403Webshell
Server IP : 172.67.134.114  /  Your IP : 162.159.115.41
Web Server : Apache/2.4.37
System : Linux almalinux.duckdns.org 4.18.0-553.111.1.el8_10.x86_64 #1 SMP Sun Mar 8 20:06:07 EDT 2026 x86_64
User : ricodeal ( 1046)
PHP Version : 7.4.33
Disable Function : NONE
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : ON  |  Sudo : ON  |  Pkexec : ON
Directory :  /usr/share/doc/qemu-kvm/devel/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :

[ Back ]     

Current File : /usr/share/doc/qemu-kvm/devel/secure-coding-practices.html

<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
  <meta charset="utf-8">
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  
  <title>Secure Coding Practices &mdash; QEMU qemu-kvm-6.2.0-53.module_el8.10.0+4110+4a319788.6 documentation</title>
  

  
  
    <link rel="shortcut icon" href="../_static/qemu_32x32.png"/>
  
  
  

  

  
  
    

  

  
    <link rel="stylesheet" href="../_static/css/theme.css" type="text/css" />
  <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Translator Internals" href="tcg.html" />
    <link rel="prev" title="Decodetree Specification" href="decodetree.html" /> 

  
  <script src="../_static/js/modernizr.min.js"></script>

</head>

<body class="wy-body-for-nav">

   
  <div class="wy-grid-for-nav">

    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search">
          

          
            <a href="../index.html" class="icon icon-home"> QEMU
          

          
            
            <img src="../_static/qemu_128x128.png" class="logo" alt="Logo"/>
          
          </a>

          
            
            
              <div class="version">
                6.2.0
              </div>
            
          

          
<div role="search">
  <form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
    <input type="text" name="q" placeholder="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>

          
        </div>

        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
          
            
            
              
            
            
              <p class="caption"><span class="caption-text">Contents:</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../about/index.html">About QEMU</a></li>
<li class="toctree-l1"><a class="reference internal" href="../system/index.html">System Emulation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">User Mode Emulation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../tools/index.html">Tools</a></li>
<li class="toctree-l1"><a class="reference internal" href="../interop/index.html">System Emulation Management and Interoperability</a></li>
<li class="toctree-l1"><a class="reference internal" href="../specs/index.html">System Emulation Guest Hardware Specifications</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Developer Information</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="code-of-conduct.html">Code of Conduct</a></li>
<li class="toctree-l2"><a class="reference internal" href="conflict-resolution.html">Conflict Resolution Policy</a></li>
<li class="toctree-l2"><a class="reference internal" href="build-system.html">The QEMU build system architecture</a></li>
<li class="toctree-l2"><a class="reference internal" href="style.html">QEMU Coding Style</a></li>
<li class="toctree-l2"><a class="reference internal" href="kconfig.html">QEMU and Kconfig</a></li>
<li class="toctree-l2"><a class="reference internal" href="testing.html">Testing in QEMU</a></li>
<li class="toctree-l2"><a class="reference internal" href="fuzzing.html">Fuzzing</a></li>
<li class="toctree-l2"><a class="reference internal" href="control-flow-integrity.html">Control-Flow Integrity (CFI)</a></li>
<li class="toctree-l2"><a class="reference internal" href="loads-stores.html">Load and Store APIs</a></li>
<li class="toctree-l2"><a class="reference internal" href="memory.html">The memory API</a></li>
<li class="toctree-l2"><a class="reference internal" href="migration.html">Migration</a></li>
<li class="toctree-l2"><a class="reference internal" href="atomics.html">Atomic operations in QEMU</a></li>
<li class="toctree-l2"><a class="reference internal" href="stable-process.html">QEMU and the stable process</a></li>
<li class="toctree-l2"><a class="reference internal" href="ci.html">CI</a></li>
<li class="toctree-l2"><a class="reference internal" href="qtest.html">QTest Device Emulation Testing Framework</a></li>
<li class="toctree-l2"><a class="reference internal" href="decodetree.html">Decodetree Specification</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Secure Coding Practices</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#reporting-security-bugs">Reporting Security Bugs</a></li>
<li class="toctree-l3"><a class="reference internal" href="#general-secure-c-coding-practices">General Secure C Coding Practices</a></li>
<li class="toctree-l3"><a class="reference internal" href="#input-validation">Input Validation</a></li>
<li class="toctree-l3"><a class="reference internal" href="#unexpected-device-accesses">Unexpected Device Accesses</a></li>
<li class="toctree-l3"><a class="reference internal" href="#live-migration">Live Migration</a></li>
<li class="toctree-l3"><a class="reference internal" href="#guest-memory-access-races">Guest Memory Access Races</a></li>
<li class="toctree-l3"><a class="reference internal" href="#use-of-null-co-block-drivers">Use of null-co block drivers</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="tcg.html">Translator Internals</a></li>
<li class="toctree-l2"><a class="reference internal" href="tcg-icount.html">TCG Instruction Counting</a></li>
<li class="toctree-l2"><a class="reference internal" href="tracing.html">Tracing</a></li>
<li class="toctree-l2"><a class="reference internal" href="multi-thread-tcg.html">Multi-threaded TCG</a></li>
<li class="toctree-l2"><a class="reference internal" href="tcg-plugins.html">QEMU TCG Plugins</a></li>
<li class="toctree-l2"><a class="reference internal" href="bitops.html">Bitwise operations</a></li>
<li class="toctree-l2"><a class="reference internal" href="ui.html">QEMU UI subsystem</a></li>
<li class="toctree-l2"><a class="reference internal" href="reset.html">Reset in QEMU: the Resettable interface</a></li>
<li class="toctree-l2"><a class="reference internal" href="s390-dasd-ipl.html">Booting from real channel-attached devices on s390x</a></li>
<li class="toctree-l2"><a class="reference internal" href="clocks.html">Modelling a clock tree in QEMU</a></li>
<li class="toctree-l2"><a class="reference internal" href="qom.html">The QEMU Object Model (QOM)</a></li>
<li class="toctree-l2"><a class="reference internal" href="modules.html">QEMU modules</a></li>
<li class="toctree-l2"><a class="reference internal" href="block-coroutine-wrapper.html">block-coroutine-wrapper</a></li>
<li class="toctree-l2"><a class="reference internal" href="multi-process.html">Multi-process QEMU</a></li>
<li class="toctree-l2"><a class="reference internal" href="ebpf_rss.html">eBPF RSS virtio-net support</a></li>
<li class="toctree-l2"><a class="reference internal" href="vfio-migration.html">VFIO device Migration</a></li>
<li class="toctree-l2"><a class="reference internal" href="qapi-code-gen.html">How to use the QAPI code generator</a></li>
<li class="toctree-l2"><a class="reference internal" href="writing-monitor-commands.html">How to write monitor commands</a></li>
<li class="toctree-l2"><a class="reference internal" href="trivial-patches.html">Trivial Patches</a></li>
<li class="toctree-l2"><a class="reference internal" href="submitting-a-patch.html">Submitting a Patch</a></li>
<li class="toctree-l2"><a class="reference internal" href="submitting-a-pull-request.html">Submitting a Pull Request</a></li>
</ul>
</li>
</ul>

            
          
        </div>
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" aria-label="top navigation">
        
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="../index.html">QEMU</a>
        
      </nav>


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          















<div role="navigation" aria-label="breadcrumbs navigation">

  <ul class="wy-breadcrumbs">
    
      <li><a href="../index.html">Docs</a> &raquo;</li>
        
          <li><a href="index.html">Developer Information</a> &raquo;</li>
        
      <li>Secure Coding Practices</li>
    
    
      <li class="wy-breadcrumbs-aside">
        
            
            
              <a href="https://gitlab.com/qemu-project/qemu/blob/master/docs/devel/secure-coding-practices.rst" class="fa fa-gitlab"> Edit on GitLab</a>
            
          
        
      </li>
    
  </ul>

  
  <hr/>
</div>
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
  <div class="section" id="secure-coding-practices">
<h1>Secure Coding Practices<a class="headerlink" href="#secure-coding-practices" title="Permalink to this headline">¶</a></h1>
<p>This document covers topics that both developers and security researchers must
be aware of so that they can develop safe code and audit existing code
properly.</p>
<div class="section" id="reporting-security-bugs">
<h2>Reporting Security Bugs<a class="headerlink" href="#reporting-security-bugs" title="Permalink to this headline">¶</a></h2>
<p>For details on how to report security bugs or ask questions about potential
security bugs, see the <a class="reference external" href="https://wiki.qemu.org/SecurityProcess">Security Process wiki page</a>.</p>
</div>
<div class="section" id="general-secure-c-coding-practices">
<h2>General Secure C Coding Practices<a class="headerlink" href="#general-secure-c-coding-practices" title="Permalink to this headline">¶</a></h2>
<p>Most CVEs (security bugs) reported against QEMU are not specific to
virtualization or emulation.  They are simply C programming bugs.  Therefore
it’s critical to be aware of common classes of security bugs.</p>
<p>There is a wide selection of resources available covering secure C coding.  For
example, the <a class="reference external" href="https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard">CERT C Coding Standard</a>
covers the most important classes of security bugs.</p>
<p>Instead of describing them in detail here, only the names of the most important
classes of security bugs are mentioned:</p>
<ul class="simple">
<li>Buffer overflows</li>
<li>Use-after-free and double-free</li>
<li>Integer overflows</li>
<li>Format string vulnerabilities</li>
</ul>
<p>Some of these classes of bugs can be detected by analyzers.  Static analysis is
performed regularly by Coverity and the most obvious of these bugs are even
reported by compilers.  Dynamic analysis is possible with valgrind, tsan, and
asan.</p>
</div>
<div class="section" id="input-validation">
<h2>Input Validation<a class="headerlink" href="#input-validation" title="Permalink to this headline">¶</a></h2>
<p>Inputs from the guest or external sources (e.g. network, files) cannot be
trusted and may be invalid.  Inputs must be checked before using them in a way
that could crash the program, expose host memory to the guest, or otherwise be
exploitable by an attacker.</p>
<p>The most sensitive attack surface is device emulation.  All hardware register
accesses and data read from guest memory must be validated.  A typical example
is a device that contains multiple units that are selectable by the guest via
an index register:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">typedef</span> <span class="n">struct</span> <span class="p">{</span>
    <span class="n">ProcessingUnit</span> <span class="n">unit</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span>
    <span class="o">...</span>
<span class="p">}</span> <span class="n">MyDeviceState</span><span class="p">;</span>

<span class="n">static</span> <span class="n">void</span> <span class="n">mydev_writel</span><span class="p">(</span><span class="n">void</span> <span class="o">*</span><span class="n">opaque</span><span class="p">,</span> <span class="n">uint32_t</span> <span class="n">addr</span><span class="p">,</span> <span class="n">uint32_t</span> <span class="n">val</span><span class="p">)</span>
<span class="p">{</span>
    <span class="n">MyDeviceState</span> <span class="o">*</span><span class="n">mydev</span> <span class="o">=</span> <span class="n">opaque</span><span class="p">;</span>
    <span class="n">ProcessingUnit</span> <span class="o">*</span><span class="n">unit</span><span class="p">;</span>

    <span class="n">switch</span> <span class="p">(</span><span class="n">addr</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">case</span> <span class="n">MYDEV_SELECT_UNIT</span><span class="p">:</span>
        <span class="n">unit</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">mydev</span><span class="o">-&gt;</span><span class="n">unit</span><span class="p">[</span><span class="n">val</span><span class="p">];</span>   <span class="o">&lt;--</span> <span class="n">this</span> <span class="nb">input</span> <span class="n">wasn</span><span class="s1">&#39;t validated!</span>
        <span class="o">...</span>
    <span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>If <code class="docutils literal notranslate"><span class="pre">val</span></code> is not in range [0, 1] then an out-of-bounds memory access will take
place when <code class="docutils literal notranslate"><span class="pre">unit</span></code> is dereferenced.  The code must check that <code class="docutils literal notranslate"><span class="pre">val</span></code> is 0 or
1 and handle the case where it is invalid.</p>
</div>
<div class="section" id="unexpected-device-accesses">
<h2>Unexpected Device Accesses<a class="headerlink" href="#unexpected-device-accesses" title="Permalink to this headline">¶</a></h2>
<p>The guest may access device registers in unusual orders or at unexpected
moments.  Device emulation code must not assume that the guest follows the
typical “theory of operation” presented in driver writer manuals.  The guest
may make nonsense accesses to device registers such as starting operations
before the device has been fully initialized.</p>
<p>A related issue is that device emulation code must be prepared for unexpected
device register accesses while asynchronous operations are in progress.  A
well-behaved guest might wait for a completion interrupt before accessing
certain device registers.  Device emulation code must handle the case where the
guest overwrites registers or submits further requests before an ongoing
request completes.  Unexpected accesses must not cause memory corruption or
leaks in QEMU.</p>
<p>Invalid device register accesses can be reported with
<code class="docutils literal notranslate"><span class="pre">qemu_log_mask(LOG_GUEST_ERROR,</span> <span class="pre">...)</span></code>.  The <code class="docutils literal notranslate"><span class="pre">-d</span> <span class="pre">guest_errors</span></code> command-line
option enables these log messages.</p>
</div>
<div class="section" id="live-migration">
<h2>Live Migration<a class="headerlink" href="#live-migration" title="Permalink to this headline">¶</a></h2>
<p>Device state can be saved to disk image files and shared with other users.
Live migration code must validate inputs when loading device state so an
attacker cannot gain control by crafting invalid device states.  Device state
is therefore considered untrusted even though it is typically generated by QEMU
itself.</p>
</div>
<div class="section" id="guest-memory-access-races">
<h2>Guest Memory Access Races<a class="headerlink" href="#guest-memory-access-races" title="Permalink to this headline">¶</a></h2>
<p>Guests with multiple vCPUs may modify guest RAM while device emulation code is
running.  Device emulation code must copy in descriptors and other guest RAM
structures and only process the local copy.  This prevents
time-of-check-to-time-of-use (TOCTOU) race conditions that could cause QEMU to
crash when a vCPU thread modifies guest RAM while device emulation is
processing it.</p>
</div>
<div class="section" id="use-of-null-co-block-drivers">
<h2>Use of null-co block drivers<a class="headerlink" href="#use-of-null-co-block-drivers" title="Permalink to this headline">¶</a></h2>
<p>The <code class="docutils literal notranslate"><span class="pre">null-co</span></code> block driver is designed for performance: its read accesses are
not initialized by default. In case this driver has to be used for security
research, it must be used with the <code class="docutils literal notranslate"><span class="pre">read-zeroes=on</span></code> option which fills read
buffers with zeroes. Security issues reported with the default
(<code class="docutils literal notranslate"><span class="pre">read-zeroes=off</span></code>) will be discarded.</p>
</div>
</div>


           </div>
           
          </div>
          <footer>
  
    <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
      
        <a href="tcg.html" class="btn btn-neutral float-right" title="Translator Internals" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a>
      
      
        <a href="decodetree.html" class="btn btn-neutral" title="Decodetree Specification" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a>
      
    </div>
  

  <hr/>

  <div role="contentinfo">
    <p>
        &copy; Copyright 2021, The QEMU Project Developers.

    </p>
  </div>
  Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.

<!-- Empty para to force a blank line after "Built with Sphinx ..." -->
<p></p>

<p>This documentation is for QEMU version 6.2.0.</p>


<p><a href="../about/license.html">QEMU and this manual are released under the
GNU General Public License, version 2.</a></p>

 


</footer>

        </div>
      </div>

    </section>

  </div>
  


  

    <script type="text/javascript">
        var DOCUMENTATION_OPTIONS = {
            URL_ROOT:'../',
            VERSION:'qemu-kvm-6.2.0-53.module_el8.10.0+4110+4a319788.6',
            LANGUAGE:'None',
            COLLAPSE_INDEX:false,
            FILE_SUFFIX:'.html',
            HAS_SOURCE:  false,
            SOURCELINK_SUFFIX: '.txt'
        };
    </script>
      <script type="text/javascript" src="../_static/jquery.js"></script>
      <script type="text/javascript" src="../_static/underscore.js"></script>
      <script type="text/javascript" src="../_static/doctools.js"></script>

  

  
  
    <script type="text/javascript" src="../_static/js/theme.js"></script>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script> 

</body>
</html>

Youez - 2016 - github.com/yon3zu
LinuXploit