qemu-devel

Re: [Qemu-devel] [PATCH] raw: Fix image header protection


From: Kevin Wolf
Subject: Re: [Qemu-devel] [PATCH] raw: Fix image header protection
Date: Thu, 09 Sep 2010 15:02:24 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100907 Fedora/3.0.7-1.fc12 Thunderbird/3.0.7

Am 09.09.2010 14:52, schrieb Anthony Liguori:
> On 09/09/2010 07:44 AM, Kevin Wolf wrote:
>>> Isn't this an unbounded, guest controlled, malloc?  IOW, a guest could
>>> do a request of 4GB and on a 32-bit system crash the qemu instance.
>>>      
>> If you're concerned about that, we need to ban qemu_iovec_to_buffer()
>> completely. Currently we do the same thing for every write request for
>> every format but raw.
> 
> And QED ;-)

qed doesn't exist. We have some notes from a brainstorming thread that
should become a specification some day. And yes, there's some prototype
code. That's everything we have today.

Anyway, if you declare qemu_iovec_to_buffer() broken, it doesn't really
matter if n-1 formats or n-2 formats are broken...

>>   Or instead of completely removing it, we could add
>> a size limit, though I suspect that would mean violating some specs.
>>    
> 
> One thing I was thinking of trying was splitting off the first sector 
> into a linear buffer, then allocating a new iovec and adjusting the new 
> iovec to cover the new request minus the first sector.

That doesn't help any of the other use cases. Either we consider it a
problem or not. If we do, it must be fixed everywhere.

Kevin
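The two shapes being compared in this exchange, as an added C example that is not QEMU's code and not part of the thread: the "linearize the whole request" pattern (a single malloc sized by the guest's iovec, here capped so that a 4 GB request is refused instead of allocated) next to Anthony's sketch of copying only the first sector into a fixed buffer and building a new iovec for the remainder. It uses plain POSIX `struct iovec`; the cap `MAX_LINEARIZE`, the helpers `iov_total_len`, `iov_linearize_bounded`, `iov_copy_prefix`, `iov_skip`, `split_first_sector` and the 603-byte sample request are all assumptions made for this example, not `qemu_iovec_*` APIs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

#define SECTOR_SIZE 512
/* Assumed, example-only cap on what a caller may linearise in one go. */
#define MAX_LINEARIZE ((size_t)16 * 1024 * 1024)

/* Bytes described by an iovec array; saturates instead of wrapping when
 * guest-supplied lengths overflow size_t. */
size_t iov_total_len(const struct iovec *iov, int iovcnt)
{
    size_t total = 0;
    for (int i = 0; i < iovcnt; i++) {
        if (iov[i].iov_len > SIZE_MAX - total)
            return SIZE_MAX;
        total += iov[i].iov_len;
    }
    return total;
}

/* The pattern under discussion: one malloc sized by the guest's request.
 * Bounded here, so an oversized request yields NULL, not a huge allocation. */
unsigned char *iov_linearize_bounded(const struct iovec *iov, int iovcnt,
                                     size_t *out_len)
{
    size_t total = iov_total_len(iov, iovcnt);
    if (total == 0 || total > MAX_LINEARIZE)
        return NULL;
    unsigned char *buf = malloc(total);
    if (!buf)
        return NULL;
    size_t off = 0;
    for (int i = 0; i < iovcnt; i++) {
        memcpy(buf + off, iov[i].iov_base, iov[i].iov_len);
        off += iov[i].iov_len;
    }
    *out_len = total;
    return buf;
}

/* Copy at most `len` leading bytes of the request into a caller-owned
 * buffer; memory use is bounded by `len`, not by the request size. */
size_t iov_copy_prefix(const struct iovec *iov, int iovcnt, void *dst,
                       size_t len)
{
    size_t done = 0;
    for (int i = 0; i < iovcnt && done < len; i++) {
        size_t n = iov[i].iov_len;
        if (n > len - done)
            n = len - done;
        memcpy((unsigned char *)dst + done, iov[i].iov_base, n);
        done += n;
    }
    return done;
}

/* Describe the request minus its first `skip` bytes in `out` (room for
 * `iovcnt` entries). Returns entries written, or -1 if the request is
 * shorter than `skip`. Zero-length entries are dropped. */
int iov_skip(const struct iovec *iov, int iovcnt, size_t skip,
             struct iovec *out)
{
    int n = 0;
    for (int i = 0; i < iovcnt; i++) {
        if (skip >= iov[i].iov_len) {
            skip -= iov[i].iov_len;
            continue;
        }
        out[n].iov_base = (unsigned char *)iov[i].iov_base + skip;
        out[n].iov_len = iov[i].iov_len - skip;
        skip = 0;
        n++;
    }
    return skip == 0 ? n : -1;
}

/* Anthony's sketch: sector 0 into a linear buffer, the rest as a new iovec,
 * so a check on the header never needs the whole request in one allocation. */
int split_first_sector(const struct iovec *iov, int iovcnt,
                       unsigned char sector0[SECTOR_SIZE],
                       struct iovec *rest, int *rest_cnt)
{
    if (iov_copy_prefix(iov, iovcnt, sector0, SECTOR_SIZE) != SECTOR_SIZE)
        return -1; /* request too short to hold a full first sector */
    *rest_cnt = iov_skip(iov, iovcnt, SECTOR_SIZE, rest);
    return *rest_cnt < 0 ? -1 : 0;
}

/* Constructed sample: a 603-byte write split across three iov entries.
 * Returns 1 if the split matches what the layout predicts. */
int demo_split(void)
{
    unsigned char data[603];
    for (int i = 0; i < 603; i++)
        data[i] = (unsigned char)i;
    struct iovec iov[3] = { {data, 100}, {data + 100, 500}, {data + 600, 3} };
    unsigned char sector0[SECTOR_SIZE];
    struct iovec rest[3];
    int rest_cnt;
    if (split_first_sector(iov, 3, sector0, rest, &rest_cnt) != 0)
        return 0;
    if (memcmp(sector0, data, SECTOR_SIZE) != 0 || rest_cnt != 2)
        return 0;
    if (rest[0].iov_base != data + 512 || rest[0].iov_len != 88)
        return 0;
    if (rest[1].iov_base != data + 600 || rest[1].iov_len != 3)
        return 0;
    return iov_total_len(rest, rest_cnt) == 603 - SECTOR_SIZE;
}

/* Two 2 GiB entries (4 GiB total, saturating to SIZE_MAX on 32-bit): the
 * linearising path refuses them before touching the never-valid base pointers. */
int demo_reject_huge(void)
{
    struct iovec iov[2] = { {NULL, (size_t)1 << 31}, {NULL, (size_t)1 << 31} };
    size_t len = 0;
    return iov_linearize_bounded(iov, 2, &len) == NULL;
}

int main(void)
{
    printf("split ok: %d, huge rejected: %d\n", demo_split(), demo_reject_huge());
    return 0;
}
```

The bounded variant answers Anthony's specific worry for one call site only; Kevin's objection still holds, since every other caller that linearises a guest-sized request has to get the same treatment or the guest simply picks a different path.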


