* Paolo Bonzini (pbonz...@redhat.com) wrote:
> On 15/11/2017 13:51, Daniel P. Berrange wrote:
> > If you're concerned that someone is tampering with QEMU state
> > in transit during migration, then you're going to end up playing
> > whack-a-mole across the entire QEMU codebase IMHO. The answer
> > to the problem of tampering is to have encryption of the
> > migration data stream between both QEMU's. Thus QEMU on the
> > target merely has to trust QEMU on the source. If QEMU on the
> > source is itself compromised you've already lost and migration
> > won't make life any worse.
> >
> This is not entirely true. A lot of such cases were fixed in the past,
> especially when they could cause out-of-bounds access. Someone could
> provide a bad migration stream (e.g. as a fake bug report!), so
> migration data should not be considered trusted.

There are probably others, to be honest; it's not something we've
traditionally been careful of.

> However, PJP's patch breaks migration by changing a 4-byte field to
> 1-byte. The correct fix is to range-check the fields in
> ps2_common_post_load.

Agreed.

Dave

> Thanks,
>
> Paolo
>

--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
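As an added illustration of the range-check approach discussed above (example code, not QEMU's own ps2_common_post_load and not written by anyone in this thread): a simplified post_load-style validator over a constructed PS/2 queue state. The struct, the field names, the queue size and the 12-byte stream layout are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>

/* Simplified, constructed mirror of a PS/2 device's migratable queue
 * state. Field names and size are assumptions for this example. */
#define PS2_QUEUE_SIZE 256

typedef struct {
    uint8_t data[PS2_QUEUE_SIZE];
    int32_t rptr;   /* read index into data[] */
    int32_t wptr;   /* write index into data[] */
    int32_t count;  /* bytes currently queued */
} PS2Queue;

/* Decode a 4-byte big-endian signed field as it arrives from the
 * migration stream. No validation here: the value is whatever the
 * peer sent, so it must be checked before it is used as an index. */
static int32_t be32_field(const uint8_t *p)
{
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3]);
}

/* post_load-style validator: bound every index loaded from the stream
 * instead of narrowing the field width (which breaks migration).
 * Returns 0 when the state is safe to use, -EINVAL otherwise. */
static int ps2_queue_post_load_check(const PS2Queue *q)
{
    if (q->rptr < 0 || q->rptr >= PS2_QUEUE_SIZE) return -EINVAL;
    if (q->wptr < 0 || q->wptr >= PS2_QUEUE_SIZE) return -EINVAL;
    if (q->count < 0 || q->count > PS2_QUEUE_SIZE) return -EINVAL;
    /* count must agree with the ring distance; distance 0 is empty or full */
    int32_t dist = (q->wptr - q->rptr) & (PS2_QUEUE_SIZE - 1);
    if (dist != 0 && q->count != dist) return -EINVAL;
    if (dist == 0 && q->count != 0 && q->count != PS2_QUEUE_SIZE) return -EINVAL;
    return 0;
}

/* Load the three 4-byte fields from a 12-byte stream fragment (assumed
 * layout: rptr, wptr, count) and validate them before use. */
static int ps2_queue_load(PS2Queue *q, const uint8_t stream[12])
{
    q->rptr  = be32_field(stream);
    q->wptr  = be32_field(stream + 4);
    q->count = be32_field(stream + 8);
    return ps2_queue_post_load_check(q);
}
```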