On Mon, Aug 31, 2015 at 02:51:50PM +0800, Xiao Guangrong wrote:
>
>
> On 08/28/2015 08:01 PM, Stefan Hajnoczi wrote:
> >On Wed, Aug 26, 2015 at 06:46:35PM +0800, Xiao Guangrong wrote:
> >>On 08/26/2015 12:23 AM, Stefan Hajnoczi wrote:
> >>>On Fri, Aug 14, 2015 at 10:52:07PM +0800, Xiao Guangrong wrote:
> >>>> static void dsm_write(void *opaque, hwaddr addr,
> >>>> uint64_t val, unsigned size)
> >>>> {
> >>>>+ struct MemoryRegion *dsm_ram_mr = opaque;
> >>>>+ struct dsm_buffer *dsm;
> >>>>+ struct dsm_out *out;
> >>>>+ void *buf;
> >>>>+
> >>>> assert(val == NOTIFY_VALUE);
> >>>
> >>>The guest should not be able to cause an abort(3). If val !=
> >>>NOTIFY_VALUE we can do nvdebug() and then return.
> >>
> >>The ACPI code and emulation code both are from qemu, if that happens,
> >>it's really a bug, aborting the VM is better than throwing a debug
> >>message under this case to avoid potential data corruption.
> >
> >abort(3) is dangerous because it can create a core dump. If a malicious
> >guest triggers this repeatedly it could consume a lot of disk space and
> >I/O or CPU while performing the core dumps.
> >
> >We cannot trust anything inside the guest, even if the guest code comes
> >from QEMU because a malicious guest can still read/write to the same
> >hardware registers.
> >
>
> Completely agree with you. :)
>
> How about use exit{1} instead of abort() to kill the VM?
Most devices on a physical machine do not power off or reset the machine
in case of error.
I think it's good to follow that model and avoid killing the VM.
Otherwise nested virtualization or userspace drivers can take down the
whole VM.
Stefan
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
