Vladimir Sementsov-Ogievskiy
2022-Dec-16 19:32 UTC
[Libguestfs] [PATCH v2 1/6] spec: Recommend cap on NBD_REPLY_TYPE_BLOCK_STATUS length
On 11/15/22 01:46, Eric Blake wrote:> The spec was silent on how many extents a server could reply with. > However, both qemu and nbdkit (the two server implementations known to > have implemented the NBD_CMD_BLOCK_STATUS extension) implement a hard > cap, and will truncate the amount of extents in a reply to avoid > sending a client a reply so large that the client would treat it as a > denial of service attack. Clients currently have no way during > negotiation to request such a limit of the server, so it is easier to > just document this as a restriction on viable server implementations > than to add yet another round of handshaking. Also, mentioning > amplification effects is worthwhile. > > When qemu first implemented NBD_CMD_BLOCK_STATUS for the > base:allocation context (qemu commit e7b1948d51, Mar 2018), it behaved > as if NBD_CMD_FLAG_REQ_ONE were always passed by the client, and never > responded with more than one extent. Later, when adding its > qemu:dirty-bitmap:XYZ context extension (qemu commit 3d068aff16, Jun > 2018), it added a cap to 128k extents (1M+4 bytes), and that cap was > applied to base:allocation once qemu started sending multiple extents > for that context as well (qemu commit fb7afc797e, Jul 2018). Qemu > extents are never smaller than 512 bytes (other than an exception at > the end of a file whose size is not aligned to 512), but even so, a > request for just under 4G of block status could produce 8M extents, > resulting in a reply of 64M if it were not capped smaller. > > When nbdkit first implemented NBD_CMD_BLOCK_STATUS (nbdkit 4ca66f70a5, > Mar 2019), it did not impose any restriction on the number of extents > in the reply chunk. But because it allows extents as small as one > byte, it is easy to write a server that can amplify a client's request > of status over 1M of the image into a reply over 8M in size, and it > was very easy to demonstrate that a hard cap was needed to avoid > crashing clients or otherwise killing the connection (a bad server > impacting the client negatively). So nbdkit enforced a bound of 1M > extents (8M+4 bytes, nbdkit commit 6e0dc839ea, Jun 2019). [Unrelated > to this patch, but worth noting for history: nbdkit's situation also > has to deal with the fact that it is designed for plugin server > implementations; and not capping the number of extents in a reply also > posed a problem to nbdkit as the server, where a plugin could exhaust > memory and kill the server, unrelated to any size constraints enforced > by a client.] > > Since the limit chosen by these two implementations is different, and > since nbdkit has versions that were not limited, add this as a SHOULD > NOT instead of MUST NOT constraint on servers implementing block > status. It does not matter that qemu picked a smaller limit that it > truncates to, since we have already documented that the server may > truncate for other reasons (such as it being inefficient to collect > that many extents in the first place). But documenting the limit now > becomes even more important in the face of a future addition of 64-bit > requests, where a client's request is no longer bounded to 4G and > could thereby produce even more than 8M extents for the corner case > when every 512 bytes is a new extent, if it were not for this > recommendation.s-o-b line missed. Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov at yandex-team.ru> -- Best regards, Vladimir
Eric Blake
2023-Mar-03 22:17 UTC
[Libguestfs] [PATCH v2 1/6] spec: Recommend cap on NBD_REPLY_TYPE_BLOCK_STATUS length
On Fri, Dec 16, 2022 at 10:32:01PM +0300, Vladimir Sementsov-Ogievskiy wrote:> On 11/15/22 01:46, Eric Blake wrote: > > The spec was silent on how many extents a server could reply with. > > However, both qemu and nbdkit (the two server implementations known to > > have implemented the NBD_CMD_BLOCK_STATUS extension) implement a hard > > cap, and will truncate the amount of extents in a reply to avoid > > sending a client a reply so large that the client would treat it as a > > denial of service attack. Clients currently have no way during > > negotiation to request such a limit of the server, so it is easier to > > just document this as a restriction on viable server implementations > > than to add yet another round of handshaking. Also, mentioning > > amplification effects is worthwhile. > > > > When qemu first implemented NBD_CMD_BLOCK_STATUS for the > > base:allocation context (qemu commit e7b1948d51, Mar 2018), it behaved > > as if NBD_CMD_FLAG_REQ_ONE were always passed by the client, and never > > responded with more than one extent. Later, when adding its > > qemu:dirty-bitmap:XYZ context extension (qemu commit 3d068aff16, Jun > > 2018), it added a cap to 128k extents (1M+4 bytes), and that cap was > > applied to base:allocation once qemu started sending multiple extents > > for that context as well (qemu commit fb7afc797e, Jul 2018). Qemu > > extents are never smaller than 512 bytes (other than an exception at > > the end of a file whose size is not aligned to 512), but even so, a > > request for just under 4G of block status could produce 8M extents, > > resulting in a reply of 64M if it were not capped smaller. > > > > When nbdkit first implemented NBD_CMD_BLOCK_STATUS (nbdkit 4ca66f70a5, > > Mar 2019), it did not impose any restriction on the number of extents > > in the reply chunk. But because it allows extents as small as one > > byte, it is easy to write a server that can amplify a client's request > > of status over 1M of the image into a reply over 8M in size, and it > > was very easy to demonstrate that a hard cap was needed to avoid > > crashing clients or otherwise killing the connection (a bad server > > impacting the client negatively). So nbdkit enforced a bound of 1M > > extents (8M+4 bytes, nbdkit commit 6e0dc839ea, Jun 2019). [Unrelated > > to this patch, but worth noting for history: nbdkit's situation also > > has to deal with the fact that it is designed for plugin server > > implementations; and not capping the number of extents in a reply also > > posed a problem to nbdkit as the server, where a plugin could exhaust > > memory and kill the server, unrelated to any size constraints enforced > > by a client.] > > > > Since the limit chosen by these two implementations is different, and > > since nbdkit has versions that were not limited, add this as a SHOULD > > NOT instead of MUST NOT constraint on servers implementing block > > status. It does not matter that qemu picked a smaller limit that it > > truncates to, since we have already documented that the server may > > truncate for other reasons (such as it being inefficient to collect > > that many extents in the first place). But documenting the limit now > > becomes even more important in the face of a future addition of 64-bit > > requests, where a client's request is no longer bounded to 4G and > > could thereby produce even more than 8M extents for the corner case > > when every 512 bytes is a new extent, if it were not for this > > recommendation. > > s-o-b line missed.I'm not sure if the NBD project has a strict policy on including one, but I don't mind adding it.> > > Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov at yandex-team.ru> > > -- > Best regards, > Vladimir >-- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3266 Virtualization: qemu.org | libvirt.org
Apparently Analagous Threads
- [PATCH v2 1/6] spec: Recommend cap on NBD_REPLY_TYPE_BLOCK_STATUS length
- [PATCH v2 1/6] spec: Recommend cap on NBD_REPLY_TYPE_BLOCK_STATUS length
- Re: nbdkit & qemu 2.12: qemu-img: Protocol error: simple reply when structured reply chunk was expected
- nbdkit & qemu 2.12: qemu-img: Protocol error: simple reply when structured reply chunk was expected
- Re: nbdkit & qemu 2.12: qemu-img: Protocol error: simple reply when structured reply chunk was expected