Message ID | 20190703135411.28436-1-berrange@redhat.com |
---|---|
State | New |
Headers | show |
Series | doc: document that the monitor console is a privileged control interface | expand |
On 7/3/19 3:54 PM, Daniel P. Berrangé wrote: > A supposed exploit of QEMU was recently announced as CVE-2019-12928 > claiming that the monitor console was insecure because the "migrate" > comand enabled arbitrary command execution for a remote attacker. > > For this to be a flaw the user launching QEMU must have configured > the monitor in a way that allows for other userrs to access it. The > exploit report quoted use of the "tcp" character device backend for > QMP. > > This would indeed allow any network user to connect to QEMU and > execute arbitrary comamnds, however, this is not a flaw in QEMU. comamnds -> commands > It is the normal expected behaviour of the monitor console and the > commands it supports. Given a monitor connection, there are many > ways to access host filesystem content besides the migrate command. > > The reality is that the monitor console (whether QMP or HMP) is > considered a privileged interface to QEMU and as such must only > be made available to trusted users. IOW, making it available with > no authentication over TCP is simply a, very serious, user > configuration error not a security flaw in QEMU itself. > > The one thing this bogus security report highlights though is that > we have not clearly documented the security implications around the > use of the monitor. Add a few paragraphs of text to the security > docs explaining why the monitor is a privileged interface and making > a recommendation to only use the UNIX socket character device backend. > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > --- > docs/security.texi | 36 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 36 insertions(+) > > diff --git a/docs/security.texi b/docs/security.texi > index 927764f1e6..5bff01449d 100644 > --- a/docs/security.texi > +++ b/docs/security.texi > @@ -129,3 +129,39 @@ those resources that were granted to it. > system calls that are not needed by QEMU, thereby reducing the host kernel > attack surface. > @end itemize > + > +@section Sensitive configurations > + > +There are aspects of QEMU that can have non-obvious security implications > +which users & management applications must be aware of. > + > +@subsection Monitor console (QMP and HMP) > + > +The monitor console (whether used with QMP or HMP) provides an RPC interface > +to dynamically control many aspects of QEMU's runtime operation. Many of the > +commands exposed will instruct QEMU to access content on the host filesysystem > +and/or trigger spawning of external processes. > + > +For example, the @code{migrate} command allows for the spawning of arbitrary > +processes for the purpose of tunnelling the migration data stream. The > +@code{blockdev-add} command instructs QEMU to open arbitrary files, exposing > +their content to the guest as a virtual disk. > + > +Unless QEMU is otherwise confined using technologies such as SELinux, AppArmor, > +or Linux namespaces, the monitor console should be considered to have privileges > +equivalent to those of the user account QEMU is running under. > + > +It is further important to consider the security of the character device backend > +over which the monitor console is exposed. It needs to have protection against > +malicious third parties which might try to make unauthorized connections, or > +perform man-in-the-middle attacks. Many of the character device backends do not > +satisfy this requirement and so must not be used for the monitor console. > + > +The general recommendation is that the monitor console should be exposed over > +a UNIX domain socket backend to the local host only. Use of the TCP based > +character device backend is inappropriate unless configured to use both TLS > +encryption and authorization control policy on client connections. > + > +In summary the monitor console is considered a privileged control interface to I'd have written "In summary, " or "In summary: " but I'm not sure this is correct/better ;) > +QEMU and as such should only be made accessible to a trusted management > +application or user. > Thanks for writing this down. Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
On Wed, Jul 03, 2019 at 04:24:26PM +0200, Philippe Mathieu-Daudé wrote: > On 7/3/19 3:54 PM, Daniel P. Berrangé wrote: > > A supposed exploit of QEMU was recently announced as CVE-2019-12928 > > claiming that the monitor console was insecure because the "migrate" > > comand enabled arbitrary command execution for a remote attacker. > > > > For this to be a flaw the user launching QEMU must have configured > > the monitor in a way that allows for other userrs to access it. The > > exploit report quoted use of the "tcp" character device backend for > > QMP. > > > > This would indeed allow any network user to connect to QEMU and > > execute arbitrary comamnds, however, this is not a flaw in QEMU. > > comamnds -> commands > > > It is the normal expected behaviour of the monitor console and the > > commands it supports. Given a monitor connection, there are many > > ways to access host filesystem content besides the migrate command. > > > > The reality is that the monitor console (whether QMP or HMP) is > > considered a privileged interface to QEMU and as such must only > > be made available to trusted users. IOW, making it available with > > no authentication over TCP is simply a, very serious, user > > configuration error not a security flaw in QEMU itself. > > > > The one thing this bogus security report highlights though is that > > we have not clearly documented the security implications around the > > use of the monitor. Add a few paragraphs of text to the security > > docs explaining why the monitor is a privileged interface and making > > a recommendation to only use the UNIX socket character device backend. > > > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > > --- > > docs/security.texi | 36 ++++++++++++++++++++++++++++++++++++ > > 1 file changed, 36 insertions(+) > > > > diff --git a/docs/security.texi b/docs/security.texi > > index 927764f1e6..5bff01449d 100644 > > --- a/docs/security.texi > > +++ b/docs/security.texi > > @@ -129,3 +129,39 @@ those resources that were granted to it. > > system calls that are not needed by QEMU, thereby reducing the host kernel > > attack surface. > > @end itemize > > + > > +@section Sensitive configurations > > + > > +There are aspects of QEMU that can have non-obvious security implications > > +which users & management applications must be aware of. > > + > > +@subsection Monitor console (QMP and HMP) > > + > > +The monitor console (whether used with QMP or HMP) provides an RPC interface > > +to dynamically control many aspects of QEMU's runtime operation. Many of the > > +commands exposed will instruct QEMU to access content on the host filesysystem > > +and/or trigger spawning of external processes. > > + > > +For example, the @code{migrate} command allows for the spawning of arbitrary > > +processes for the purpose of tunnelling the migration data stream. The > > +@code{blockdev-add} command instructs QEMU to open arbitrary files, exposing > > +their content to the guest as a virtual disk. > > + > > +Unless QEMU is otherwise confined using technologies such as SELinux, AppArmor, > > +or Linux namespaces, the monitor console should be considered to have privileges > > +equivalent to those of the user account QEMU is running under. > > + > > +It is further important to consider the security of the character device backend > > +over which the monitor console is exposed. It needs to have protection against > > +malicious third parties which might try to make unauthorized connections, or > > +perform man-in-the-middle attacks. Many of the character device backends do not > > +satisfy this requirement and so must not be used for the monitor console. > > + > > +The general recommendation is that the monitor console should be exposed over > > +a UNIX domain socket backend to the local host only. Use of the TCP based > > +character device backend is inappropriate unless configured to use both TLS > > +encryption and authorization control policy on client connections. > > + > > +In summary the monitor console is considered a privileged control interface to > > I'd have written "In summary, " or "In summary: " but I'm not sure this > is correct/better ;) Using a comma is a reasonable thing here. > > > +QEMU and as such should only be made accessible to a trusted management > > +application or user. > > > > Thanks for writing this down. > > Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Regards, Daniel
On 7/3/19 8:54 AM, Daniel P. Berrangé wrote: > A supposed exploit of QEMU was recently announced as CVE-2019-12928 > claiming that the monitor console was insecure because the "migrate" > comand enabled arbitrary command execution for a remote attacker. command > > For this to be a flaw the user launching QEMU must have configured > the monitor in a way that allows for other userrs to access it. The users > exploit report quoted use of the "tcp" character device backend for > QMP. > -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org
Patchew URL: https://patchew.org/QEMU/20190703135411.28436-1-berrange@redhat.com/ Hi, This series failed the asan build test. Please find the testing commands and their output below. If you have Docker installed, you can probably reproduce it locally. === TEST SCRIPT BEGIN === #!/bin/bash make docker-image-fedora V=1 NETWORK=1 time make docker-test-debug@fedora TARGET_LIST=x86_64-softmmu J=14 NETWORK=1 === TEST SCRIPT END === PASS 10 test-qobject-input-visitor /visitor/input/bool_str_fail PASS 11 test-qobject-input-visitor /visitor/input/number PASS 12 test-qobject-input-visitor /visitor/input/large_number ==7823==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 13 test-qobject-input-visitor /visitor/input/number_keyval PASS 14 test-qobject-input-visitor /visitor/input/number_str_keyval PASS 15 test-qobject-input-visitor /visitor/input/number_str_fail --- PASS 32 test-opts-visitor /visitor/opts/range/beyond PASS 33 test-opts-visitor /visitor/opts/dict/unvisited MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-coroutine -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-coroutine" ==7867==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==7867==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd08026000; bottom 0x7f0dee0f8000; size: 0x00ef19f2e000 (1026932531200) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 1 test-coroutine /basic/no-dangling-access --- PASS 12 test-aio /aio/event/flush PASS 13 test-aio /aio/event/wait/no-flush-cb PASS 11 fdc-test /x86_64/fdc/read_no_dma_18 ==7882==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 14 test-aio /aio/timer/schedule PASS 15 test-aio /aio/coroutine/queue-chaining PASS 16 test-aio /aio-gsource/flush --- PASS 28 test-aio /aio-gsource/timer/schedule MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-aio-multithread -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-aio-multithread" PASS 1 test-aio-multithread /aio/multi/lifecycle ==7888==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 test-aio-multithread /aio/multi/schedule PASS 12 fdc-test /x86_64/fdc/read_no_dma_19 PASS 13 fdc-test /x86_64/fdc/fuzz-registers PASS 3 test-aio-multithread /aio/multi/mutex/contended MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/ide-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="ide-test" ==7916==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 ide-test /x86_64/ide/identify ==7922==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 test-aio-multithread /aio/multi/mutex/handoff PASS 2 ide-test /x86_64/ide/flush ==7933==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 5 test-aio-multithread /aio/multi/mutex/mcs PASS 3 ide-test /x86_64/ide/bmdma/simple_rw ==7944==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 test-aio-multithread /aio/multi/mutex/pthread PASS 4 ide-test /x86_64/ide/bmdma/trim MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-throttle -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-throttle" --- PASS 5 test-throttle /throttle/have_timer PASS 6 test-throttle /throttle/detach_attach PASS 7 test-throttle /throttle/config_functions ==7953==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 test-throttle /throttle/accounting PASS 9 test-throttle /throttle/groups PASS 10 test-throttle /throttle/config/enabled --- PASS 13 test-throttle /throttle/config/ranges PASS 14 test-throttle /throttle/config/max PASS 15 test-throttle /throttle/config/iops_size ==7951==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-thread-pool -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-thread-pool" PASS 5 ide-test /x86_64/ide/bmdma/short_prdt PASS 1 test-thread-pool /thread-pool/submit PASS 2 test-thread-pool /thread-pool/submit-aio ==7963==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 test-thread-pool /thread-pool/submit-co PASS 4 test-thread-pool /thread-pool/submit-many ==7965==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 ide-test /x86_64/ide/bmdma/one_sector_short_prdt ==8036==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 5 test-thread-pool /thread-pool/cancel PASS 7 ide-test /x86_64/ide/bmdma/long_prdt ==8042==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8042==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd58f8c000; bottom 0x7f3af5dfe000; size: 0x00c26318e000 (834886230016) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 8 ide-test /x86_64/ide/bmdma/no_busmaster --- PASS 3 test-hbitmap /hbitmap/size/unaligned PASS 4 test-hbitmap /hbitmap/iter/empty PASS 5 test-hbitmap /hbitmap/iter/partial ==8059==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 test-hbitmap /hbitmap/iter/granularity PASS 7 test-hbitmap /hbitmap/iter/iter_and_reset PASS 8 test-hbitmap /hbitmap/get/all --- PASS 14 test-hbitmap /hbitmap/set/twice PASS 15 test-hbitmap /hbitmap/set/overlap PASS 16 test-hbitmap /hbitmap/reset/empty ==8064==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 17 test-hbitmap /hbitmap/reset/general PASS 18 test-hbitmap /hbitmap/reset/all PASS 19 test-hbitmap /hbitmap/truncate/nop --- PASS 29 test-hbitmap /hbitmap/truncate/shrink/large PASS 30 test-hbitmap /hbitmap/meta/zero PASS 11 ide-test /x86_64/ide/flush/retry_pci ==8070==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 12 ide-test /x86_64/ide/flush/retry_isa ==8076==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 13 ide-test /x86_64/ide/cdrom/pio ==8082==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 14 ide-test /x86_64/ide/cdrom/pio_large ==8088==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 31 test-hbitmap /hbitmap/meta/one PASS 32 test-hbitmap /hbitmap/meta/byte PASS 33 test-hbitmap /hbitmap/meta/word --- MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/ahci-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="ahci-test" PASS 34 test-hbitmap /hbitmap/meta/sector PASS 35 test-hbitmap /hbitmap/serialize/align ==8102==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 ahci-test /x86_64/ahci/sanity ==8108==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 36 test-hbitmap /hbitmap/serialize/basic PASS 37 test-hbitmap /hbitmap/serialize/part PASS 38 test-hbitmap /hbitmap/serialize/zeroes --- PASS 43 test-hbitmap /hbitmap/next_dirty_area/next_dirty_area_4 MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-bdrv-drain -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-bdrv-drain" PASS 2 ahci-test /x86_64/ahci/pci_spec ==8116==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-bdrv-drain /bdrv-drain/nested PASS 2 test-bdrv-drain /bdrv-drain/multiparent PASS 3 test-bdrv-drain /bdrv-drain/set_aio_context --- PASS 29 test-bdrv-drain /bdrv-drain/blockjob/iothread/drain_subtree PASS 30 test-bdrv-drain /bdrv-drain/blockjob/iothread/error/drain_all PASS 31 test-bdrv-drain /bdrv-drain/blockjob/iothread/error/drain ==8118==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 32 test-bdrv-drain /bdrv-drain/blockjob/iothread/error/drain_subtree PASS 33 test-bdrv-drain /bdrv-drain/deletion/drain PASS 34 test-bdrv-drain /bdrv-drain/detach/drain_all --- PASS 38 test-bdrv-drain /bdrv-drain/detach/driver_cb PASS 39 test-bdrv-drain /bdrv-drain/attach/drain MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-bdrv-graph-mod -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-bdrv-graph-mod" ==8162==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-bdrv-graph-mod /bdrv-graph-mod/update-perm-tree PASS 2 test-bdrv-graph-mod /bdrv-graph-mod/should-update-child PASS 3 ahci-test /x86_64/ahci/pci_enable MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-blockjob -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-blockjob" ==8168==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-blockjob /blockjob/ids PASS 2 test-blockjob /blockjob/cancel/created PASS 3 test-blockjob /blockjob/cancel/running PASS 4 test-blockjob /blockjob/cancel/paused PASS 5 test-blockjob /blockjob/cancel/ready PASS 6 test-blockjob /blockjob/cancel/standby ==8166==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 test-blockjob /blockjob/cancel/pending PASS 8 test-blockjob /blockjob/cancel/concluded MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-blockjob-txn -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-blockjob-txn" ==8178==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-blockjob-txn /single/success PASS 2 test-blockjob-txn /single/failure PASS 3 test-blockjob-txn /single/cancel --- PASS 7 test-blockjob-txn /pair/fail-cancel-race PASS 4 ahci-test /x86_64/ahci/hba_spec MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-block-backend -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-block-backend" ==8184==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8182==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-block-backend /block-backend/drain_aio_error PASS 2 test-block-backend /block-backend/drain_all_aio_error MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-block-iothread -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-block-iothread" ==8194==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-block-iothread /sync-op/pread PASS 2 test-block-iothread /sync-op/pwrite PASS 3 test-block-iothread /sync-op/load_vmstate --- PASS 16 test-block-iothread /propagate/mirror PASS 5 ahci-test /x86_64/ahci/hba_enable MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-image-locking -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-image-locking" ==8214==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8216==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-image-locking /image-locking/basic PASS 2 test-image-locking /image-locking/set-perm-abort MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-x86-cpuid -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-x86-cpuid" --- PASS 4 test-xbzrle /xbzrle/encode_decode_1_byte PASS 5 test-xbzrle /xbzrle/encode_decode_overflow PASS 6 ahci-test /x86_64/ahci/identify ==8232==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 test-xbzrle /xbzrle/encode_decode MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-vmstate -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-vmstate" PASS 1 test-vmstate /vmstate/tmp_struct --- PASS 1 test-mul64 /host-utils/mulu64 PASS 2 test-mul64 /host-utils/muls64 MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-int128 -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-int128" ==8252==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-int128 /int128/int128_and PASS 2 test-int128 /int128/int128_add PASS 3 test-int128 /int128/int128_sub --- MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/rcutorture -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="rcutorture" PASS 1 rcutorture /rcu/torture/1reader PASS 8 ahci-test /x86_64/ahci/reset ==8293==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 rcutorture /rcu/torture/10readers ==8293==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd586aa000; bottom 0x7fa2499fe000; size: 0x005b0ecac000 (391090192384) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-rcu-list -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-rcu-list" PASS 9 ahci-test /x86_64/ahci/io/pio/lba28/simple/zero ==8306==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-rcu-list /rcu/qlist/single-threaded ==8306==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffc9cde0000; bottom 0x7fb018bfe000; size: 0x004c841e2000 (328634081280) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 10 ahci-test /x86_64/ahci/io/pio/lba28/simple/low PASS 2 test-rcu-list /rcu/qlist/short-few ==8318==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8318==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd58b20000; bottom 0x7fc860dfe000; size: 0x0034f7d22000 (227496042496) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 11 ahci-test /x86_64/ahci/io/pio/lba28/simple/high PASS 3 test-rcu-list /rcu/qlist/long-many MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-rcu-simpleq -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-rcu-simpleq" ==8345==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8345==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd9ac2f000; bottom 0x7f2214bfe000; size: 0x00db86031000 (942846185472) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 12 ahci-test /x86_64/ahci/io/pio/lba28/double/zero PASS 1 test-rcu-simpleq /rcu/qsimpleq/single-threaded ==8358==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8358==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffcf7a6e000; bottom 0x7f5e7e9fe000; size: 0x009e79070000 (680635334656) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 2 test-rcu-simpleq /rcu/qsimpleq/short-few PASS 13 ahci-test /x86_64/ahci/io/pio/lba28/double/low ==8391==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8391==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe62ebf000; bottom 0x7fad9dffe000; size: 0x0050c4ec1000 (346901188608) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 14 ahci-test /x86_64/ahci/io/pio/lba28/double/high PASS 3 test-rcu-simpleq /rcu/qsimpleq/long-many MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-rcu-tailq -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-rcu-tailq" ==8397==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8397==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fffa7e2c000; bottom 0x7f2bce1fe000; size: 0x00d3d9c2e000 (909891526656) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 1 test-rcu-tailq /rcu/qtailq/single-threaded PASS 15 ahci-test /x86_64/ahci/io/pio/lba28/long/zero ==8416==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 test-rcu-tailq /rcu/qtailq/short-few ==8416==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe7a17c000; bottom 0x7ff765dfe000; size: 0x00071437e000 (30403977216) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 16 ahci-test /x86_64/ahci/io/pio/lba28/long/low ==8443==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8443==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffeb6f09000; bottom 0x7f836b77c000; size: 0x007b4b78d000 (529547186176) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 3 test-rcu-tailq /rcu/qtailq/long-many --- PASS 8 test-qdist /qdist/binning/shrink MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qht -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qht" PASS 17 ahci-test /x86_64/ahci/io/pio/lba28/long/high ==8458==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 18 ahci-test /x86_64/ahci/io/pio/lba28/short/zero ==8464==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 19 ahci-test /x86_64/ahci/io/pio/lba28/short/low ==8470==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 20 ahci-test /x86_64/ahci/io/pio/lba28/short/high ==8476==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8476==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffeda91d000; bottom 0x7f57a17fe000; size: 0x00a73911f000 (718217015296) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 21 ahci-test /x86_64/ahci/io/pio/lba48/simple/zero ==8482==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8482==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffdbefac000; bottom 0x7f26d53fe000; size: 0x00d6e9bae000 (923044339712) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 22 ahci-test /x86_64/ahci/io/pio/lba48/simple/low ==8488==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8488==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffcb2e38000; bottom 0x7f46c8ffe000; size: 0x00b5e9e3a000 (781313089536) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 23 ahci-test /x86_64/ahci/io/pio/lba48/simple/high ==8494==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8494==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe69cc5000; bottom 0x7f7de6ffe000; size: 0x008082cc7000 (551950249984) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 24 ahci-test /x86_64/ahci/io/pio/lba48/double/zero ==8500==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8500==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fff171a2000; bottom 0x7f24707fe000; size: 0x00daa69a4000 (939097997312) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 25 ahci-test /x86_64/ahci/io/pio/lba48/double/low ==8506==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8506==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd54e65000; bottom 0x7f4f185fe000; size: 0x00ae3c867000 (748339752960) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 26 ahci-test /x86_64/ahci/io/pio/lba48/double/high ==8512==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8512==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe55c04000; bottom 0x7f87651fe000; size: 0x0076f0a06000 (510843183104) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 27 ahci-test /x86_64/ahci/io/pio/lba48/long/zero PASS 1 test-qht /qht/mode/default PASS 2 test-qht /qht/mode/resize MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qht-par -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qht-par" ==8518==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8518==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fff5c00b000; bottom 0x7f1bfabfe000; size: 0x00e36140d000 (976589213696) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 28 ahci-test /x86_64/ahci/io/pio/lba48/long/low PASS 1 test-qht-par /qht/parallel/2threads-0%updates-1s ==8534==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8534==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fff91e71000; bottom 0x7fdd3c3fe000; size: 0x002255a73000 (147465908224) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 2 test-qht-par /qht/parallel/2threads-20%updates-1s --- PASS 4 test-bitcnt /bitcnt/ctpop64 MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qdev-global-props -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qdev-global-props" PASS 1 test-qdev-global-props /qdev/properties/static/default ==8557==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 test-qdev-global-props /qdev/properties/static/global PASS 3 test-qdev-global-props /qdev/properties/dynamic/global PASS 4 test-qdev-global-props /qdev/properties/global/subclass --- PASS 3 test-write-threshold /write-threshold/multi-set-get PASS 4 test-write-threshold /write-threshold/not-trigger PASS 5 test-write-threshold /write-threshold/trigger ==8586==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-crypto-hash -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-crypto-hash" PASS 1 test-crypto-hash /crypto/hash/iov PASS 2 test-crypto-hash /crypto/hash/alloc --- PASS 15 test-crypto-secret /crypto/secret/crypt/missingiv PASS 16 test-crypto-secret /crypto/secret/crypt/badiv MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-crypto-tlscredsx509 -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-crypto-tlscredsx509" ==8616==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 32 ahci-test /x86_64/ahci/io/pio/lba48/short/high PASS 1 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/perfectserver PASS 2 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/perfectclient PASS 3 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodca1 ==8631==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodca2 PASS 33 ahci-test /x86_64/ahci/io/dma/lba28/fragmented PASS 5 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodca3 PASS 6 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badca1 PASS 7 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badca2 PASS 8 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badca3 ==8637==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 9 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver1 PASS 34 ahci-test /x86_64/ahci/io/dma/lba28/retry ==8643==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver2 PASS 11 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver3 PASS 35 ahci-test /x86_64/ahci/io/dma/lba28/simple/zero ==8649==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 12 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver4 PASS 13 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver5 PASS 14 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver6 PASS 36 ahci-test /x86_64/ahci/io/dma/lba28/simple/low ==8655==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 15 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver7 PASS 16 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badserver1 PASS 17 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badserver2 --- PASS 37 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/missingca PASS 38 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/missingserver PASS 39 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/missingclient ==8661==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-crypto-tlssession -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-crypto-tlssession" PASS 38 ahci-test /x86_64/ahci/io/dma/lba28/double/zero ==8672==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-crypto-tlssession /qcrypto/tlssession/psk PASS 39 ahci-test /x86_64/ahci/io/dma/lba28/double/low PASS 2 test-crypto-tlssession /qcrypto/tlssession/basicca PASS 3 test-crypto-tlssession /qcrypto/tlssession/differentca ==8678==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 test-crypto-tlssession /qcrypto/tlssession/altname1 PASS 5 test-crypto-tlssession /qcrypto/tlssession/altname2 PASS 40 ahci-test /x86_64/ahci/io/dma/lba28/double/high ==8684==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 test-crypto-tlssession /qcrypto/tlssession/altname3 PASS 7 test-crypto-tlssession /qcrypto/tlssession/altname4 PASS 41 ahci-test /x86_64/ahci/io/dma/lba28/long/zero PASS 8 test-crypto-tlssession /qcrypto/tlssession/altname5 ==8690==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 9 test-crypto-tlssession /qcrypto/tlssession/altname6 PASS 42 ahci-test /x86_64/ahci/io/dma/lba28/long/low ==8696==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 test-crypto-tlssession /qcrypto/tlssession/wildcard1 PASS 43 ahci-test /x86_64/ahci/io/dma/lba28/long/high ==8702==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 11 test-crypto-tlssession /qcrypto/tlssession/wildcard2 PASS 44 ahci-test /x86_64/ahci/io/dma/lba28/short/zero ==8708==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 12 test-crypto-tlssession /qcrypto/tlssession/wildcard3 PASS 13 test-crypto-tlssession /qcrypto/tlssession/wildcard4 PASS 14 test-crypto-tlssession /qcrypto/tlssession/wildcard5 PASS 45 ahci-test /x86_64/ahci/io/dma/lba28/short/low PASS 15 test-crypto-tlssession /qcrypto/tlssession/wildcard6 ==8714==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 46 ahci-test /x86_64/ahci/io/dma/lba28/short/high PASS 16 test-crypto-tlssession /qcrypto/tlssession/cachain MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qga -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qga" ==8720==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-qga /qga/sync-delimited PASS 2 test-qga /qga/sync PASS 3 test-qga /qga/ping --- PASS 15 test-qga /qga/invalid-cmd PASS 16 test-qga /qga/invalid-args PASS 17 test-qga /qga/fsfreeze-status ==8732==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 18 test-qga /qga/blacklist PASS 19 test-qga /qga/config PASS 48 ahci-test /x86_64/ahci/io/dma/lba48/simple/low PASS 20 test-qga /qga/guest-exec PASS 21 test-qga /qga/guest-exec-invalid ==8745==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 22 test-qga /qga/guest-get-osinfo PASS 23 test-qga /qga/guest-get-host-name PASS 24 test-qga /qga/guest-get-timezone --- MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-authz-simple -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-authz-simple" PASS 1 test-authz-simple /authz/simple MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-authz-list -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-authz-list" ==8765==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-authz-list /auth/list/complex PASS 2 test-authz-list /auth/list/add-remove PASS 3 test-authz-list /auth/list/default/deny --- PASS 4 test-io-channel-file /io/channel/pipe/sync PASS 5 test-io-channel-file /io/channel/pipe/async MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-io-channel-tls -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-io-channel-tls" ==8849==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-io-channel-tls /qio/channel/tls/basic MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-io-channel-command -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-io-channel-command" PASS 1 test-io-channel-command /io/channel/command/fifo/sync --- PASS 3 test-crypto-afsplit /crypto/afsplit/sha256/big PASS 4 test-crypto-afsplit /crypto/afsplit/sha1/1000 MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-crypto-xts -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-crypto-xts" ==8878==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-crypto-xts /crypto/xts/t-1-key-32-ptx-32/basic PASS 2 test-crypto-xts /crypto/xts/t-1-key-32-ptx-32/split PASS 3 test-crypto-xts /crypto/xts/t-1-key-32-ptx-32/unaligned --- PASS 1 test-logging /logging/parse_range PASS 2 test-logging /logging/parse_path MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-replication -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-replication" ==8914==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 52 ahci-test /x86_64/ahci/io/dma/lba48/double/high PASS 1 test-replication /replication/primary/read ==8918==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 test-replication /replication/primary/write PASS 3 test-replication /replication/primary/start PASS 4 test-replication /replication/primary/stop PASS 5 test-replication /replication/primary/do_checkpoint PASS 6 test-replication /replication/primary/get_error_all PASS 53 ahci-test /x86_64/ahci/io/dma/lba48/long/zero ==8924==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 test-replication /replication/secondary/read PASS 54 ahci-test /x86_64/ahci/io/dma/lba48/long/low PASS 8 test-replication /replication/secondary/write ==8930==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 55 ahci-test /x86_64/ahci/io/dma/lba48/long/high ==8936==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8914==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffc04b2b000; bottom 0x7f65065fc000; size: 0x0096fe52f000 (648511942656) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 56 ahci-test /x86_64/ahci/io/dma/lba48/short/zero PASS 9 test-replication /replication/secondary/start ==8963==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 57 ahci-test /x86_64/ahci/io/dma/lba48/short/low ==8969==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 test-replication /replication/secondary/stop PASS 58 ahci-test /x86_64/ahci/io/dma/lba48/short/high ==8975==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 59 ahci-test /x86_64/ahci/io/ncq/simple ==8981==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 11 test-replication /replication/secondary/do_checkpoint PASS 60 ahci-test /x86_64/ahci/io/ncq/retry ==8987==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 12 test-replication /replication/secondary/get_error_all PASS 61 ahci-test /x86_64/ahci/flush/simple MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-bufferiszero -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-bufferiszero" ==8994==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 62 ahci-test /x86_64/ahci/flush/retry ==9003==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==9008==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 63 ahci-test /x86_64/ahci/flush/migrate ==9018==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==9023==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 64 ahci-test /x86_64/ahci/migrate/sanity ==9032==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==9037==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 65 ahci-test /x86_64/ahci/migrate/dma/simple ==9046==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==9051==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 66 ahci-test /x86_64/ahci/migrate/dma/halted ==9060==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==9065==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 67 ahci-test /x86_64/ahci/migrate/ncq/simple ==9074==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==9079==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 68 ahci-test /x86_64/ahci/migrate/ncq/halted ==9088==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 69 ahci-test /x86_64/ahci/cdrom/eject ==9093==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 70 ahci-test /x86_64/ahci/cdrom/dma/single ==9099==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 71 ahci-test /x86_64/ahci/cdrom/dma/multi ==9105==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 72 ahci-test /x86_64/ahci/cdrom/pio/single ==9111==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==9111==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffdea47f000; bottom 0x7f6c71dfe000; size: 0x009178681000 (624790343680) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 73 ahci-test /x86_64/ahci/cdrom/pio/multi ==9117==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-bufferiszero /cutils/bufferiszero MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-uuid -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-uuid" PASS 74 ahci-test /x86_64/ahci/cdrom/pio/bcl --- PASS 22 test-qgraph /qgraph/test_test_in_path PASS 23 test-qgraph /qgraph/test_double_edge PASS 1 hd-geo-test /x86_64/hd-geo/ide/none ==9148==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 hd-geo-test /x86_64/hd-geo/ide/drive/cd_0 ==9154==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 hd-geo-test /x86_64/hd-geo/ide/drive/mbr/blank ==9160==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 hd-geo-test /x86_64/hd-geo/ide/drive/mbr/lba ==9166==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 5 hd-geo-test /x86_64/hd-geo/ide/drive/mbr/chs ==9172==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 hd-geo-test /x86_64/hd-geo/ide/device/mbr/blank ==9178==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 hd-geo-test /x86_64/hd-geo/ide/device/mbr/lba ==9184==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 hd-geo-test /x86_64/hd-geo/ide/device/mbr/chs ==9190==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 9 hd-geo-test /x86_64/hd-geo/ide/device/user/chs ==9195==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 hd-geo-test /x86_64/hd-geo/ide/device/user/chst MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/boot-order-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="boot-order-test" PASS 1 boot-order-test /x86_64/boot-order/pc --- Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9263==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 bios-tables-test /x86_64/acpi/piix4 Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9269==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 bios-tables-test /x86_64/acpi/q35 Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9275==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 bios-tables-test /x86_64/acpi/piix4/bridge Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9281==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 bios-tables-test /x86_64/acpi/piix4/ipmi Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9287==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 5 bios-tables-test /x86_64/acpi/piix4/cpuhp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9294==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 bios-tables-test /x86_64/acpi/piix4/memhp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9300==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 bios-tables-test /x86_64/acpi/piix4/numamem Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9306==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 bios-tables-test /x86_64/acpi/piix4/dimmpxm Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9315==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 9 bios-tables-test /x86_64/acpi/q35/bridge Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9321==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 bios-tables-test /x86_64/acpi/q35/mmio64 Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9327==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 11 bios-tables-test /x86_64/acpi/q35/ipmi Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9333==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 12 bios-tables-test /x86_64/acpi/q35/cpuhp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9340==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 13 bios-tables-test /x86_64/acpi/q35/memhp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9346==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 14 bios-tables-test /x86_64/acpi/q35/numamem Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9352==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 15 bios-tables-test /x86_64/acpi/q35/dimmpxm MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/boot-serial-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="boot-serial-test" PASS 1 boot-serial-test /x86_64/boot-serial/isapc --- PASS 1 i440fx-test /x86_64/i440fx/defaults PASS 2 i440fx-test /x86_64/i440fx/pam PASS 3 i440fx-test /x86_64/i440fx/firmware/bios ==9436==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 i440fx-test /x86_64/i440fx/firmware/pflash MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/fw_cfg-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="fw_cfg-test" PASS 1 fw_cfg-test /x86_64/fw_cfg/signature --- MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/drive_del-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="drive_del-test" PASS 1 drive_del-test /x86_64/drive_del/without-dev PASS 2 drive_del-test /x86_64/drive_del/after_failed_device_add ==9524==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 drive_del-test /x86_64/blockdev/drive_del_device_del MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/wdt_ib700-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="wdt_ib700-test" PASS 1 wdt_ib700-test /x86_64/wdt_ib700/pause --- PASS 1 usb-hcd-uhci-test /x86_64/uhci/pci/init PASS 2 usb-hcd-uhci-test /x86_64/uhci/pci/port1 PASS 3 usb-hcd-uhci-test /x86_64/uhci/pci/hotplug ==9719==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 usb-hcd-uhci-test /x86_64/uhci/pci/hotplug/usb-storage MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/usb-hcd-xhci-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="usb-hcd-xhci-test" PASS 1 usb-hcd-xhci-test /x86_64/xhci/pci/init PASS 2 usb-hcd-xhci-test /x86_64/xhci/pci/hotplug ==9728==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 usb-hcd-xhci-test /x86_64/xhci/pci/hotplug/usb-uas PASS 4 usb-hcd-xhci-test /x86_64/xhci/pci/hotplug/usb-ccid MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/cpu-plug-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="cpu-plug-test" --- Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9834==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 vmgenid-test /x86_64/vmgenid/vmgenid/set-guid Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9840==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 vmgenid-test /x86_64/vmgenid/vmgenid/set-guid-auto Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9846==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 vmgenid-test /x86_64/vmgenid/vmgenid/query-monitor MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/tpm-crb-swtpm-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="tpm-crb-swtpm-test" SKIP 1 tpm-crb-swtpm-test /x86_64/tpm/crb-swtpm/test # SKIP swtpm not in PATH or missing --tpm2 support --- Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9951==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9956==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 migration-test /x86_64/migration/fd_proto Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9964==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9969==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 migration-test /x86_64/migration/postcopy/unix PASS 5 migration-test /x86_64/migration/postcopy/recovery Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9999==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10004==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 migration-test /x86_64/migration/precopy/unix Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10013==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10018==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 migration-test /x86_64/migration/precopy/tcp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10027==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10032==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 migration-test /x86_64/migration/xbzrle/unix MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/test-x86-cpuid-compat -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-x86-cpuid-compat" PASS 1 test-x86-cpuid-compat /x86/cpuid/parsing-plus-minus --- PASS 6 numa-test /x86_64/numa/pc/dynamic/cpu MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/qmp-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="qmp-test" PASS 1 qmp-test /x86_64/qmp/protocol ==10361==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 qmp-test /x86_64/qmp/oob PASS 3 qmp-test /x86_64/qmp/preconfig PASS 4 qmp-test /x86_64/qmp/missing-any-arg --- PASS 5 device-introspect-test /x86_64/device/introspect/abstract-interfaces ================================================================= ==10609==ERROR: LeakSanitizer: detected memory leaks Direct leak of 32 byte(s) in 1 object(s) allocated from: #0 0x560b787e3b6e in calloc (/tmp/qemu-test/build/x86_64-softmmu/qemu-system-x86_64+0x19f9b6e) --- SUMMARY: AddressSanitizer: 64 byte(s) leaked in 2 allocation(s). /tmp/qemu-test/src/tests/libqtest.c:137: kill_qemu() tried to terminate QEMU process but encountered exit status 1 ERROR - too few tests run (expected 6, got 5) make: *** [/tmp/qemu-test/src/tests/Makefile.include:896: check-qtest-x86_64] Error 1 make: *** Waiting for unfinished jobs.... Traceback (most recent call last): The full log is available at http://patchew.org/logs/20190703135411.28436-1-berrange@redhat.com/testing.asan/?type=message. --- Email generated automatically by Patchew [https://patchew.org/]. Please send your feedback to patchew-devel@redhat.com
Daniel P. Berrangé <berrange@redhat.com> writes: > A supposed exploit of QEMU was recently announced as CVE-2019-12928 > claiming that the monitor console was insecure because the "migrate" > comand enabled arbitrary command execution for a remote attacker. > > For this to be a flaw the user launching QEMU must have configured > the monitor in a way that allows for other userrs to access it. The > exploit report quoted use of the "tcp" character device backend for > QMP. > > This would indeed allow any network user to connect to QEMU and > execute arbitrary comamnds, however, this is not a flaw in QEMU. > It is the normal expected behaviour of the monitor console and the > commands it supports. Given a monitor connection, there are many > ways to access host filesystem content besides the migrate command. > > The reality is that the monitor console (whether QMP or HMP) is > considered a privileged interface to QEMU and as such must only > be made available to trusted users. IOW, making it available with > no authentication over TCP is simply a, very serious, user > configuration error not a security flaw in QEMU itself. Is this the sort of thing we should emit warnings for? I guess this is a philosophical question as QEMU tends to err towards being taciturn on the command line unless something is actually wrong (and not just stupid). I wouldn't expect a warning for -serial mon:stdio but maybe a non-localhost tcp chardev for o+rw socket might be worth a mention? Of course this sort of sanitising of the command line options does incur cost and complexity in our option processing. > > The one thing this bogus security report highlights though is that > we have not clearly documented the security implications around the > use of the monitor. Add a few paragraphs of text to the security > docs explaining why the monitor is a privileged interface and making > a recommendation to only use the UNIX socket character device backend. However extra clarity is always welcome, modulo typos and grammar suggestions the others have made: Reviewed-by: Alex Bennée <alex.bennee@linaro.org> > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > --- > docs/security.texi | 36 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 36 insertions(+) > > diff --git a/docs/security.texi b/docs/security.texi > index 927764f1e6..5bff01449d 100644 > --- a/docs/security.texi > +++ b/docs/security.texi > @@ -129,3 +129,39 @@ those resources that were granted to it. > system calls that are not needed by QEMU, thereby reducing the host kernel > attack surface. > @end itemize > + > +@section Sensitive configurations > + > +There are aspects of QEMU that can have non-obvious security implications > +which users & management applications must be aware of. > + > +@subsection Monitor console (QMP and HMP) > + > +The monitor console (whether used with QMP or HMP) provides an RPC interface > +to dynamically control many aspects of QEMU's runtime operation. Many of the > +commands exposed will instruct QEMU to access content on the host filesysystem > +and/or trigger spawning of external processes. > + > +For example, the @code{migrate} command allows for the spawning of arbitrary > +processes for the purpose of tunnelling the migration data stream. The > +@code{blockdev-add} command instructs QEMU to open arbitrary files, exposing > +their content to the guest as a virtual disk. > + > +Unless QEMU is otherwise confined using technologies such as SELinux, AppArmor, > +or Linux namespaces, the monitor console should be considered to have privileges > +equivalent to those of the user account QEMU is running under. > + > +It is further important to consider the security of the character device backend > +over which the monitor console is exposed. It needs to have protection against > +malicious third parties which might try to make unauthorized connections, or > +perform man-in-the-middle attacks. Many of the character device backends do not > +satisfy this requirement and so must not be used for the monitor console. > + > +The general recommendation is that the monitor console should be exposed over > +a UNIX domain socket backend to the local host only. Use of the TCP based > +character device backend is inappropriate unless configured to use both TLS > +encryption and authorization control policy on client connections. > + > +In summary the monitor console is considered a privileged control interface to > +QEMU and as such should only be made accessible to a trusted management > +application or user. -- Alex Bennée
Patchew URL: https://patchew.org/QEMU/20190703135411.28436-1-berrange@redhat.com/ Hi, This series failed the asan build test. Please find the testing commands and their output below. If you have Docker installed, you can probably reproduce it locally. === TEST SCRIPT BEGIN === #!/bin/bash make docker-image-fedora V=1 NETWORK=1 time make docker-test-debug@fedora TARGET_LIST=x86_64-softmmu J=14 NETWORK=1 === TEST SCRIPT END === PASS 1 fdc-test /x86_64/fdc/cmos PASS 2 fdc-test /x86_64/fdc/no_media_on_start PASS 3 fdc-test /x86_64/fdc/read_without_media ==7869==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 fdc-test /x86_64/fdc/media_change PASS 5 fdc-test /x86_64/fdc/sense_interrupt PASS 6 fdc-test /x86_64/fdc/relative_seek --- PASS 32 test-opts-visitor /visitor/opts/range/beyond PASS 33 test-opts-visitor /visitor/opts/dict/unvisited MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-coroutine -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-coroutine" ==7918==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-coroutine /basic/no-dangling-access PASS 2 test-coroutine /basic/lifecycle PASS 3 test-coroutine /basic/yield ==7918==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd09c35000; bottom 0x7fd3bbcf8000; size: 0x00294df3d000 (177401483264) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 4 test-coroutine /basic/nesting --- PASS 11 test-aio /aio/event/wait PASS 12 test-aio /aio/event/flush PASS 13 test-aio /aio/event/wait/no-flush-cb ==7933==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 14 test-aio /aio/timer/schedule PASS 15 test-aio /aio/coroutine/queue-chaining PASS 16 test-aio /aio-gsource/flush --- MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-aio-multithread -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-aio-multithread" PASS 13 fdc-test /x86_64/fdc/fuzz-registers PASS 1 test-aio-multithread /aio/multi/lifecycle ==7939==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/ide-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="ide-test" PASS 2 test-aio-multithread /aio/multi/schedule ==7957==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 ide-test /x86_64/ide/identify ==7968==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 test-aio-multithread /aio/multi/mutex/contended PASS 2 ide-test /x86_64/ide/flush ==7979==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 ide-test /x86_64/ide/bmdma/simple_rw ==7985==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 ide-test /x86_64/ide/bmdma/trim ==7991==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 5 ide-test /x86_64/ide/bmdma/short_prdt PASS 4 test-aio-multithread /aio/multi/mutex/handoff ==7997==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 ide-test /x86_64/ide/bmdma/one_sector_short_prdt PASS 5 test-aio-multithread /aio/multi/mutex/mcs ==8008==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 ide-test /x86_64/ide/bmdma/long_prdt PASS 6 test-aio-multithread /aio/multi/mutex/pthread ==8020==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-throttle -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-throttle" ==8020==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe8aa41000; bottom 0x7fb890daa000; size: 0x0045f9c97000 (300543471616) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 1 test-throttle /throttle/leak_bucket --- PASS 6 test-throttle /throttle/detach_attach PASS 7 test-throttle /throttle/config_functions PASS 8 test-throttle /throttle/accounting ==8027==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 9 test-throttle /throttle/groups PASS 10 test-throttle /throttle/config/enabled PASS 11 test-throttle /throttle/config/conflicting --- MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-thread-pool -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-thread-pool" PASS 1 test-thread-pool /thread-pool/submit PASS 2 test-thread-pool /thread-pool/submit-aio ==8034==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 test-thread-pool /thread-pool/submit-co PASS 4 test-thread-pool /thread-pool/submit-many PASS 9 ide-test /x86_64/ide/flush/nodev ==8105==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 ide-test /x86_64/ide/flush/empty_drive PASS 5 test-thread-pool /thread-pool/cancel ==8110==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 11 ide-test /x86_64/ide/flush/retry_pci ==8116==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 12 ide-test /x86_64/ide/flush/retry_isa PASS 6 test-thread-pool /thread-pool/cancel-async MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-hbitmap -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-hbitmap" ==8122==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-hbitmap /hbitmap/granularity PASS 2 test-hbitmap /hbitmap/size/0 PASS 3 test-hbitmap /hbitmap/size/unaligned --- PASS 10 test-hbitmap /hbitmap/set/all PASS 11 test-hbitmap /hbitmap/set/one PASS 12 test-hbitmap /hbitmap/set/two-elem ==8133==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 13 test-hbitmap /hbitmap/set/general PASS 14 test-hbitmap /hbitmap/set/twice PASS 15 test-hbitmap /hbitmap/set/overlap --- PASS 29 test-hbitmap /hbitmap/truncate/shrink/large PASS 30 test-hbitmap /hbitmap/meta/zero PASS 14 ide-test /x86_64/ide/cdrom/pio_large ==8139==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 15 ide-test /x86_64/ide/cdrom/dma MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/ahci-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="ahci-test" ==8153==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 31 test-hbitmap /hbitmap/meta/one PASS 32 test-hbitmap /hbitmap/meta/byte PASS 33 test-hbitmap /hbitmap/meta/word PASS 1 ahci-test /x86_64/ahci/sanity ==8159==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 34 test-hbitmap /hbitmap/meta/sector PASS 35 test-hbitmap /hbitmap/serialize/align PASS 2 ahci-test /x86_64/ahci/pci_spec ==8165==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 ahci-test /x86_64/ahci/pci_enable ==8171==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 ahci-test /x86_64/ahci/hba_spec PASS 36 test-hbitmap /hbitmap/serialize/basic PASS 37 test-hbitmap /hbitmap/serialize/part --- PASS 39 test-hbitmap /hbitmap/next_zero/next_zero_0 PASS 40 test-hbitmap /hbitmap/next_zero/next_zero_4 PASS 41 test-hbitmap /hbitmap/next_dirty_area/next_dirty_area_0 ==8177==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 42 test-hbitmap /hbitmap/next_dirty_area/next_dirty_area_1 PASS 43 test-hbitmap /hbitmap/next_dirty_area/next_dirty_area_4 MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-bdrv-drain -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-bdrv-drain" ==8184==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-bdrv-drain /bdrv-drain/nested PASS 2 test-bdrv-drain /bdrv-drain/multiparent PASS 3 test-bdrv-drain /bdrv-drain/set_aio_context --- PASS 37 test-bdrv-drain /bdrv-drain/detach/parent_cb PASS 38 test-bdrv-drain /bdrv-drain/detach/driver_cb PASS 39 test-bdrv-drain /bdrv-drain/attach/drain ==8202==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-bdrv-graph-mod -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-bdrv-graph-mod" ==8230==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-bdrv-graph-mod /bdrv-graph-mod/update-perm-tree PASS 2 test-bdrv-graph-mod /bdrv-graph-mod/should-update-child PASS 6 ahci-test /x86_64/ahci/identify MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-blockjob -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-blockjob" ==8237==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-blockjob /blockjob/ids PASS 2 test-blockjob /blockjob/cancel/created PASS 3 test-blockjob /blockjob/cancel/running --- PASS 6 test-blockjob /blockjob/cancel/standby PASS 7 test-blockjob /blockjob/cancel/pending PASS 8 test-blockjob /blockjob/cancel/concluded ==8235==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-blockjob-txn -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-blockjob-txn" ==8246==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-blockjob-txn /single/success PASS 2 test-blockjob-txn /single/failure PASS 3 test-blockjob-txn /single/cancel --- PASS 7 test-blockjob-txn /pair/fail-cancel-race MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-block-backend -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-block-backend" PASS 7 ahci-test /x86_64/ahci/max ==8252==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-block-backend /block-backend/drain_aio_error PASS 2 test-block-backend /block-backend/drain_all_aio_error MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-block-iothread -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-block-iothread" ==8256==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8258==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-block-iothread /sync-op/pread PASS 2 test-block-iothread /sync-op/pwrite PASS 3 test-block-iothread /sync-op/load_vmstate --- PASS 15 test-block-iothread /propagate/diamond PASS 16 test-block-iothread /propagate/mirror MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-image-locking -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-image-locking" ==8283==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-image-locking /image-locking/basic PASS 2 test-image-locking /image-locking/set-perm-abort MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-x86-cpuid -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-x86-cpuid" --- PASS 8 ahci-test /x86_64/ahci/reset PASS 6 test-xbzrle /xbzrle/encode_decode MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-vmstate -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-vmstate" ==8295==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-vmstate /vmstate/tmp_struct PASS 2 test-vmstate /vmstate/simple/primitive PASS 3 test-vmstate /vmstate/simple/array --- PASS 133 test-cutils /cutils/strtosz/erange PASS 134 test-cutils /cutils/strtosz/metric MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-shift128 -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-shift128" ==8295==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd1ce38000; bottom 0x7ff8b15fe000; size: 0x00046b83a000 (18983657472) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 1 test-shift128 /host-utils/test_lshift --- PASS 9 test-int128 /int128/int128_gt PASS 10 test-int128 /int128/int128_rshift MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/rcutorture -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="rcutorture" ==8319==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8319==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffcf6c99000; bottom 0x7f2b2e1fe000; size: 0x00d1c8a9b000 (901014728704) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 10 ahci-test /x86_64/ahci/io/pio/lba28/simple/low PASS 1 rcutorture /rcu/torture/1reader ==8340==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8340==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffffd74c000; bottom 0x7fb7959fe000; size: 0x004867d4e000 (310979649536) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 11 ahci-test /x86_64/ahci/io/pio/lba28/simple/high PASS 2 rcutorture /rcu/torture/10readers MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-rcu-list -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-rcu-list" ==8362==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8362==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd9ed63000; bottom 0x7f17129fe000; size: 0x00e68c365000 (990194847744) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 1 test-rcu-list /rcu/qlist/single-threaded PASS 12 ahci-test /x86_64/ahci/io/pio/lba28/double/zero ==8381==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 test-rcu-list /rcu/qlist/short-few ==8381==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffcfcd6d000; bottom 0x7fb2f23fe000; size: 0x004a0a96f000 (318005243904) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 13 ahci-test /x86_64/ahci/io/pio/lba28/double/low ==8408==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8408==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffccb2b4000; bottom 0x7fcb7d3fe000; size: 0x00314deb6000 (211760668672) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 14 ahci-test /x86_64/ahci/io/pio/lba28/double/high PASS 3 test-rcu-list /rcu/qlist/long-many MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-rcu-simpleq -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-rcu-simpleq" ==8414==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8414==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe6376f000; bottom 0x7fa818f7c000; size: 0x00564a7f3000 (370617036800) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 1 test-rcu-simpleq /rcu/qsimpleq/single-threaded PASS 15 ahci-test /x86_64/ahci/io/pio/lba28/long/zero ==8433==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 test-rcu-simpleq /rcu/qsimpleq/short-few ==8433==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe5bd63000; bottom 0x7fb4b0924000; size: 0x0049ab43f000 (316405968896) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 3 test-rcu-simpleq /rcu/qsimpleq/long-many MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-rcu-tailq -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-rcu-tailq" PASS 16 ahci-test /x86_64/ahci/io/pio/lba28/long/low ==8467==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-rcu-tailq /rcu/qtailq/single-threaded ==8467==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fff13bf3000; bottom 0x7fddc61fe000; size: 0x00214d9f5000 (143036207104) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 17 ahci-test /x86_64/ahci/io/pio/lba28/long/high PASS 2 test-rcu-tailq /rcu/qtailq/short-few ==8479==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 18 ahci-test /x86_64/ahci/io/pio/lba28/short/zero ==8506==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 test-rcu-tailq /rcu/qtailq/long-many MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qdist -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qdist" PASS 1 test-qdist /qdist/none --- PASS 8 test-qdist /qdist/binning/shrink MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qht -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qht" PASS 19 ahci-test /x86_64/ahci/io/pio/lba28/short/low ==8521==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 20 ahci-test /x86_64/ahci/io/pio/lba28/short/high ==8527==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8527==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffc6a0f0000; bottom 0x7f23c4ffe000; size: 0x00d8a50f2000 (930482167808) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 21 ahci-test /x86_64/ahci/io/pio/lba48/simple/zero ==8533==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8533==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd09738000; bottom 0x7f92e95fe000; size: 0x006a2013a000 (455804690432) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 22 ahci-test /x86_64/ahci/io/pio/lba48/simple/low ==8539==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8539==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffdf786f000; bottom 0x7fb972dfe000; size: 0x004484a71000 (294283317248) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 23 ahci-test /x86_64/ahci/io/pio/lba48/simple/high ==8545==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8545==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fff9f295000; bottom 0x7f47a3dfe000; size: 0x00b7fb497000 (790194909184) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 24 ahci-test /x86_64/ahci/io/pio/lba48/double/zero ==8551==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8551==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffddce19000; bottom 0x7f437cdfe000; size: 0x00ba6001b000 (800474640384) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 25 ahci-test /x86_64/ahci/io/pio/lba48/double/low ==8557==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8557==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe0994d000; bottom 0x7fc1291fe000; size: 0x003ce074f000 (261463797760) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 26 ahci-test /x86_64/ahci/io/pio/lba48/double/high ==8563==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8563==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe6e8d9000; bottom 0x7f4459dfe000; size: 0x00ba14adb000 (799210844160) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 27 ahci-test /x86_64/ahci/io/pio/lba48/long/zero ==8569==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8569==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fff646c1000; bottom 0x7feb6effe000; size: 0x0013f56c3000 (85721886720) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 28 ahci-test /x86_64/ahci/io/pio/lba48/long/low ==8575==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8575==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe726e9000; bottom 0x7f9fe3bfe000; size: 0x005e8eaeb000 (406120738816) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 1 test-qht /qht/mode/default PASS 2 test-qht /qht/mode/resize PASS 29 ahci-test /x86_64/ahci/io/pio/lba48/long/high MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qht-par -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qht-par" ==8582==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 30 ahci-test /x86_64/ahci/io/pio/lba48/short/zero PASS 1 test-qht-par /qht/parallel/2threads-0%updates-1s ==8597==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 31 ahci-test /x86_64/ahci/io/pio/lba48/short/low PASS 2 test-qht-par /qht/parallel/2threads-20%updates-1s MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-bitops -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-bitops" --- PASS 5 test-bitops /bitops/half_unshuffle32 PASS 6 test-bitops /bitops/half_unshuffle64 MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-bitcnt -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-bitcnt" ==8610==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-bitcnt /bitcnt/ctpop8 PASS 2 test-bitcnt /bitcnt/ctpop16 PASS 3 test-bitcnt /bitcnt/ctpop32 --- PASS 18 test-qemu-opts /qemu-opts/to_qdict/filtered PASS 19 test-qemu-opts /qemu-opts/to_qdict/duplicates MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-keyval -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-keyval" ==8644==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-keyval /keyval/keyval_parse PASS 2 test-keyval /keyval/keyval_parse/list PASS 3 test-keyval /keyval/visit/bool --- PASS 15 test-crypto-secret /crypto/secret/crypt/missingiv PASS 16 test-crypto-secret /crypto/secret/crypt/badiv MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-crypto-tlscredsx509 -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-crypto-tlscredsx509" ==8679==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 34 ahci-test /x86_64/ahci/io/dma/lba28/retry PASS 1 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/perfectserver PASS 2 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/perfectclient ==8694==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodca1 PASS 4 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodca2 PASS 5 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodca3 --- PASS 8 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badca3 PASS 35 ahci-test /x86_64/ahci/io/dma/lba28/simple/zero PASS 9 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver1 ==8700==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver2 PASS 11 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver3 PASS 12 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver4 PASS 36 ahci-test /x86_64/ahci/io/dma/lba28/simple/low ==8706==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 13 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver5 PASS 37 ahci-test /x86_64/ahci/io/dma/lba28/simple/high PASS 14 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver6 ==8712==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 15 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/goodserver7 PASS 16 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badserver1 PASS 17 test-crypto-tlscredsx509 /qcrypto/tlscredsx509/badserver2 --- MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-crypto-tlssession -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-crypto-tlssession" PASS 38 ahci-test /x86_64/ahci/io/dma/lba28/double/zero PASS 1 test-crypto-tlssession /qcrypto/tlssession/psk ==8723==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 39 ahci-test /x86_64/ahci/io/dma/lba28/double/low PASS 2 test-crypto-tlssession /qcrypto/tlssession/basicca ==8729==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 test-crypto-tlssession /qcrypto/tlssession/differentca PASS 4 test-crypto-tlssession /qcrypto/tlssession/altname1 PASS 5 test-crypto-tlssession /qcrypto/tlssession/altname2 PASS 40 ahci-test /x86_64/ahci/io/dma/lba28/double/high ==8735==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 test-crypto-tlssession /qcrypto/tlssession/altname3 PASS 7 test-crypto-tlssession /qcrypto/tlssession/altname4 PASS 41 ahci-test /x86_64/ahci/io/dma/lba28/long/zero ==8741==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 test-crypto-tlssession /qcrypto/tlssession/altname5 PASS 9 test-crypto-tlssession /qcrypto/tlssession/altname6 PASS 10 test-crypto-tlssession /qcrypto/tlssession/wildcard1 PASS 42 ahci-test /x86_64/ahci/io/dma/lba28/long/low PASS 11 test-crypto-tlssession /qcrypto/tlssession/wildcard2 ==8747==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 12 test-crypto-tlssession /qcrypto/tlssession/wildcard3 PASS 43 ahci-test /x86_64/ahci/io/dma/lba28/long/high PASS 13 test-crypto-tlssession /qcrypto/tlssession/wildcard4 ==8753==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 14 test-crypto-tlssession /qcrypto/tlssession/wildcard5 PASS 15 test-crypto-tlssession /qcrypto/tlssession/wildcard6 PASS 44 ahci-test /x86_64/ahci/io/dma/lba28/short/zero PASS 16 test-crypto-tlssession /qcrypto/tlssession/cachain MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qga -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qga" ==8759==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 45 ahci-test /x86_64/ahci/io/dma/lba28/short/low PASS 1 test-qga /qga/sync-delimited PASS 2 test-qga /qga/sync --- PASS 15 test-qga /qga/invalid-cmd PASS 16 test-qga /qga/invalid-args PASS 17 test-qga /qga/fsfreeze-status ==8771==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 46 ahci-test /x86_64/ahci/io/dma/lba28/short/high PASS 18 test-qga /qga/blacklist PASS 19 test-qga /qga/config PASS 20 test-qga /qga/guest-exec PASS 21 test-qga /qga/guest-exec-invalid ==8778==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 47 ahci-test /x86_64/ahci/io/dma/lba48/simple/zero PASS 22 test-qga /qga/guest-get-osinfo PASS 23 test-qga /qga/guest-get-host-name PASS 24 test-qga /qga/guest-get-timezone PASS 25 test-qga /qga/guest-get-users MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-timed-average -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-timed-average" ==8791==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-timed-average /timed-average/average MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-util-filemonitor -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-util-filemonitor" PASS 1 test-util-filemonitor /util/filemonitor --- PASS 5 test-authz-list /auth/list/explicit/deny PASS 6 test-authz-list /auth/list/explicit/allow MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-authz-listfile -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-authz-listfile" ==8826==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-authz-listfile /auth/list/complex PASS 2 test-authz-listfile /auth/list/default/deny PASS 3 test-authz-listfile /auth/list/default/allow --- PASS 4 test-io-channel-file /io/channel/pipe/sync PASS 5 test-io-channel-file /io/channel/pipe/async MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-io-channel-tls -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-io-channel-tls" ==8894==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-io-channel-tls /qio/channel/tls/basic MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-io-channel-command -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-io-channel-command" PASS 50 ahci-test /x86_64/ahci/io/dma/lba48/double/zero --- PASS 17 test-crypto-pbkdf /crypto/pbkdf/nonrfc/sha384/iter1200 PASS 18 test-crypto-pbkdf /crypto/pbkdf/nonrfc/ripemd160/iter1200 MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-crypto-ivgen -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-crypto-ivgen" ==8914==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-crypto-ivgen /crypto/ivgen/plain/1 PASS 2 test-crypto-ivgen /crypto/ivgen/plain/1f2e3d4c PASS 3 test-crypto-ivgen /crypto/ivgen/plain/1f2e3d4c5b6a7988 --- PASS 51 ahci-test /x86_64/ahci/io/dma/lba48/double/low PASS 1 test-crypto-block /crypto/block/qcow MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-logging -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-logging" ==8952==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-logging /logging/parse_range PASS 2 test-logging /logging/parse_path MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-replication -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-replication" ==8964==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-replication /replication/primary/read PASS 52 ahci-test /x86_64/ahci/io/dma/lba48/double/high PASS 2 test-replication /replication/primary/write ==8969==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 test-replication /replication/primary/start PASS 4 test-replication /replication/primary/stop PASS 5 test-replication /replication/primary/do_checkpoint PASS 6 test-replication /replication/primary/get_error_all PASS 53 ahci-test /x86_64/ahci/io/dma/lba48/long/zero ==8975==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 test-replication /replication/secondary/read PASS 54 ahci-test /x86_64/ahci/io/dma/lba48/long/low PASS 8 test-replication /replication/secondary/write ==8981==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 55 ahci-test /x86_64/ahci/io/dma/lba48/long/high ==8987==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==8964==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffd896e4000; bottom 0x7fc19e0fc000; size: 0x003beb5e8000 (257351909376) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 56 ahci-test /x86_64/ahci/io/dma/lba48/short/zero ==9011==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 9 test-replication /replication/secondary/start PASS 57 ahci-test /x86_64/ahci/io/dma/lba48/short/low ==9017==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 58 ahci-test /x86_64/ahci/io/dma/lba48/short/high ==9023==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 59 ahci-test /x86_64/ahci/io/ncq/simple ==9029==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 test-replication /replication/secondary/stop PASS 60 ahci-test /x86_64/ahci/io/ncq/retry ==9035==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 61 ahci-test /x86_64/ahci/flush/simple ==9041==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 11 test-replication /replication/secondary/do_checkpoint PASS 62 ahci-test /x86_64/ahci/flush/retry ==9047==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 12 test-replication /replication/secondary/get_error_all ==9053==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-bufferiszero -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-bufferiszero" PASS 63 ahci-test /x86_64/ahci/flush/migrate ==9066==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==9071==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 64 ahci-test /x86_64/ahci/migrate/sanity ==9080==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==9085==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 65 ahci-test /x86_64/ahci/migrate/dma/simple ==9094==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==9099==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 66 ahci-test /x86_64/ahci/migrate/dma/halted ==9108==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==9113==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 67 ahci-test /x86_64/ahci/migrate/ncq/simple PASS 1 test-bufferiszero /cutils/bufferiszero ==9122==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-uuid -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-uuid" PASS 1 test-uuid /uuid/is_null PASS 2 test-uuid /uuid/generate --- PASS 527 ptimer-test /ptimer/periodic_with_load_0 policy=wrap_after_one_period,continuous_trigger,no_immediate_reload,no_counter_rounddown,trigger_only_on_decrement, PASS 528 ptimer-test /ptimer/oneshot_with_load_0 policy=wrap_after_one_period,continuous_trigger,no_immediate_reload,no_counter_rounddown,trigger_only_on_decrement, MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qapi-util -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qapi-util" ==9132==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 test-qapi-util /qapi/util/qapi_enum_parse PASS 2 test-qapi-util /qapi/util/parse_qapi_name MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} tests/test-qgraph -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-qgraph" --- PASS 22 test-qgraph /qgraph/test_test_in_path PASS 23 test-qgraph /qgraph/test_double_edge PASS 68 ahci-test /x86_64/ahci/migrate/ncq/halted ==9153==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 69 ahci-test /x86_64/ahci/cdrom/eject ==9158==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 70 ahci-test /x86_64/ahci/cdrom/dma/single ==9164==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 71 ahci-test /x86_64/ahci/cdrom/dma/multi ==9170==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 72 ahci-test /x86_64/ahci/cdrom/pio/single ==9176==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==9176==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffdef5ad000; bottom 0x7f8338554000; size: 0x007ab7059000 (527056605184) False positive error reports may follow For details see https://github.com/google/sanitizers/issues/189 PASS 73 ahci-test /x86_64/ahci/cdrom/pio/multi ==9182==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 74 ahci-test /x86_64/ahci/cdrom/pio/bcl MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/hd-geo-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="hd-geo-test" PASS 1 hd-geo-test /x86_64/hd-geo/ide/none ==9196==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 hd-geo-test /x86_64/hd-geo/ide/drive/cd_0 ==9202==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 hd-geo-test /x86_64/hd-geo/ide/drive/mbr/blank ==9208==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 hd-geo-test /x86_64/hd-geo/ide/drive/mbr/lba ==9214==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 5 hd-geo-test /x86_64/hd-geo/ide/drive/mbr/chs ==9220==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 hd-geo-test /x86_64/hd-geo/ide/device/mbr/blank ==9226==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 hd-geo-test /x86_64/hd-geo/ide/device/mbr/lba ==9232==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 hd-geo-test /x86_64/hd-geo/ide/device/mbr/chs ==9238==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 9 hd-geo-test /x86_64/hd-geo/ide/device/user/chs ==9243==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 hd-geo-test /x86_64/hd-geo/ide/device/user/chst MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/boot-order-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="boot-order-test" PASS 1 boot-order-test /x86_64/boot-order/pc --- Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9311==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 bios-tables-test /x86_64/acpi/piix4 Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9317==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 bios-tables-test /x86_64/acpi/q35 Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9323==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 bios-tables-test /x86_64/acpi/piix4/bridge Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9329==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 bios-tables-test /x86_64/acpi/piix4/ipmi Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9335==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 5 bios-tables-test /x86_64/acpi/piix4/cpuhp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9342==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 bios-tables-test /x86_64/acpi/piix4/memhp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9348==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 bios-tables-test /x86_64/acpi/piix4/numamem Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9354==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 bios-tables-test /x86_64/acpi/piix4/dimmpxm Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9363==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 9 bios-tables-test /x86_64/acpi/q35/bridge Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9369==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 10 bios-tables-test /x86_64/acpi/q35/mmio64 Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9375==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 11 bios-tables-test /x86_64/acpi/q35/ipmi Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9381==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 12 bios-tables-test /x86_64/acpi/q35/cpuhp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9388==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 13 bios-tables-test /x86_64/acpi/q35/memhp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9394==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 14 bios-tables-test /x86_64/acpi/q35/numamem Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9400==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 15 bios-tables-test /x86_64/acpi/q35/dimmpxm MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/boot-serial-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="boot-serial-test" PASS 1 boot-serial-test /x86_64/boot-serial/isapc --- PASS 1 i440fx-test /x86_64/i440fx/defaults PASS 2 i440fx-test /x86_64/i440fx/pam PASS 3 i440fx-test /x86_64/i440fx/firmware/bios ==9484==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 i440fx-test /x86_64/i440fx/firmware/pflash MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/fw_cfg-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="fw_cfg-test" PASS 1 fw_cfg-test /x86_64/fw_cfg/signature --- MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/drive_del-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="drive_del-test" PASS 1 drive_del-test /x86_64/drive_del/without-dev PASS 2 drive_del-test /x86_64/drive_del/after_failed_device_add ==9572==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 drive_del-test /x86_64/blockdev/drive_del_device_del MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/wdt_ib700-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="wdt_ib700-test" PASS 1 wdt_ib700-test /x86_64/wdt_ib700/pause --- PASS 1 usb-hcd-uhci-test /x86_64/uhci/pci/init PASS 2 usb-hcd-uhci-test /x86_64/uhci/pci/port1 PASS 3 usb-hcd-uhci-test /x86_64/uhci/pci/hotplug ==9767==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 usb-hcd-uhci-test /x86_64/uhci/pci/hotplug/usb-storage MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/usb-hcd-xhci-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="usb-hcd-xhci-test" PASS 1 usb-hcd-xhci-test /x86_64/xhci/pci/init PASS 2 usb-hcd-xhci-test /x86_64/xhci/pci/hotplug ==9776==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 usb-hcd-xhci-test /x86_64/xhci/pci/hotplug/usb-uas PASS 4 usb-hcd-xhci-test /x86_64/xhci/pci/hotplug/usb-ccid MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/cpu-plug-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="cpu-plug-test" --- Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9882==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 1 vmgenid-test /x86_64/vmgenid/vmgenid/set-guid Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9888==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 vmgenid-test /x86_64/vmgenid/vmgenid/set-guid-auto Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9894==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 vmgenid-test /x86_64/vmgenid/vmgenid/query-monitor MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/tpm-crb-swtpm-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="tpm-crb-swtpm-test" SKIP 1 tpm-crb-swtpm-test /x86_64/tpm/crb-swtpm/test # SKIP swtpm not in PATH or missing --tpm2 support --- Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==9999==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10004==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 3 migration-test /x86_64/migration/fd_proto Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10012==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10017==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 4 migration-test /x86_64/migration/postcopy/unix PASS 5 migration-test /x86_64/migration/postcopy/recovery Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10047==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10052==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 6 migration-test /x86_64/migration/precopy/unix Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10061==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10066==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 7 migration-test /x86_64/migration/precopy/tcp Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10075==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! Could not access KVM kernel module: No such file or directory qemu-system-x86_64: failed to initialize KVM: No such file or directory qemu-system-x86_64: Back to tcg accelerator ==10080==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 8 migration-test /x86_64/migration/xbzrle/unix MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/test-x86-cpuid-compat -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="test-x86-cpuid-compat" PASS 1 test-x86-cpuid-compat /x86/cpuid/parsing-plus-minus --- PASS 6 numa-test /x86_64/numa/pc/dynamic/cpu MALLOC_PERTURB_=${MALLOC_PERTURB_:-$(( ${RANDOM:-0} % 255 + 1))} QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 QTEST_QEMU_IMG=qemu-img tests/qmp-test -m=quick -k --tap < /dev/null | ./scripts/tap-driver.pl --test-name="qmp-test" PASS 1 qmp-test /x86_64/qmp/protocol ==10409==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! PASS 2 qmp-test /x86_64/qmp/oob PASS 3 qmp-test /x86_64/qmp/preconfig PASS 4 qmp-test /x86_64/qmp/missing-any-arg --- PASS 5 device-introspect-test /x86_64/device/introspect/abstract-interfaces ================================================================= ==10657==ERROR: LeakSanitizer: detected memory leaks Direct leak of 32 byte(s) in 1 object(s) allocated from: #0 0x557397185b6e in calloc (/tmp/qemu-test/build/x86_64-softmmu/qemu-system-x86_64+0x19f9b6e) --- SUMMARY: AddressSanitizer: 64 byte(s) leaked in 2 allocation(s). /tmp/qemu-test/src/tests/libqtest.c:137: kill_qemu() tried to terminate QEMU process but encountered exit status 1 ERROR - too few tests run (expected 6, got 5) make: *** [/tmp/qemu-test/src/tests/Makefile.include:896: check-qtest-x86_64] Error 1 make: *** Waiting for unfinished jobs.... Traceback (most recent call last): The full log is available at http://patchew.org/logs/20190703135411.28436-1-berrange@redhat.com/testing.asan/?type=message. --- Email generated automatically by Patchew [https://patchew.org/]. Please send your feedback to patchew-devel@redhat.com
On Wed, Jul 03, 2019 at 10:56:05PM +0100, Alex Bennée wrote: > > Daniel P. Berrangé <berrange@redhat.com> writes: > > > A supposed exploit of QEMU was recently announced as CVE-2019-12928 > > claiming that the monitor console was insecure because the "migrate" > > comand enabled arbitrary command execution for a remote attacker. > > > > For this to be a flaw the user launching QEMU must have configured > > the monitor in a way that allows for other userrs to access it. The > > exploit report quoted use of the "tcp" character device backend for > > QMP. > > > > This would indeed allow any network user to connect to QEMU and > > execute arbitrary comamnds, however, this is not a flaw in QEMU. > > It is the normal expected behaviour of the monitor console and the > > commands it supports. Given a monitor connection, there are many > > ways to access host filesystem content besides the migrate command. > > > > The reality is that the monitor console (whether QMP or HMP) is > > considered a privileged interface to QEMU and as such must only > > be made available to trusted users. IOW, making it available with > > no authentication over TCP is simply a, very serious, user > > configuration error not a security flaw in QEMU itself. > > Is this the sort of thing we should emit warnings for? I guess this is a > philosophical question as QEMU tends to err towards being taciturn on > the command line unless something is actually wrong (and not just > stupid). > > I wouldn't expect a warning for -serial mon:stdio but maybe a > non-localhost tcp chardev for o+rw socket might be worth a mention? Of > course this sort of sanitising of the command line options does incur > cost and complexity in our option processing. The challenge with issuing warnings is ensuring that we don't give false positives, and that's pretty much impossible IMHO. Even use of plain non-localhost TCP chardevs can be valid in some circumstances. For example it would not be surprising to see it used if QEMU was inside a Kubernetes container, as two containers can communicate with each other over IP & rely on Kubernetes networking layer to provide security Regards, Daniel
Daniel P. Berrangé <berrange@redhat.com> writes: > On Wed, Jul 03, 2019 at 10:56:05PM +0100, Alex Bennée wrote: >> >> Daniel P. Berrangé <berrange@redhat.com> writes: <snip> >> > The reality is that the monitor console (whether QMP or HMP) is >> > considered a privileged interface to QEMU and as such must only >> > be made available to trusted users. IOW, making it available with >> > no authentication over TCP is simply a, very serious, user >> > configuration error not a security flaw in QEMU itself. >> >> Is this the sort of thing we should emit warnings for? I guess this is a >> philosophical question as QEMU tends to err towards being taciturn on >> the command line unless something is actually wrong (and not just >> stupid). >> >> I wouldn't expect a warning for -serial mon:stdio but maybe a >> non-localhost tcp chardev for o+rw socket might be worth a mention? Of >> course this sort of sanitising of the command line options does incur >> cost and complexity in our option processing. > > The challenge with issuing warnings is ensuring that we don't give > false positives, and that's pretty much impossible IMHO. > > Even use of plain non-localhost TCP chardevs can be valid in some > circumstances. For example it would not be surprising to see it > used if QEMU was inside a Kubernetes container, as two containers > can communicate with each other over IP & rely on Kubernetes > networking layer to provide security That's certainly a valid setup - you're right this is really a policy question. Oh well I guess if your serious about security you read the documentation before going to production right ;-) I assume libvirt et all strive to use secure configurations by default? > > Regards, > Daniel -- Alex Bennée
On Thu, Jul 04, 2019 at 10:16:20AM +0100, Alex Bennée wrote: > > Daniel P. Berrangé <berrange@redhat.com> writes: > > > On Wed, Jul 03, 2019 at 10:56:05PM +0100, Alex Bennée wrote: > >> > >> Daniel P. Berrangé <berrange@redhat.com> writes: > <snip> > >> > The reality is that the monitor console (whether QMP or HMP) is > >> > considered a privileged interface to QEMU and as such must only > >> > be made available to trusted users. IOW, making it available with > >> > no authentication over TCP is simply a, very serious, user > >> > configuration error not a security flaw in QEMU itself. > >> > >> Is this the sort of thing we should emit warnings for? I guess this is a > >> philosophical question as QEMU tends to err towards being taciturn on > >> the command line unless something is actually wrong (and not just > >> stupid). > >> > >> I wouldn't expect a warning for -serial mon:stdio but maybe a > >> non-localhost tcp chardev for o+rw socket might be worth a mention? Of > >> course this sort of sanitising of the command line options does incur > >> cost and complexity in our option processing. > > > > The challenge with issuing warnings is ensuring that we don't give > > false positives, and that's pretty much impossible IMHO. > > > > Even use of plain non-localhost TCP chardevs can be valid in some > > circumstances. For example it would not be surprising to see it > > used if QEMU was inside a Kubernetes container, as two containers > > can communicate with each other over IP & rely on Kubernetes > > networking layer to provide security > > That's certainly a valid setup - you're right this is really a policy > question. Oh well I guess if your serious about security you read the > documentation before going to production right ;-) > > I assume libvirt et all strive to use secure configurations by default? Yes, libvirt exclusively uses a UNIX domain socket for the monitor, and of course even if we used a TCP socket, the SELinux/AppArmour policy will block any attempts at elevating privs via QMP commands that spawn processes or try to access arbitrary files. Regards, Daniel
Daniel P. Berrangé <berrange@redhat.com> writes: > On Thu, Jul 04, 2019 at 10:16:20AM +0100, Alex Bennée wrote: >> >> Daniel P. Berrangé <berrange@redhat.com> writes: >> >> > On Wed, Jul 03, 2019 at 10:56:05PM +0100, Alex Bennée wrote: >> >> >> >> Daniel P. Berrangé <berrange@redhat.com> writes: >> <snip> >> >> > The reality is that the monitor console (whether QMP or HMP) is >> >> > considered a privileged interface to QEMU and as such must only >> >> > be made available to trusted users. IOW, making it available with >> >> > no authentication over TCP is simply a, very serious, user >> >> > configuration error not a security flaw in QEMU itself. >> >> >> >> Is this the sort of thing we should emit warnings for? I guess this is a >> >> philosophical question as QEMU tends to err towards being taciturn on >> >> the command line unless something is actually wrong (and not just >> >> stupid). >> >> >> >> I wouldn't expect a warning for -serial mon:stdio but maybe a >> >> non-localhost tcp chardev for o+rw socket might be worth a mention? Of >> >> course this sort of sanitising of the command line options does incur >> >> cost and complexity in our option processing. >> > >> > The challenge with issuing warnings is ensuring that we don't give >> > false positives, and that's pretty much impossible IMHO. >> > >> > Even use of plain non-localhost TCP chardevs can be valid in some >> > circumstances. For example it would not be surprising to see it >> > used if QEMU was inside a Kubernetes container, as two containers >> > can communicate with each other over IP & rely on Kubernetes >> > networking layer to provide security >> >> That's certainly a valid setup - you're right this is really a policy >> question. Oh well I guess if your serious about security you read the >> documentation before going to production right ;-) >> >> I assume libvirt et all strive to use secure configurations by default? > > Yes, libvirt exclusively uses a UNIX domain socket for the monitor, and > of course even if we used a TCP socket, the SELinux/AppArmour policy > will block any attempts at elevating privs via QMP commands that spawn > processes or try to access arbitrary files. Maybe this would make a good topic for a QEMU blog post? -- Alex Bennée
Daniel P. Berrangé <berrange@redhat.com> writes: > A supposed exploit of QEMU was recently announced as CVE-2019-12928 > claiming that the monitor console was insecure because the "migrate" > comand enabled arbitrary command execution for a remote attacker. > > For this to be a flaw the user launching QEMU must have configured > the monitor in a way that allows for other userrs to access it. The > exploit report quoted use of the "tcp" character device backend for > QMP. > > This would indeed allow any network user to connect to QEMU and > execute arbitrary comamnds, however, this is not a flaw in QEMU. > It is the normal expected behaviour of the monitor console and the > commands it supports. Given a monitor connection, there are many > ways to access host filesystem content besides the migrate command. > > The reality is that the monitor console (whether QMP or HMP) is > considered a privileged interface to QEMU and as such must only > be made available to trusted users. IOW, making it available with > no authentication over TCP is simply a, very serious, user > configuration error not a security flaw in QEMU itself. https://xkcd.com/2166/ > The one thing this bogus security report highlights though is that > we have not clearly documented the security implications around the > use of the monitor. Add a few paragraphs of text to the security > docs explaining why the monitor is a privileged interface and making > a recommendation to only use the UNIX socket character device backend. Good idea. > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > --- > docs/security.texi | 36 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 36 insertions(+) > > diff --git a/docs/security.texi b/docs/security.texi > index 927764f1e6..5bff01449d 100644 > --- a/docs/security.texi > +++ b/docs/security.texi > @@ -129,3 +129,39 @@ those resources that were granted to it. > system calls that are not needed by QEMU, thereby reducing the host kernel > attack surface. > @end itemize > + > +@section Sensitive configurations > + > +There are aspects of QEMU that can have non-obvious security implications Is calling the implications "non-obvious" useful? One guy's "non-obvious" can be the next guy's "trivial"... > +which users & management applications must be aware of. > + > +@subsection Monitor console (QMP and HMP) > + > +The monitor console (whether used with QMP or HMP) provides an RPC interface "RPC" is unnecessary detail I find distracting (and not entirely fitting besides). Please scratch it. > +to dynamically control many aspects of QEMU's runtime operation. Many of the > +commands exposed will instruct QEMU to access content on the host filesysystem > +and/or trigger spawning of external processes. > + > +For example, the @code{migrate} command allows for the spawning of arbitrary > +processes for the purpose of tunnelling the migration data stream. The > +@code{blockdev-add} command instructs QEMU to open arbitrary files, exposing > +their content to the guest as a virtual disk. > + > +Unless QEMU is otherwise confined using technologies such as SELinux, AppArmor, > +or Linux namespaces, the monitor console should be considered to have privileges > +equivalent to those of the user account QEMU is running under. > + > +It is further important to consider the security of the character device backend > +over which the monitor console is exposed. It needs to have protection against > +malicious third parties which might try to make unauthorized connections, or > +perform man-in-the-middle attacks. Many of the character device backends do not > +satisfy this requirement and so must not be used for the monitor console. > + > +The general recommendation is that the monitor console should be exposed over > +a UNIX domain socket backend to the local host only. Use of the TCP based > +character device backend is inappropriate unless configured to use both TLS > +encryption and authorization control policy on client connections. > + > +In summary the monitor console is considered a privileged control interface to > +QEMU and as such should only be made accessible to a trusted management > +application or user. With "RPC" scratched: Reviewed-by: Markus Armbruster <armbru@redhat.com>
diff --git a/docs/security.texi b/docs/security.texi index 927764f1e6..5bff01449d 100644 --- a/docs/security.texi +++ b/docs/security.texi @@ -129,3 +129,39 @@ those resources that were granted to it. system calls that are not needed by QEMU, thereby reducing the host kernel attack surface. @end itemize + +@section Sensitive configurations + +There are aspects of QEMU that can have non-obvious security implications +which users & management applications must be aware of. + +@subsection Monitor console (QMP and HMP) + +The monitor console (whether used with QMP or HMP) provides an RPC interface +to dynamically control many aspects of QEMU's runtime operation. Many of the +commands exposed will instruct QEMU to access content on the host filesysystem +and/or trigger spawning of external processes. + +For example, the @code{migrate} command allows for the spawning of arbitrary +processes for the purpose of tunnelling the migration data stream. The +@code{blockdev-add} command instructs QEMU to open arbitrary files, exposing +their content to the guest as a virtual disk. + +Unless QEMU is otherwise confined using technologies such as SELinux, AppArmor, +or Linux namespaces, the monitor console should be considered to have privileges +equivalent to those of the user account QEMU is running under. + +It is further important to consider the security of the character device backend +over which the monitor console is exposed. It needs to have protection against +malicious third parties which might try to make unauthorized connections, or +perform man-in-the-middle attacks. Many of the character device backends do not +satisfy this requirement and so must not be used for the monitor console. + +The general recommendation is that the monitor console should be exposed over +a UNIX domain socket backend to the local host only. Use of the TCP based +character device backend is inappropriate unless configured to use both TLS +encryption and authorization control policy on client connections. + +In summary the monitor console is considered a privileged control interface to +QEMU and as such should only be made accessible to a trusted management +application or user.
A supposed exploit of QEMU was recently announced as CVE-2019-12928 claiming that the monitor console was insecure because the "migrate" comand enabled arbitrary command execution for a remote attacker. For this to be a flaw the user launching QEMU must have configured the monitor in a way that allows for other userrs to access it. The exploit report quoted use of the "tcp" character device backend for QMP. This would indeed allow any network user to connect to QEMU and execute arbitrary comamnds, however, this is not a flaw in QEMU. It is the normal expected behaviour of the monitor console and the commands it supports. Given a monitor connection, there are many ways to access host filesystem content besides the migrate command. The reality is that the monitor console (whether QMP or HMP) is considered a privileged interface to QEMU and as such must only be made available to trusted users. IOW, making it available with no authentication over TCP is simply a, very serious, user configuration error not a security flaw in QEMU itself. The one thing this bogus security report highlights though is that we have not clearly documented the security implications around the use of the monitor. Add a few paragraphs of text to the security docs explaining why the monitor is a privileged interface and making a recommendation to only use the UNIX socket character device backend. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- docs/security.texi | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+)