QEMU-KVM / detect_zeroes causes KVM to start unlimited number of threads on Guest-Sided High-IO with big Blocksize
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
QEMU |
Invalid
|
Undecided
|
Unassigned | ||
Ubuntu |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
QEMU-KVM in combination with "detect_zeroes=on" makes a Guest able to DoS the Host. This is possible if the Host itself has "detect_zeroes" enabled and the Guest writes a large Chunk of data with a huge blocksize onto the drive.
E.g.: dd if=/dev/zero of=/tmp/DoS bs=1G count=1 oflag=direct
All QEMU-Versions after implementation of detect_zeroes are affected. Prior are unaffected. This is absolutely critical, please fix this ASAP!
#####
Provided by Dominik Csapak:
source , bs , count , O_DIRECT, behaviour
urandom , bs 1M, count 1024, O_DIRECT: OK
file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1M, count 1024, O_DIRECT: OK
zero file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1G, count 1, O_DIRECT: NOT OK
zero file , bs 1G, count 1, O_DIRECT: NOT OK
zero file , bs 1G, count 1, no O_DIRECT: NOT OK
rand file , bs 1G, count 1, O_DIRECT: OK
rand file , bs 1G, count 1, no O_DIRECT: OK
discard on:
urandom , bs 1M, count 1024, O_DIRECT: OK
rand file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1M, count 1024, O_DIRECT: OK
zero file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1G, count 1, O_DIRECT: NOT OK
zero file , bs 1G, count 1, O_DIRECT: NOT OK
zero file , bs 1G, count 1, no O_DIRECT: NOT OK
rand file , bs 1G, count 1, O_DIRECT: OK
rand file , bs 1G, count 1, no O_DIRECT: OK
detect_zeros off:
urandom , bs 1M, count 1024, O_DIRECT: OK
rand file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1M, count 1024, O_DIRECT: OK
zero file , bs 1M, count 1024, O_DIRECT: OK
/dev/zero , bs 1G, count 1, O_DIRECT: OK
zero file , bs 1G, count 1, O_DIRECT: OK
zero file , bs 1G, count 1, no O_DIRECT: OK
rand file , bs 1G, count 1, O_DIRECT: OK
rand file , bs 1G, count 1, no O_DIRECT: OK
#####
Provided by Florian Strankowski
bs - count - io-threads
512K - 2048 - 2
1M - 1024 - 2
2M - 512 - 4
4M - 256 - 6
8M - 128 - 10
16M - 64 - 18
32M - 32 - uncountable
Please refer to further information here:
information type: | Public → Public Security |
information type: | Public Security → Private Security |
information type: | Private Security → Public Security |
Changed in qemu: | |
status: | New → Confirmed |
Sorry ab out the visibility settings, this bugtracker drives me nuts.