[Qemu-devel] Re: [PATCH 5/5] virtio-serial: Error out if guest sends unexpected vq elements
Fri, 10 Dec 2010 15:17:58 +0000
> On (Fri) Dec 10 2010 [13:59:50], Paul Brook wrote:
> > > Check if the guest really sent any items in the out_vq before using
> > > them. Similarly, check if there is a buffer to send data in before
> > > writing.
> > Can this actually happen? If so why/how?
> > Why does it need a special case in this device?
> A malicious guest (i.e., a guest with the virtio_console module suitably
> modified) could send in buffers with the 'input' bit set instead of
> output as expected or vice-versa.
So what? Who cares if they get it wrong?
It's entirely unclear whether this is actually an error. If a request has zero
size then we just transfer zero bytes, exactly as requested.
Even if you accept this should be a diagnosable error, I suspect your patch is
still insufficient. I don't see any code to check that input queue requests
have zero output segments, nor do I see anything to handle zero-length
> > If this is guest triggerable then calling abort() is wrong.
> It's either a guest bug or a malicious guest. What action is
Killing the whole VM in response to a malformed request to a device is clearly
a bug in that device. You should report an error to the guest in the normal
manner. IIRC virtio lacks any consistent error reporting mechanisms, and the
usual response when asked to do something impossible is to reset the device.
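
The handling argued for in the message above, as an added example that is not part of the original e-mail or of QEMU's code: a wrong-direction element on the output queue marks the device as failed until the guest resets it, instead of calling abort(), and a zero-length segment simply transfers zero bytes. All type and function names here (struct vq_elem, struct dev, handle_out_elem, dev_reset) are hypothetical simplifications.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model; these are not QEMU's types. */
struct seg { const unsigned char *base; size_t len; };
struct vq_elem {
    unsigned out_num, in_num;   /* guest-readable / guest-writable segment counts */
    struct seg out_sg[4];
};
struct dev { int broken; unsigned char sink[64]; size_t used; };

enum { ELEM_OK = 0, ELEM_REJECTED = -1 };

/* Handle one element popped from the output (guest -> host) queue. */
int handle_out_elem(struct dev *d, const struct vq_elem *e)
{
    if (d->broken)
        return ELEM_REJECTED;   /* ignore the queue until the guest resets */

    /* Wrong direction or bogus count: fail this device, not the whole VM. */
    if (e->in_num != 0 || e->out_num > 4) {
        d->broken = 1;
        return ELEM_REJECTED;
    }
    for (unsigned i = 0; i < e->out_num; i++) {
        size_t room = sizeof(d->sink) - d->used;
        size_t n = e->out_sg[i].len < room ? e->out_sg[i].len : room;
        if (n)                  /* zero-length segment: transfer zero bytes */
            memcpy(d->sink + d->used, e->out_sg[i].base, n);
        d->used += n;
    }
    return ELEM_OK;
}

/* A guest-initiated device reset clears the error state. */
void dev_reset(struct dev *d) { d->broken = 0; d->used = 0; }

int main(void)
{
    struct dev d = {0};
    /* Constructed input: a guest-writable segment sent on the output queue. */
    struct vq_elem bad = { .out_num = 0, .in_num = 1 };
    int rc = handle_out_elem(&d, &bad);
    printf("rc=%d broken=%d\n", rc, d.broken);
    return 0;
}
```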