From: Anthony Liguori
Subject: [Qemu-devel] Re: [PATCHv2 10/12] tap: add vhost/vhostfd options
Date: Sun, 28 Feb 2010 16:38:20 -0600
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091209 Fedora/3.0-4.fc12 Lightning/1.0pre Thunderbird/3.0
On 02/28/2010 03:01 PM, Michael S. Tsirkin wrote:
> On Sun, Feb 28, 2010 at 02:57:56PM -0600, Anthony Liguori wrote:
>> On 02/28/2010 11:19 AM, Michael S. Tsirkin wrote:
>>>> Both have security implications so I think it's important that they be addressed. Otherwise, I'm pretty happy with how things are.
>>> Care suggesting some solutions?
>> The obvious thing to do would be to use the memory notifier in vhost to keep track of whenever something remaps the ring's memory region and, if that happens, issue an ioctl to vhost to change the location of the ring.
> It would be easy to do, but what I wondered about is what happens in the guest meanwhile. Which ring address has the correct descriptors: the old one? The new one? Both? This question leads me to the belief that a well-behaved guest will never encounter this.
This is not a question of well-behaved guests. It's a question about what our behaviour is in the face of a malicious guest. While I agree with you that that behaviour can be undefined, writing to an invalid ram location I believe could lead to guest privilege escalation.
I think the two solutions we could implement would be to always use the latest mapping (which is what all code does today) or to actively prevent ram from being remapped (which is my proposal below).
Regards, Anthony Liguori
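The memory-notifier approach described in the quoted exchange, as an added example that is not part of the original thread or of QEMU's vhost code: a constructed Python model (ring size, region layout and host addresses are all assumed) in which a listener re-translates the ring's guest-physical address after every change to the RAM map and hands the latest host address to the backend, detaching the ring when its range is no longer backed by guest memory.

```python
# Added example, not QEMU or vhost code: a model of the memory-notifier approach discussed
# in the thread. A listener re-translates the ring's guest-physical address whenever the
# guest RAM map changes and pushes the new host address to the backend (a simulated
# VHOST_SET_VRING_ADDR), or detaches the ring when it is no longer backed by RAM.
RING_BYTES = 4096  # assumed ring footprint for the model

class GuestMemoryMap:
    """Constructed guest RAM map: (gpa, size, host) tuples plus change listeners."""
    def __init__(self):
        self.regions, self.listeners = [], []
    def translate(self, gpa, length):
        """Host address for [gpa, gpa + length), or None if the range is not fully mapped."""
        for start, size, host in self.regions:
            if start <= gpa and gpa + length <= start + size:
                return host + (gpa - start)
        return None

    def add(self, gpa, size, host):
        self.regions.append((gpa, size, host))
        for listener in self.listeners:
            listener.region_changed(self)

    def remove(self, gpa):
        self.regions = [r for r in self.regions if r[0] != gpa]
        for listener in self.listeners:
            listener.region_changed(self)

class VhostRingTracker:
    """Memory listener that keeps the backend's cached ring address equal to the latest mapping."""
    def __init__(self, mem, ring_gpa):
        self.mem, self.ring_gpa = mem, ring_gpa
        self.backend_ring_host = None  # what the (simulated) kernel side currently holds
        self.ioctls = []               # simulated VHOST_SET_VRING_ADDR calls, for inspection
        mem.listeners.append(self)
        self.region_changed(mem)

    def region_changed(self, mem):
        host = mem.translate(self.ring_gpa, RING_BYTES)
        if host != self.backend_ring_host:  # None means: detach rather than keep a stale address
            self.ioctls.append(("VHOST_SET_VRING_ADDR", host))
            self.backend_ring_host = host

def demo():
    mem = GuestMemoryMap()
    mem.add(0x0, 0x100000, 0x7f0000000000)     # constructed: 1 MiB of guest RAM at GPA 0
    tracker = VhostRingTracker(mem, ring_gpa=0x80000)
    first = tracker.backend_ring_host
    mem.remove(0x0)                              # RAM goes away: tracker detaches the ring
    mem.add(0x0, 0x100000, 0x7f1000000000)      # remapped to a different host buffer
    return first, tracker.backend_ring_host, [h for _, h in tracker.ioctls]
```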