[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on
|
From: |
Jan Kiszka |
|
Subject: |
Re: [Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses |
|
Date: |
Mon, 17 Oct 2011 21:11:29 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.8.1.12) Gecko/20080226 SUSE/2.0.0.12-1.1 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666 |
On 2011-10-17 14:50, Michael S. Tsirkin wrote:
> On Mon, Oct 17, 2011 at 02:07:10PM +0200, Jan Kiszka wrote:
>> On 2011-10-17 13:57, Michael S. Tsirkin wrote:
>>> On Mon, Oct 17, 2011 at 01:23:46PM +0200, Jan Kiszka wrote:
>>>> On 2011-10-17 13:10, Michael S. Tsirkin wrote:
>>>>> On Mon, Oct 17, 2011 at 11:27:40AM +0200, Jan Kiszka wrote:
>>>>>> Only accesses to the MSI-X table must trigger a call to
>>>>>> msix_handle_mask_update or a notifier invocation.
>>>>>>
>>>>>> Signed-off-by: Jan Kiszka <address@hidden>
>>>>>
>>>>> Why would msix_mmio_write be called on an access
>>>>> outside the table?
>>>>
>>>> Because it handles both the table and the PBA.
>>>
>>> Hmm. Interesting. Is there a bug in how we handle PBA
>>> updates then? If yes I'd like a separate patch for that
>>> to apply to the stable tree.
>>
>> I first thought it was a serious bug, but it just triggers if the guest
>> write to PBA (which is very uncommon) and that actually triggers any
>> spurious out-of-bounds vector injection. Highly unlikely.
>
> Yes guests don't really use PBA ATM. But is there something
> bad a malicious guest can do? For example, what if
> msix_clr_pending gets invoked with this huge vector value?
>
> It does seem serious ...
I checked it before and I think it is harmless. The largest vector that
can be miscalculated is 255. But bit 255 in the PBA is still safe inside
our MMIO page.
Jan
signature.asc
Description: OpenPGP digital signature
- Re: [Qemu-devel] [RFC][PATCH 11/45] msi: Factor out delivery hook, (continued)
[Qemu-devel] [RFC][PATCH 13/45] hpet: Use msi_deliver, Jan Kiszka, 2011/10/17
[Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses, Jan Kiszka, 2011/10/17
- Re: [Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses, Michael S. Tsirkin, 2011/10/17
- Re: [Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses, Jan Kiszka, 2011/10/17
- Re: [Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses, Michael S. Tsirkin, 2011/10/17
- Re: [Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses, Jan Kiszka, 2011/10/17
- Re: [Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses, Michael S. Tsirkin, 2011/10/17
- Re: [Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses,
Jan Kiszka <=
- Re: [Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses, Michael S. Tsirkin, 2011/10/17
[Qemu-devel] [RFC][PATCH 09/45] msi: Factor out msi_message_from_vector, Jan Kiszka, 2011/10/17
[Qemu-devel] [RFC][PATCH 26/45] qemu-kvm: Use g_realloc for irq_routes extension, Jan Kiszka, 2011/10/17
[Qemu-devel] [RFC][PATCH 17/45] qemu-kvm: Track MSIRoutingCache in KVM routing table, Jan Kiszka, 2011/10/17
[Qemu-devel] [RFC][PATCH 04/45] msi: Invoke msi/msix_reset from PCI core, Jan Kiszka, 2011/10/17
[Qemu-devel] [RFC][PATCH 25/45] qemu-kvm: Update MSI cache on kvm_msi_irqfd_set, Jan Kiszka, 2011/10/17
[Qemu-devel] [RFC][PATCH 20/45] qemu-kvm: msix: Only invoke msix_handle_mask_update on changes, Jan Kiszka, 2011/10/17