On Thu, May 07, 2009 at 05:16:35PM +0300, Avi Kivity wrote:
> mtosatti@xxxxxxxxxx wrote:
>> Disallow the deletion of memory slots (and aliases, for x86 case), if a
>> vcpu contains a cr3 that points to such slot/alias.
>>
>
> That allows the guest to induce failures in the host.

I don't understand what you mean. What is the problem with returning
errors in the ioctl handlers?

The guest can cause an overflow in qemu, overwrite the parameters to
KVM_GET_MSR_INDEX_LIST in an attempt to read kernel data, and get -E2BIG.
Or pick your combination.

> Better to triple-fault the guest instead.

Sure, can additionally triple fault it, but the kernel might attempt to
access the non-existent slot which cr3 points to before TRIPLE_FAULT is
processed. So you have to avoid that possibility in the first place,
that's why the patch modifies the ioctls to fail.

>> +int kvm_arch_can_free_memslot(struct kvm *kvm, struct kvm_memory_slot
>> *slot)
>> +{
>> +	return 1;
>> +}
>> +
>>
>
> In general, instead of stubs in every arch, have x86 say
> KVM_HAVE_ARCH_CAN_FREE_MEMSLOT and define the stub in generic code when
> that define is not present.

Will fix that.
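The check the patch describes, modelled as an added stand-alone example (this is not the KVM patch under discussion nor KVM code; the struct and function names, the -EBUSY choice and the sample slot layout are all constructed here): a memory slot covers guest page frames [base_gfn, base_gfn + npages), and a slot may only be freed when no online vcpu's cr3 resolves to a frame inside it, so the deletion ioctl can fail instead of leaving the kernel to walk page tables in a slot that no longer exists.

```c
/* Added example, not the KVM patch being reviewed. Models the "refuse to free
 * a memslot while some vcpu's cr3 points into it" check. All type and
 * function names here are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>

#define PAGE_SHIFT 12
#define MAX_VCPUS  4
#define EBUSY_RET  (-16)   /* stand-in for -EBUSY, what the ioctl would return */

struct memslot { uint64_t base_gfn; uint64_t npages; };
struct vcpu    { int online; uint64_t cr3; };
struct vm      { struct vcpu vcpus[MAX_VCPUS]; };

/* Nonzero if gfn lies inside the slot; written to avoid overflow on the sum. */
static int slot_contains_gfn(const struct memslot *slot, uint64_t gfn)
{
    return gfn >= slot->base_gfn && gfn - slot->base_gfn < slot->npages;
}

/* cr3's low 12 bits carry flags (PWT, PCD, or a PCID), not address bits;
 * shifting by PAGE_SHIFT discards them and yields the page-directory frame. */
static uint64_t cr3_to_gfn(uint64_t cr3)
{
    return cr3 >> PAGE_SHIFT;
}

/* Analogue of the per-arch hook in the patch: 1 if the slot may be freed,
 * 0 if any online vcpu still has cr3 pointing into it. */
int can_free_memslot(const struct vm *vm, const struct memslot *slot)
{
    for (size_t i = 0; i < MAX_VCPUS; i++) {
        const struct vcpu *v = &vm->vcpus[i];
        if (v->online && slot_contains_gfn(slot, cr3_to_gfn(v->cr3)))
            return 0;
    }
    return 1;
}

/* What the deletion ioctl handler would do with the answer: fail the request
 * rather than free a slot that a live cr3 still references. */
int delete_memslot(const struct vm *vm, const struct memslot *slot)
{
    if (!can_free_memslot(vm, slot))
        return EBUSY_RET;
    /* ... actual teardown would happen here ... */
    return 0;
}

/* Constructed scenario: two slots, one online vcpu whose cr3 (with PWT|PCD
 * flag bits set) sits in the second slot. Returns 1 if behaviour is as
 * expected: the low slot is freeable, the high slot is not. */
int demo_busy_slot(void)
{
    struct vm vm = { .vcpus = { { 1, (0x200ULL << PAGE_SHIFT) | 0x18 } } };
    struct memslot low  = { .base_gfn = 0x000, .npages = 0x100 };
    struct memslot high = { .base_gfn = 0x200, .npages = 0x100 };

    return delete_memslot(&vm, &low) == 0 &&
           delete_memslot(&vm, &high) == EBUSY_RET;
}
```

Offline vcpus are skipped because a zero-initialised cr3 would otherwise pin frame 0 of whichever slot starts at gfn 0; a real implementation would use the VM's own vcpu iteration and locking rather than a fixed array.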