On Wed, Jul 20, 2016 at 09:21:08AM +0100, Stefan Hajnoczi wrote:
> On Wed, Jul 20, 2016 at 12:48:39AM +0900, Namhyung Kim wrote:
> > Hello,
> >
> > On Mon, Jul 18, 2016 at 11:03:53AM +0100, Stefan Hajnoczi wrote:
> > > On Mon, Jul 18, 2016 at 01:37:40PM +0900, Namhyung Kim wrote:
> > > > +static void virtio_pstore_handle_io(VirtIODevice *vdev, VirtQueue *vq)
> > > > +{
> > > > + VirtIOPstore *s = VIRTIO_PSTORE(vdev);
> > > > + VirtQueueElement *elem;
> > > > + struct virtio_pstore_hdr *hdr;
> > > > + ssize_t len;
> > > > +
> > > > + for (;;) {
> > > > + elem = virtqueue_pop(vq, sizeof(VirtQueueElement));
> > > > + if (!elem) {
> > > > + return;
> > > > + }
> > > > +
> > > > + hdr = elem->out_sg[0].iov_base;
> > > > + if (elem->out_sg[0].iov_len != sizeof(*hdr)) {
> > > > + error_report("invalid header size: %u",
> > > > + (unsigned)elem->out_sg[0].iov_len);
> > > > + exit(1);
> > > > + }
> > >
> > > Please use iov_to_buf() instead of directly accessing out_sg[]. Virtio
> > > devices are not supposed to assume a particular iovec layout. In other
> > > words, virtio_pstore_hdr could be split across multiple out_sg[] iovecs.
> > >
> > > You must also copy in data (similar to Linux syscall implementations) to
> > > prevent the guest from modifying data while the command is processed.
> > > Such race conditions could lead to security bugs.
> >
> > By accessing elem->out_sg[0].iov_base directly, I abused it as an
> > in-and-out buffer. But it seems not allowed by the virtio spec, do I
> > have to use separate buffers for request and response?
>
> Yes, a virtqueue element has (host read-only) out buffers followed by
> (host write-only) in buffers.
Thanks for clarification. I'll split them.
Thanks,
Namhyung
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
