Message ID | 20230627160943.2956928-36-alex.bennee@linaro.org |
---|---|
State | Superseded |
Series | maintainer omnibus: testing, fuzz, plugins, documentation, gdbstub (pre-PR) |

On 27/6/23 18:09, Alex Bennée wrote:
> From: Ilya Leoshkevich <iii@linux.ibm.com>
>
> Now that the GDB stub explicitly implements reading host files (note
> that it was already possible by changing the emulated code to open and
> read those files), concerns may arise that it undermines security.
>
> Document the status quo, which is that the users are already
> responsible for securing the GDB connection themselves.
>
> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
> Message-Id: <20230621203627.1808446-8-iii@linux.ibm.com>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> ---
> docs/system/gdb.rst | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

diff --git a/docs/system/gdb.rst b/docs/system/gdb.rst index 7d3718deef..9906991b84 100644 --- a/docs/system/gdb.rst +++ b/docs/system/gdb.rst @@ -214,3 +214,18 @@ The memory mode can be checked by sending the following command: ``maintenance packet Qqemu.PhyMemMode:0`` This will change it back to normal memory mode. + +Security considerations +======================= + +Connecting to the GDB socket allows running arbitrary code inside the guest; +in case of the TCG emulation, which is not considered a security boundary, this +also means running arbitrary code on the host. Additionally, when debugging +qemu-user, it allows directly downloading any file readable by QEMU from the +host. + +The GDB socket is not protected by authentication, authorization or encryption. +It is therefore a responsibility of the user to make sure that only authorized +clients can connect to it, e.g., by using a unix socket with proper +permissions, or by opening a TCP socket only on interfaces that are not +reachable by potential attackers.
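
Review bot: The first added paragraph ties host code execution to "in case of the TCG emulation" and then stops, so it leaves open what exposure is assumed when TCG is not in use; one more clause stating that explicitly would keep readers from inferring that the socket is safe to expose in the other case. In the second paragraph, "a unix socket with proper permissions" and "a TCP socket only on interfaces that are not reachable by potential attackers" name the mitigations without showing how to apply them, so a concrete invocation or a cross-reference within gdb.rst would make the advice actionable. Wording: "It is therefore a responsibility of the user" reads better as "It is therefore the responsibility of the user", and "in case of the TCG emulation" as "in the case of TCG emulation". Because the section is appended at the very end of the file, after the PhyMemMode text, a short pointer to it from wherever the GDB socket is first introduced would help readers reach it before they open the socket.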