[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] Re: [PATCHv2 10/12] tap: add vhost/vhostfd options

From: Anthony Liguori
Subject: [Qemu-devel] Re: [PATCHv2 10/12] tap: add vhost/vhostfd options
Date: Sun, 28 Feb 2010 16:38:20 -0600
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20091209 Fedora/3.0-4.fc12 Lightning/1.0pre Thunderbird/3.0

On 02/28/2010 03:01 PM, Michael S. Tsirkin wrote:
On Sun, Feb 28, 2010 at 02:57:56PM -0600, Anthony Liguori wrote:
On 02/28/2010 11:19 AM, Michael S. Tsirkin wrote:
Both have  security implications so I think it's important that they
be addressed.   Otherwise, I'm pretty happy with how things are.

Care suggesting some solutions?

The obvious thing to do would be to use the memory notifier in vhost to
keep track of whenever something remaps the ring's memory region and if
that happens, issue an ioctl to vhost to change the location of the
It would be easy to do, but what I wondered about, is what happens in the
guest meanwhile. Which ring address has the correct descriptors: the old
one?  The new one? Both?  This question leads me to the belief that well-behaved
guest will never encounter this.

This is not a question of well-behaved guests. It's a question about what our behaviour is in the face of a malicious guest. While I agree with you that that behaviour can be undefined, writing to an invalid ram location I believe could lead to guest privilege escalation.

I think the two solutions we could implement would be to always use the latest mapping (which is what all code does today) or to actively prevent ram from being remapped (which is my proposal below).


Anthony Liguori

reply via email to

[Prev in Thread] Current Thread [Next in Thread]