On Mon, Oct 17, 2011 at 09:11:29PM +0200, Jan Kiszka wrote: > On 2011-10-17 14:50, Michael S. Tsirkin wrote: > > On Mon, Oct 17, 2011 at 02:07:10PM +0200, Jan Kiszka wrote: > >> On 2011-10-17 13:57, Michael S. Tsirkin wrote: > >>> On Mon, Oct 17, 2011 at 01:23:46PM +0200, Jan Kiszka wrote: > >>>> On 2011-10-17 13:10, Michael S. Tsirkin wrote: > >>>>> On Mon, Oct 17, 2011 at 11:27:40AM +0200, Jan Kiszka wrote: > >>>>>> Only accesses to the MSI-X table must trigger a call to > >>>>>> msix_handle_mask_update or a notifier invocation. > >>>>>> > >>>>>> Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx> > >>>>> > >>>>> Why would msix_mmio_write be called on an access > >>>>> outside the table? > >>>> > >>>> Because it handles both the table and the PBA. > >>> > >>> Hmm. Interesting. Is there a bug in how we handle PBA > >>> updates then? If yes I'd like a separate patch for that > >>> to apply to the stable tree. > >> > >> I first thought it was a serious bug, but it just triggers if the guest > >> write to PBA (which is very uncommon) and that actually triggers any > >> spurious out-of-bounds vector injection. Highly unlikely. > > > > Yes guests don't really use PBA ATM. But is there something > > bad a malicious guest can do? For example, what if > > msix_clr_pending gets invoked with this huge vector value? > > > > It does seem serious ... > > I checked it before and I think it is harmless. The largest vector that > can be miscalculated is 255. But bit 255 in the PBA is still safe inside > our MMIO page. > > Jan > you are right. we got lucky. -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
