qemu-devel

Re: [Qemu-devel] [PATCH 0/3] virtio: Eliminate "exit(1)" upon invalid re


From: Kevin Wolf
Subject: Re: [Qemu-devel] [PATCH 0/3] virtio: Eliminate "exit(1)" upon invalid request in virtio-blk and virtio-scsi
Date: Fri, 25 Apr 2014 10:17:36 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

On 25.04.2014 at 08:29, Markus Armbruster wrote:
> "Michael S. Tsirkin" <address@hidden> writes:
> 
> > On Thu, Apr 24, 2014 at 12:43:56PM +0200, Kevin Wolf wrote:
> >> On 24.04.2014 at 09:55, Michael S. Tsirkin wrote:
> >> > On Thu, Apr 24, 2014 at 09:15:25AM +0200, Markus Armbruster wrote:
> >> > > If I remember correctly, the DOS involved passthrough of a virtual
> >> > > device to a nested guest or something like that.  Guest killing itself
> >> > > is unexciting, nested guest killing its host qualifies as DOS.  I guess
> >> > > our current answer to that is "don't do that then".
> >> > 
> >> > Yes.  virtio doesn't support that for a variety of other reasons,
> >> > one of which is that it doesn't go through an mmu.
> >> > Now, before someone sends a trivial patch converting it to
> >> > mmu aware calls, that's not yet possible without teaching vhost
> >> > and dataplane about MMU.
> >> 
> >> Nested virt is really just one example for a userspace virtio driver.
> >> Userspace shouldn't be able to kill the whole guest.
> >> 
> >> Kevin
> >
> > Without an MMIO this is fundamentally unavoidable.

s/MMIO/IOMMU/, I guess

> Really?  Why is it fundamentally impossible to put the device into an
> error state when we detect invalid device use by the guest?  Honest
> question; please excuse my ignorance here...

I think what Michael means is that without an IOMMU, a buggy or
malicious userspace guest driver (which could be a nested VM, in fact)
can always kill the guest kernel by DMAing to the right places.

This is true, without an IOMMU the protection won't be perfect. But
fixing what can easily be fixed is still an improvement and protects
at least against some forms of buggy drivers. It doesn't immediately
achieve the goal "userspace can't kill the guest", but it does bring
us closer to it.

Kevin
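
The error-state alternative to exit(1) discussed in this thread, as an added example that is not part of the original message and is not QEMU code: a toy device model that latches a `broken` flag on an invalid request and refuses further requests until reset. All names (`toy_dev`, `toy_req`, `toy_dev_handle`, `toy_dev_reset`) and the reset-clears-the-flag behaviour are assumptions made for illustration, and the sample requests are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy device model; none of these names are QEMU's. */
enum req_status { REQ_OK, REQ_REJECTED, REQ_DEVICE_BROKEN };

struct toy_req {
    uint64_t addr;      /* guest-physical address of the buffer */
    uint32_t len;       /* buffer length in bytes */
};

struct toy_dev {
    uint64_t ram_size;  /* size of guest RAM the device may touch */
    bool broken;        /* latched on invalid use, cleared only by reset */
    unsigned handled;   /* requests processed successfully */
};

/* Valid means non-empty and entirely inside guest RAM. The subtraction
 * form avoids the integer overflow that addr + len could hit. */
static bool toy_req_valid(const struct toy_dev *d, const struct toy_req *r)
{
    return r->len != 0 && r->addr < d->ram_size &&
           r->len <= d->ram_size - r->addr;
}

enum req_status toy_dev_handle(struct toy_dev *d, const struct toy_req *r)
{
    if (d->broken)
        return REQ_DEVICE_BROKEN;  /* ignore the queue until the guest resets */
    if (!toy_req_valid(d, r)) {
        d->broken = true;          /* the point where exit(1) would kill the VM */
        return REQ_REJECTED;
    }
    d->handled++;
    return REQ_OK;
}

void toy_dev_reset(struct toy_dev *d) { d->broken = false; }

int main(void)
{
    struct toy_dev d = { .ram_size = 0x1000 };
    struct toy_req good = { 0x100, 0x200 }, bad = { 0xf00, 0x101 }; /* constructed */
    int a = toy_dev_handle(&d, &good);
    int b = toy_dev_handle(&d, &bad);
    int c = toy_dev_handle(&d, &good);
    printf("%d %d %d\n", a, b, c);
    return 0;
}
```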


