[Qemu-devel] Re: [PATCHv2 10/12] tap: add vhost/vhostfd options

[Anthony Liguori]

On 02/28/2010 03:01 PM, Michael S. Tsirkin wrote:
> On Sun, Feb 28, 2010 at 02:57:56PM -0600, Anthony Liguori wrote:
>    
> > On 02/28/2010 11:19 AM, Michael S. Tsirkin wrote:
> >      
> > > > Both have  security implications so I think it's important that they
> > > > be addressed.   Otherwise, I'm pretty happy with how things are.
> > > >
> > > >          
> > > Care suggesting some solutions?
> > >
> > >        
> > The obvious thing to do would be to use the memory notifier in vhost to
> > keep track of whenever something remaps the ring's memory region and if
> > that happens, issue an ioctl to vhost to change the location of the
> > ring.
> >      
> It would be easy to do, but what I wondered about, is what happens in the
> guest meanwhile. Which ring address has the correct descriptors: the old
> one?  The new one? Both?  This question leads me to the belief that well-behaved
> guest will never encounter this.
>    

This is not a question of well-behaved guests.  It's a question about 
what our behaviour is in the face of a malicious guest.  While I agree 
with you that that behaviour can be undefined, writing to an invalid ram 
location I believe could lead to guest privilege escalation.

I think the two solutions we could implement would be to always use the 
latest mapping (which is what all code does today) or to actively 
prevent ram from being remapped (which is my proposal below).

Regards,

Anthony Liguori