On Thu, May 07, 2009 at 05:16:35PM +0300, Avi Kivity wrote:
> mtosatti@xxxxxxxxxx wrote:
>> Disallow the deletion of memory slots (and aliases, for x86 case), if a
>> vcpu contains a cr3 that points to such slot/alias.
>>
>
> That allows the guest to induce failures in the host.
I don't understand what you mean. What is the problem with returning
errors in the ioctl handlers?
The guest can cause an overflow in qemu, overwrite the parameters to
KVM_GET_MSR_INDEX_LIST in an attempt to read kernel data, and get
-E2BIG. Or pick your combination.
> Better to triple-fault the guest instead.
Sure can additionally triple fault it, but the kernel might attempt to
access the non-existant slot which cr3 points to before TRIPLE_FAULT is
processed. So you have to avoid that possibility in the first place,
thats why the patch modifies the ioctls to fail.
>> +int kvm_arch_can_free_memslot(struct kvm *kvm, struct kvm_memory_slot
>> *slot)
>> +{
>> + return 1;
>> +}
>> +
>>
>
> In general, instead of stubs in every arch, have x86 say
> KVM_HAVE_ARCH_CAN_FREE_MEMSLOT and define the stub in generic code when
> that define is not present.
Will fix that.
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
