On 15/11/2017 13:51, Daniel P. Berrange wrote: > If you're concerned that someone is tampering with QEMU state > in transit during migration, then you're going to end up playing > whack-a-mole across the entire QEMU codebase IMHO. The answer > to the problem of tampering is to have encryption of the > migration data stream between both QEMU's. Thus QEMU on the > target merely has to trust QEMU on the source. If QEMU on the > source is itself compromised you've already lost and migration > won't make life any worse. >
This is not entirely true. A lot of such cases were fixed in the past, especially when they could cause out-of-bounds access. Someone could provide a bad migration stream (e.g. as a fake bug report!), so migration data should not be considered trusted. However, PJP's patch breaks migration by changing a 4-byte field to 1-byte. The correct fix is to range-check the fields in ps2_common_post_load. Thanks, Paolo