mathieu-Daudé @ 2018-10-25 11:17 UTC (permalink / raw) To: Gerd Hoffmann, qemu-devel; +Cc: libvir-list, Prasad J Pandit On 25/10/18 10:52, Gerd Hoffmann wrote: > While being at it deprecate cirrus too. > > Reason (short version): use stdvga instead. > Verbose version: > https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > hw/display/cirrus_vga.c | 2 ++ > hw/display/cirrus_vga_isa.c | 2 ++ > qemu-deprecated.texi | 4 ++++ > 3 files changed, 8 insertions(+) > > diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c > index d9b854d..2f16ba9 100644 > --- a/hw/display/cirrus_vga.c > +++ b/hw/display/cirrus_vga.c > @@ -3024,6 +3024,8 @@ static void cirrus_vga_class_init(ObjectClass *klass, void *data) > dc->vmsd = &vmstate_pci_cirrus_vga; > dc->props = pci_vga_cirrus_properties; > dc->hotpluggable = false; > + dc->deprecation_reason = > + "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful"; We should propably add an archived copy of this post to www.qemu.org. Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> > } > > static const TypeInfo cirrus_vga_info = { > diff --git a/hw/display/cirrus_vga_isa.c b/hw/display/cirrus_vga_isa.c > index fa10b74..c2d853c 100644 > --- a/hw/display/cirrus_vga_isa.c > +++ b/hw/display/cirrus_vga_isa.c > @@ -81,6 +81,8 @@ static void isa_cirrus_vga_class_init(ObjectClass *klass, void *data) > dc->realize = isa_cirrus_vga_realizefn; > dc->props = isa_cirrus_vga_properties; > set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories); > + dc->deprecation_reason = > + "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful"; > } > > static const TypeInfo isa_cirrus_vga_info = { > diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi > index 7951a4f..1b1d434 100644 > --- a/qemu-deprecated.texi > +++ b/qemu-deprecated.texi > @@ -120,6 +120,10 @@ or ``ivshmem-doorbell`` device types. > > Has known buffer overflow. > > +@subsection cirrus (since 3.1) > + > +Use stdvga instead (-vga std or -device VGA). > + > @section System emulator machines > > @subsection pc-0.10 and pc-0.11 (since 3.0) > ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-25 8:52 ` [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated Gerd Hoffmann 2018-10-25 10:59 ` P J P 2018-10-25 11:17 ` Philippe Mathieu-Daudé @ 2018-10-25 20:28 ` Thomas Huth 2018-10-25 20:37 ` Daniel P. Berrangé 3 siblings, 0 replies; 35+ messages in thread From: Thomas Huth @ 2018-10-25 20:28 UTC (permalink / raw) To: Gerd Hoffmann, qemu-devel; +Cc: libvir-list, Prasad J Pandit On 2018-10-25 09:52, Gerd Hoffmann wrote: > While being at it deprecate cirrus too. > > Reason (short version): use stdvga instead. > Verbose version: > https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > hw/display/cirrus_vga.c | 2 ++ > hw/display/cirrus_vga_isa.c | 2 ++ > qemu-deprecated.texi | 4 ++++ > 3 files changed, 8 insertions(+) > > diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c > index d9b854d..2f16ba9 100644 > --- a/hw/display/cirrus_vga.c > +++ b/hw/display/cirrus_vga.c > @@ -3024,6 +3024,8 @@ static void cirrus_vga_class_init(ObjectClass *klass, void *data) > dc->vmsd = &vmstate_pci_cirrus_vga; > dc->props = pci_vga_cirrus_properties; > dc->hotpluggable = false; > + dc->deprecation_reason = > + "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful"; > } > > static const TypeInfo cirrus_vga_info = { > diff --git a/hw/display/cirrus_vga_isa.c b/hw/display/cirrus_vga_isa.c > index fa10b74..c2d853c 100644 > --- a/hw/display/cirrus_vga_isa.c > +++ b/hw/display/cirrus_vga_isa.c > @@ -81,6 +81,8 @@ static void isa_cirrus_vga_class_init(ObjectClass *klass, void *data) > dc->realize = isa_cirrus_vga_realizefn; > dc->props = isa_cirrus_vga_properties; > set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories); > + dc->deprecation_reason = > + "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful"; > } > > static const TypeInfo isa_cirrus_vga_info = { > diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi > index 7951a4f..1b1d434 100644 > --- a/qemu-deprecated.texi > +++ b/qemu-deprecated.texi > @@ -120,6 +120,10 @@ or ``ivshmem-doorbell`` device types. > > Has known buffer overflow. > > +@subsection cirrus (since 3.1) > + > +Use stdvga instead (-vga std or -device VGA). > + > @section System emulator machines > > @subsection pc-0.10 and pc-0.11 (since 3.0) > Reviewed-by: Thomas Huth <thuth@redhat.com> ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-25 8:52 ` [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated Gerd Hoffmann ` (2 preceding siblings ...) 2018-10-25 20:28 ` Thomas Huth @ 2018-10-25 20:37 ` Daniel P. Berrangé 2018-10-26 7:03 ` P J P ` (2 more replies) 3 siblings, 3 replies; 35+ messages in thread From: Daniel P. Berrangé @ 2018-10-25 20:37 UTC (permalink / raw) To: Gerd Hoffmann; +Cc: qemu-devel, libvir-list, Prasad J Pandit On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote: > While being at it deprecate cirrus too. > > Reason (short version): use stdvga instead. > Verbose version: > https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful Every single one of my guests is using cirrus. This wasn't an explicit choice on my part, so I believe it is being used as the default in virt-install. I don't debate the points in the blog post above that stdvga is a better choice, but I don't think that's enough to justify deprecating cirrus at this point in time, because when it then gets deleted it will break way too many existing deployments. We need to socialize info in that blog post above more widely and especially ensure that apps are not using that by default. I don't see it being viable to formally deprecate it in QEMU any time soon though given existing usage. > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > hw/display/cirrus_vga.c | 2 ++ > hw/display/cirrus_vga_isa.c | 2 ++ > qemu-deprecated.texi | 4 ++++ > 3 files changed, 8 insertions(+) > > diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c > index d9b854d..2f16ba9 100644 > --- a/hw/display/cirrus_vga.c > +++ b/hw/display/cirrus_vga.c > @@ -3024,6 +3024,8 @@ static void cirrus_vga_class_init(ObjectClass *klass, void *data) > dc->vmsd = &vmstate_pci_cirrus_vga; > dc->props = pci_vga_cirrus_properties; > dc->hotpluggable = false; > + dc->deprecation_reason = > + "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful"; > } > > static const TypeInfo cirrus_vga_info = { > diff --git a/hw/display/cirrus_vga_isa.c b/hw/display/cirrus_vga_isa.c > index fa10b74..c2d853c 100644 > --- a/hw/display/cirrus_vga_isa.c > +++ b/hw/display/cirrus_vga_isa.c > @@ -81,6 +81,8 @@ static void isa_cirrus_vga_class_init(ObjectClass *klass, void *data) > dc->realize = isa_cirrus_vga_realizefn; > dc->props = isa_cirrus_vga_properties; > set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories); > + dc->deprecation_reason = > + "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful"; > } > > static const TypeInfo isa_cirrus_vga_info = { > diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi > index 7951a4f..1b1d434 100644 > --- a/qemu-deprecated.texi > +++ b/qemu-deprecated.texi > @@ -120,6 +120,10 @@ or ``ivshmem-doorbell`` device types. > > Has known buffer overflow. > > +@subsection cirrus (since 3.1) > + > +Use stdvga instead (-vga std or -device VGA). > + > @section System emulator machines > > @subsection pc-0.10 and pc-0.11 (since 3.0) > -- > 2.9.3 > > Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-25 20:37 ` Daniel P. Berrangé @ 2018-10-26 7:03 ` P J P 2018-10-26 9:42 ` Daniel P. Berrangé 2018-10-26 8:48 ` Cole Robinson 2018-10-29 9:12 ` [Qemu-devel] " Gerd Hoffmann 2 siblings, 1 reply; 35+ messages in thread From: P J P @ 2018-10-26 7:03 UTC (permalink / raw) To: Daniel P. Berrangé; +Cc: Gerd Hoffmann, qemu-devel, libvir-list Hello Dan, all +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+ | On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote: | > While being at it deprecate cirrus too. | > | > Reason (short version): use stdvga instead. | > Verbose version: | > https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful | | | I don't debate the points in the blog post above that stdvga is a | better choice, but I don't think that's enough to justify deprecating | cirrus at this point in time, because when it then gets deleted it | will break way too many existing deployments. | | We need to socialize info in that blog post above more widely and | especially ensure that apps are not using that by default. I don't | see it being viable to formally deprecate it in QEMU any time soon | though given existing usage. To note, IMO there are other devices/sources in QEMU which are potential candidates for deprecation, similar to adlib etc. It'll help if we could device a process to deprecate/remove such code base. Other than maintenance it invariably also becomes source of security issues. Ex.(similar to Fedora) we could announce such candidate on qemu-devel list and after review over a period of say a month, candidate will be deprecated/expunged. (thinking aloud) Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-26 7:03 ` P J P @ 2018-10-26 9:42 ` Daniel P. Berrangé 2018-10-26 9:59 ` Daniel P. Berrangé ` (2 more replies) 0 siblings, 3 replies; 35+ messages in thread From: Daniel P. Berrangé @ 2018-10-26 9:42 UTC (permalink / raw) To: P J P; +Cc: Gerd Hoffmann, qemu-devel, libvir-list On Fri, Oct 26, 2018 at 12:33:55PM +0530, P J P wrote: > Hello Dan, all > > +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+ > | On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote: > | > While being at it deprecate cirrus too. > | > > | > Reason (short version): use stdvga instead. > | > Verbose version: > | > https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful > | > | > | I don't debate the points in the blog post above that stdvga is a > | better choice, but I don't think that's enough to justify deprecating > | cirrus at this point in time, because when it then gets deleted it > | will break way too many existing deployments. > | > | We need to socialize info in that blog post above more widely and > | especially ensure that apps are not using that by default. I don't > | see it being viable to formally deprecate it in QEMU any time soon > | though given existing usage. > > To note, IMO there are other devices/sources in QEMU which are potential > candidates for deprecation, similar to adlib etc. It'll help if we could > device a process to deprecate/remove such code base. Other than maintenance it > invariably also becomes source of security issues. > > Ex.(similar to Fedora) we could announce such candidate on qemu-devel list and > after review over a period of say a month, candidate will be > deprecated/expunged. (thinking aloud) QEMU has a deprecation process: https://qemu.weilnetz.de/doc/qemu-doc.html#Deprecated-features Most of the stuff deprecated is CLI args / monitor commands, etc where mgmt apps just adjust the way they are calling QEMU, so end user's VMs are largely not impacted. Deprecating a device type that is widely used is not desirable because that will cause breakage of existing guests. Distros are free to disable devices in their builds if they want to reduce the scope for CVEs in packages they maintain, but again they should think carefully about how many users they are going to break by doing so. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-26 9:42 ` Daniel P. Berrangé @ 2018-10-26 9:59 ` Daniel P. Berrangé 2018-10-26 10:03 ` Paolo Bonzini 2018-10-26 10:40 ` Dr. David Alan Gilbert 2018-10-26 13:25 ` [Qemu-devel] [libvirt] " Christian Borntraeger 2 siblings, 1 reply; 35+ messages in thread From: Daniel P. Berrangé @ 2018-10-26 9:59 UTC (permalink / raw) To: P J P; +Cc: libvir-list, Gerd Hoffmann, qemu-devel On Fri, Oct 26, 2018 at 10:42:08AM +0100, Daniel P. Berrangé wrote: > On Fri, Oct 26, 2018 at 12:33:55PM +0530, P J P wrote: > > Hello Dan, all > > > > +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+ > > | On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote: > > | > While being at it deprecate cirrus too. > > | > > > | > Reason (short version): use stdvga instead. > > | > Verbose version: > > | > https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful > > | > > | > > | I don't debate the points in the blog post above that stdvga is a > > | better choice, but I don't think that's enough to justify deprecating > > | cirrus at this point in time, because when it then gets deleted it > > | will break way too many existing deployments. > > | > > | We need to socialize info in that blog post above more widely and > > | especially ensure that apps are not using that by default. I don't > > | see it being viable to formally deprecate it in QEMU any time soon > > | though given existing usage. > > > > To note, IMO there are other devices/sources in QEMU which are potential > > candidates for deprecation, similar to adlib etc. It'll help if we could > > device a process to deprecate/remove such code base. Other than maintenance it > > invariably also becomes source of security issues. > > > > Ex.(similar to Fedora) we could announce such candidate on qemu-devel list and > > after review over a period of say a month, candidate will be > > deprecated/expunged. (thinking aloud) > > QEMU has a deprecation process: > > https://qemu.weilnetz.de/doc/qemu-doc.html#Deprecated-features > > Most of the stuff deprecated is CLI args / monitor commands, etc where > mgmt apps just adjust the way they are calling QEMU, so end user's VMs > are largely not impacted. > > Deprecating a device type that is widely used is not desirable because > that will cause breakage of existing guests. Distros are free to disable > devices in their builds if they want to reduce the scope for CVEs in > packages they maintain, but again they should think carefully about how > many users they are going to break by doing so. I should also say that QEMU as an upstream project has multiple goals. Running KVM guests with modern PV hardware is only one of them, albeit a widely used one. Being able to run old legacy OS with old hardware, and running arbitrary embedded boards/devices with emulation are both use cases that QEMU project aims to address. To eliminate all the old "crufty" device emulation in name of improving security for KVM, would be to eliminate core use cases of the project. THis is why we're trying to persue the direction of making it easier for vendors to disable features and devices they don't wish to support & thus limit their downstream CVE exposure. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-26 9:59 ` Daniel P. Berrangé @ 2018-10-26 10:03 ` Paolo Bonzini 2018-10-26 14:14 ` Daniel P. Berrangé 0 siblings, 1 reply; 35+ messages in thread From: Paolo Bonzini @ 2018-10-26 10:03 UTC (permalink / raw) To: Daniel P. Berrangé, P J P; +Cc: libvir-list, Gerd Hoffmann, qemu-devel On 26/10/2018 11:59, Daniel P. Berrangé wrote: > I should also say that QEMU as an upstream project has multiple goals. > Running KVM guests with modern PV hardware is only one of them, albeit > a widely used one. Being able to run old legacy OS with old hardware, > and running arbitrary embedded boards/devices with emulation are both > use cases that QEMU project aims to address. To eliminate all the old > "crufty" device emulation in name of improving security for KVM, would > be to eliminate core use cases of the project. THis is why we're trying > to persue the direction of making it easier for vendors to disable > features and devices they don't wish to support & thus limit their > downstream CVE exposure. Indeed. If we had to deprecate a feature just because it had an off-by-one bug, no C program would grow beyond 1000 lines of code... Paolo ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-26 10:03 ` Paolo Bonzini @ 2018-10-26 14:14 ` Daniel P. Berrangé 2018-10-26 18:56 ` P J P 0 siblings, 1 reply; 35+ messages in thread From: Daniel P. Berrangé @ 2018-10-26 14:14 UTC (permalink / raw) To: Paolo Bonzini; +Cc: P J P, libvir-list, Gerd Hoffmann, qemu-devel On Fri, Oct 26, 2018 at 12:03:35PM +0200, Paolo Bonzini wrote: > On 26/10/2018 11:59, Daniel P. Berrangé wrote: > > I should also say that QEMU as an upstream project has multiple goals. > > Running KVM guests with modern PV hardware is only one of them, albeit > > a widely used one. Being able to run old legacy OS with old hardware, > > and running arbitrary embedded boards/devices with emulation are both > > use cases that QEMU project aims to address. To eliminate all the old > > "crufty" device emulation in name of improving security for KVM, would > > be to eliminate core use cases of the project. THis is why we're trying > > to persue the direction of making it easier for vendors to disable > > features and devices they don't wish to support & thus limit their > > downstream CVE exposure. > > Indeed. If we had to deprecate a feature just because it had an > off-by-one bug, no C program would grow beyond 1000 lines of code... One thing we should do, however, is to make it clear which of the device models we consider secure, and which we consider only usable in a friendly guest environment, as we have very different code maintainership & quality standards for different parts of QEMU. Essentially virtio devices, and then only a handful of the emulated devices are things we consider suitable for usage in secure envs. Likewise for machine types probably. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-26 14:14 ` Daniel P. Berrangé @ 2018-10-26 18:56 ` P J P 0 siblings, 0 replies; 35+ messages in thread From: P J P @ 2018-10-26 18:56 UTC (permalink / raw) To: Daniel P. Berrangé Cc: Paolo Bonzini, libvir-list, Gerd Hoffmann, qemu-devel +-- On Fri, 26 Oct 2018, Daniel P. Berrangé wrote --+ | ... | One thing we should do, however, is to make it clear which of the | device models we consider secure, and which we consider only usable | in a friendly guest environment, as we have very different code | maintainership & quality standards for different parts of QEMU. | | Essentially virtio devices, and then only a handful of the emulated | devices are things we consider suitable for usage in secure envs. | Likewise for machine types probably. True, +1. It did come up in another thread. It'll surely be helpful to list these professional and friendly components. 'Professional' being production ready and thus security relevant. And 'Friendly' being experimental or not suitable for production usage. Maybe like staging drivers in the kernel tree. They are available for use but not considered production ready and thus are not security relevant. To be clear, irrespective of professional or friendly, we strive to fix every single issue that is found and/or reported. Only difference is, professional ones are tracked by a CVE ID and friendly ones are fixed as bug fixes, not tracked by CVE ID. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-26 9:42 ` Daniel P. Berrangé 2018-10-26 9:59 ` Daniel P. Berrangé @ 2018-10-26 10:40 ` Dr. David Alan Gilbert 2018-10-26 13:25 ` [Qemu-devel] [libvirt] " Christian Borntraeger 2 siblings, 0 replies; 35+ messages in thread From: Dr. David Alan Gilbert @ 2018-10-26 10:40 UTC (permalink / raw) To: Daniel P. Berrangé; +Cc: P J P, libvir-list, Gerd Hoffmann, qemu-devel * Daniel P. Berrangé (berrange@redhat.com) wrote: > On Fri, Oct 26, 2018 at 12:33:55PM +0530, P J P wrote: > > Hello Dan, all > > > > +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+ > > | On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote: > > | > While being at it deprecate cirrus too. > > | > > > | > Reason (short version): use stdvga instead. > > | > Verbose version: > > | > https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful > > | > > | > > | I don't debate the points in the blog post above that stdvga is a > > | better choice, but I don't think that's enough to justify deprecating > > | cirrus at this point in time, because when it then gets deleted it > > | will break way too many existing deployments. > > | > > | We need to socialize info in that blog post above more widely and > > | especially ensure that apps are not using that by default. I don't > > | see it being viable to formally deprecate it in QEMU any time soon > > | though given existing usage. > > > > To note, IMO there are other devices/sources in QEMU which are potential > > candidates for deprecation, similar to adlib etc. It'll help if we could > > device a process to deprecate/remove such code base. Other than maintenance it > > invariably also becomes source of security issues. > > > > Ex.(similar to Fedora) we could announce such candidate on qemu-devel list and > > after review over a period of say a month, candidate will be > > deprecated/expunged. (thinking aloud) > > QEMU has a deprecation process: > > https://qemu.weilnetz.de/doc/qemu-doc.html#Deprecated-features > > Most of the stuff deprecated is CLI args / monitor commands, etc where > mgmt apps just adjust the way they are calling QEMU, so end user's VMs > are largely not impacted. > > Deprecating a device type that is widely used is not desirable because > that will cause breakage of existing guests. Distros are free to disable > devices in their builds if they want to reduce the scope for CVEs in > packages they maintain, but again they should think carefully about how > many users they are going to break by doing so. I'm a bit mixed here; until recent guest kernels I've always treated Cirrus as the 'safe' one that's likely to work on anything - so losing it worries me. Having said that, I understand why we want to deprecate it; but we should give a much longer deprecation warning - a few years? I don't see any harm warning that it's deprecated and you really should try not to use it. Dave > Regards, > Daniel > -- > |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| > |: https://libvirt.org -o- https://fstop138.berrange.com :| > |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [libvirt] [PATCH 3/3] cirrus: mark as deprecated 2018-10-26 9:42 ` Daniel P. Berrangé 2018-10-26 9:59 ` Daniel P. Berrangé 2018-10-26 10:40 ` Dr. David Alan Gilbert @ 2018-10-26 13:25 ` Christian Borntraeger 2 siblings, 0 replies; 35+ messages in thread From: Christian Borntraeger @ 2018-10-26 13:25 UTC (permalink / raw) To: Daniel P. Berrangé, P J P; +Cc: libvir-list, Gerd Hoffmann, qemu-devel On 10/26/2018 11:42 AM, Daniel P. Berrangé wrote: > On Fri, Oct 26, 2018 at 12:33:55PM +0530, P J P wrote: >> Hello Dan, all >> >> +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+ >> | On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote: >> | > While being at it deprecate cirrus too. >> | > >> | > Reason (short version): use stdvga instead. >> | > Verbose version: >> | > https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful >> | >> | >> | I don't debate the points in the blog post above that stdvga is a >> | better choice, but I don't think that's enough to justify deprecating >> | cirrus at this point in time, because when it then gets deleted it >> | will break way too many existing deployments. >> | >> | We need to socialize info in that blog post above more widely and >> | especially ensure that apps are not using that by default. I don't >> | see it being viable to formally deprecate it in QEMU any time soon >> | though given existing usage. >> >> To note, IMO there are other devices/sources in QEMU which are potential >> candidates for deprecation, similar to adlib etc. It'll help if we could >> device a process to deprecate/remove such code base. Other than maintenance it >> invariably also becomes source of security issues. >> >> Ex.(similar to Fedora) we could announce such candidate on qemu-devel list and >> after review over a period of say a month, candidate will be >> deprecated/expunged. (thinking aloud) > > QEMU has a deprecation process: > > https://qemu.weilnetz.de/doc/qemu-doc.html#Deprecated-features > > Most of the stuff deprecated is CLI args / monitor commands, etc where > mgmt apps just adjust the way they are calling QEMU, so end user's VMs > are largely not impacted. > > Deprecating a device type that is widely used is not desirable because > that will cause breakage of existing guests. Distros are free to disable > devices in their builds if they want to reduce the scope for CVEs in > packages they maintain, but again they should think carefully about how > many users they are going to break by doing so. I agree with what Daniel said. Deprecating something that is in heavy use by users just because we have trouble maintaining it not going to help the QEMU project - quite the opposite. ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [libvirt] [PATCH 3/3] cirrus: mark as deprecated 2018-10-25 20:37 ` Daniel P. Berrangé 2018-10-26 7:03 ` P J P @ 2018-10-26 8:48 ` Cole Robinson 2018-10-26 9:43 ` Daniel P. Berrangé 2018-10-29 9:12 ` [Qemu-devel] " Gerd Hoffmann 2 siblings, 1 reply; 35+ messages in thread From: Cole Robinson @ 2018-10-26 8:48 UTC (permalink / raw) To: Daniel P. Berrangé, Gerd Hoffmann Cc: libvir-list, qemu-devel, Prasad J Pandit On 10/25/2018 09:37 PM, Daniel P. Berrangé wrote: > On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote: >> While being at it deprecate cirrus too. >> >> Reason (short version): use stdvga instead. >> Verbose version: >> https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful > > Every single one of my guests is using cirrus. This wasn't an explicit > choice on my part, so I believe it is being used as the default in > virt-install. > virt-manager/virt-install 2.0.0 will never explicitly set cirrus, but that release is quite new. The previous release's default for x86 was roughly: if using spice graphics: use qxl elif guest os is windows: use vga else: use cirrus It was definitely sub optimal. Maybe your virt-install commands were explicitly setting --graphics vnc which would trigger cirrus in that case. > I don't debate the points in the blog post above that stdvga is a > better choice, but I don't think that's enough to justify deprecating > cirrus at this point in time, because when it then gets deleted it > will break way too many existing deployments. > > We need to socialize info in that blog post above more widely and > especially ensure that apps are not using that by default. I don't > see it being viable to formally deprecate it in QEMU any time soon > though given existing usage. ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [libvirt] [PATCH 3/3] cirrus: mark as deprecated 2018-10-26 8:48 ` Cole Robinson @ 2018-10-26 9:43 ` Daniel P. Berrangé 0 siblings, 0 replies; 35+ messages in thread From: Daniel P. Berrangé @ 2018-10-26 9:43 UTC (permalink / raw) To: Cole Robinson; +Cc: Gerd Hoffmann, libvir-list, qemu-devel, Prasad J Pandit On Fri, Oct 26, 2018 at 09:48:35AM +0100, Cole Robinson wrote: > On 10/25/2018 09:37 PM, Daniel P. Berrangé wrote: > > On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote: > > > While being at it deprecate cirrus too. > > > > > > Reason (short version): use stdvga instead. > > > Verbose version: > > > https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful > > > > Every single one of my guests is using cirrus. This wasn't an explicit > > choice on my part, so I believe it is being used as the default in > > virt-install. > > > > virt-manager/virt-install 2.0.0 will never explicitly set cirrus, but that > release is quite new. The previous release's default for x86 was roughly: > > if using spice graphics: > use qxl > elif guest os is windows: > use vga > else: > use cirrus > > It was definitely sub optimal. Maybe your virt-install commands were > explicitly setting --graphics vnc which would trigger cirrus in that case. Yep, I've always tended to use vnc, since QXL has historically been a pretty buggy & unreliable device model with guests often breaking. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-25 20:37 ` Daniel P. Berrangé 2018-10-26 7:03 ` P J P 2018-10-26 8:48 ` Cole Robinson @ 2018-10-29 9:12 ` Gerd Hoffmann 2018-10-30 18:00 ` Daniel P. Berrangé 2 siblings, 1 reply; 35+ messages in thread From: Gerd Hoffmann @ 2018-10-29 9:12 UTC (permalink / raw) To: Daniel P. Berrangé; +Cc: qemu-devel, libvir-list, Prasad J Pandit On Thu, Oct 25, 2018 at 09:37:58PM +0100, Daniel P. Berrangé wrote: > On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote: > > While being at it deprecate cirrus too. > > > > Reason (short version): use stdvga instead. > > Verbose version: > > https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful > > Every single one of my guests is using cirrus. This wasn't an explicit > choice on my part, so I believe it is being used as the default in > virt-install. > > I don't debate the points in the blog post above that stdvga is a > better choice, but I don't think that's enough to justify deprecating > cirrus at this point in time, because when it then gets deleted it > will break way too many existing deployments. > > We need to socialize info in that blog post above more widely and > especially ensure that apps are not using that by default. I don't > see it being viable to formally deprecate it in QEMU any time soon > though given existing usage. Well, getting that message to the users is the point of deprecating it. I think in this specific case we'll need a longer (maybe much longer) deprecation period than only two releases. But I think it still makes sense to deprecate it now. In qemu it isn't the default any more since release 2.2. libvirt switched the default not too long after that. Not fully sure how things look like higher up the stack. cheers, Gerd ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated 2018-10-29 9:12 ` [Qemu-devel] " Gerd Hoffmann @ 2018-10-30 18:00 ` Daniel P. Berrangé 0 siblings, 0 replies; 35+ messages in thread From: Daniel P. Berrangé @ 2018-10-30 18:00 UTC (permalink / raw) To: Gerd Hoffmann; +Cc: qemu-devel, libvir-list, Prasad J Pandit On Mon, Oct 29, 2018 at 10:12:44AM +0100, Gerd Hoffmann wrote: > On Thu, Oct 25, 2018 at 09:37:58PM +0100, Daniel P. Berrangé wrote: > > On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote: > > > While being at it deprecate cirrus too. > > > > > > Reason (short version): use stdvga instead. > > > Verbose version: > > > https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful > > > > Every single one of my guests is using cirrus. This wasn't an explicit > > choice on my part, so I believe it is being used as the default in > > virt-install. > > > > I don't debate the points in the blog post above that stdvga is a > > better choice, but I don't think that's enough to justify deprecating > > cirrus at this point in time, because when it then gets deleted it > > will break way too many existing deployments. > > > > We need to socialize info in that blog post above more widely and > > especially ensure that apps are not using that by default. I don't > > see it being viable to formally deprecate it in QEMU any time soon > > though given existing usage. > > Well, getting that message to the users is the point of deprecating it. > I think in this specific case we'll need a longer (maybe much longer) > deprecation period than only two releases. But I think it still makes > sense to deprecate it now. As mentioned elsewhere in this thread, I think it is important that QEMU distinction between devices that are best practice / recommended for use with KVM virt, vs devices that exist solely for sake of emulating hardware for use with old platforms. I agree that cirrus doesn't have a place in a KVM guest for future, but I don't thjink that means it should be deprecated & removed from QEMU entirely, as its still relevant from POV of QEMU's goal to emulate old hardware platforms. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| ^ permalink raw reply [flat|nested] 35+ messages in thread
end of thread, other threads:[~2018-10-30 18:01 UTC | newest] Thread overview: 35+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-10-25 8:52 [Qemu-devel] [PATCH 0/3] RfC: add support for deprecated devices Gerd Hoffmann 2018-10-25 8:52 ` [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass Gerd Hoffmann 2018-10-25 10:50 ` P J P 2018-10-25 11:12 ` Philippe Mathieu-Daudé 2018-10-29 9:19 ` Gerd Hoffmann 2018-10-25 8:52 ` [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated Gerd Hoffmann 2018-10-25 10:56 ` P J P 2018-10-25 20:40 ` [Qemu-devel] [libvirt] " Daniel P. Berrangé 2018-10-26 7:08 ` P J P 2018-10-26 9:54 ` Daniel P. Berrangé 2018-10-26 12:35 ` P J P 2018-10-25 11:15 ` [Qemu-devel] " Philippe Mathieu-Daudé 2018-10-25 20:27 ` Thomas Huth 2018-10-26 8:48 ` Paolo Bonzini 2018-10-26 9:34 ` P J P 2018-10-26 10:01 ` Paolo Bonzini 2018-10-26 11:53 ` P J P 2018-10-29 9:05 ` Gerd Hoffmann 2018-10-25 8:52 ` [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated Gerd Hoffmann 2018-10-25 10:59 ` P J P 2018-10-25 11:17 ` Philippe Mathieu-Daudé 2018-10-25 20:28 ` Thomas Huth 2018-10-25 20:37 ` Daniel P. Berrangé 2018-10-26 7:03 ` P J P 2018-10-26 9:42 ` Daniel P. Berrangé 2018-10-26 9:59 ` Daniel P. Berrangé 2018-10-26 10:03 ` Paolo Bonzini 2018-10-26 14:14 ` Daniel P. Berrangé 2018-10-26 18:56 ` P J P 2018-10-26 10:40 ` Dr. David Alan Gilbert 2018-10-26 13:25 ` [Qemu-devel] [libvirt] " Christian Borntraeger 2018-10-26 8:48 ` Cole Robinson 2018-10-26 9:43 ` Daniel P. Berrangé 2018-10-29 9:12 ` [Qemu-devel] " Gerd Hoffmann 2018-10-30 18:00 ` Daniel P. Berrangé
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.