From: Anthony Liguori
Subject: Re: [Qemu-devel] [PATCH] raw: Fix image header protection
Date: Thu, 09 Sep 2010 07:52:17 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.11) Gecko/20100713 Lightning/1.0b1 Thunderbird/3.0.6
On 09/09/2010 07:44 AM, Kevin Wolf wrote:
>> Isn't this an unbounded, guest controlled, malloc? IOW, a guest could do a request of 4GB and on a 32-bit system crash the qemu instance.
> If you're concerned about that, we need to ban qemu_iovec_to_buffer() completely. Currently we do the same thing for every write request for every format but raw.

And QED ;-)

> Or instead of completely removing it, we could add a size limit, though I suspect that would mean violating some specs.

One thing I was thinking of trying was splitting off the first sector into a linear buffer, then allocating a new iovec and adjusting the new iovec to cover the new request minus the first sector.

> If I was a guest though and wanted to crash qemu, I would just mess up the virtio ring a bit so that qemu would exit() voluntarily. ;-)

Yeah, we're terrible at this but we should try to avoid making things worse. Particularly in a code path (like raw images) where we don't have this problem today.
Regards, Anthony Liguori
> Kevin
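The two patterns discussed in this message, as an added example written for this page (it is not code from the email, from the patch under review, or from QEMU): a linearising copy whose allocation size is the sum of guest-supplied iovec lengths, placed next to the alternative Anthony sketches, which copies only the first sector into a fixed-size buffer and builds a new iovec for the remainder. The names `linearise_whole_request`, `split_first_sector` and `iov_total` are hypothetical stand-ins for qemu_iovec_to_buffer() and its callers, the 512-byte sector size is an assumption, and the sample buffers in `main` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

#define SECTOR_SIZE 512   /* assumed sector size, not taken from the page */

/* Total byte length covered by an iovec array (hypothetical helper). */
static size_t iov_total(const struct iovec *iov, int niov)
{
    size_t total = 0;
    for (int i = 0; i < niov; i++)
        total += iov[i].iov_len;
    return total;
}

/*
 * The pattern under discussion: flatten the whole request into one
 * buffer. The malloc size is the sum of iov_len values that the guest
 * put in its request, so the guest decides how much host memory this
 * asks for; a 4GB request on a 32-bit host is the case Anthony raises.
 * Hypothetical stand-in for qemu_iovec_to_buffer(), not QEMU's code.
 */
uint8_t *linearise_whole_request(const struct iovec *iov, int niov)
{
    size_t total = iov_total(iov, niov);
    uint8_t *buf = malloc(total);          /* unbounded, guest controlled */
    if (!buf)
        return NULL;
    size_t off = 0;
    for (int i = 0; i < niov; i++) {
        memcpy(buf + off, iov[i].iov_base, iov[i].iov_len);
        off += iov[i].iov_len;
    }
    return buf;
}

/*
 * Bounded alternative: copy only the first sector into the caller's
 * fixed SECTOR_SIZE buffer and return a new iovec covering everything
 * after it. The only allocation is the new iovec array, whose size is
 * bounded by the entry count niov, not by the byte count the guest chose.
 *
 * Returns the number of entries written to *out_iov, or -1 if the
 * request is shorter than one sector or allocation fails. The caller
 * frees *out_iov. The remainder entries point into the original buffers.
 */
int split_first_sector(const struct iovec *iov, int niov,
                       uint8_t first[SECTOR_SIZE], struct iovec **out_iov)
{
    if (niov <= 0 || iov_total(iov, niov) < SECTOR_SIZE)
        return -1;

    /* Splitting one sector off leaves at most one piece per input entry. */
    struct iovec *rest = calloc((size_t)niov, sizeof(*rest));
    if (!rest)
        return -1;

    size_t need = SECTOR_SIZE;   /* bytes still owed to 'first' */
    int n = 0;
    for (int i = 0; i < niov; i++) {
        const uint8_t *base = iov[i].iov_base;
        size_t len = iov[i].iov_len;
        if (need > 0) {
            size_t take = len < need ? len : need;
            memcpy(first + (SECTOR_SIZE - need), base, take);
            need -= take;
            base += take;
            len -= take;
        }
        if (len > 0) {           /* whatever is left stays in the request */
            rest[n].iov_base = (void *)base;
            rest[n].iov_len = len;
            n++;
        }
    }
    *out_iov = rest;
    return n;
}

int main(void)
{
    /* Constructed request: three guest buffers of 200, 400 and 1000 bytes. */
    uint8_t a[200], b[400], c[1000];
    memset(a, 0xAA, sizeof a);
    memset(b, 0xBB, sizeof b);
    memset(c, 0xCC, sizeof c);
    struct iovec req[3] = { { a, sizeof a }, { b, sizeof b }, { c, sizeof c } };

    uint8_t first[SECTOR_SIZE];
    struct iovec *rest = NULL;
    int n = split_first_sector(req, 3, first, &rest);
    printf("first sector: %02x..%02x, remainder entries: %d, bytes: %zu\n",
           first[0], first[SECTOR_SIZE - 1], n, iov_total(rest, n));
    free(rest);
    return 0;
}
```

The point of the split is that the part the raw driver needs in a linear buffer is one sector, so the copy is fixed-size and the remainder is described, not copied; the guest can still make `niov` large, but that cost is already paid when the request's iovec is accepted, not multiplied by the byte count.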