From: Amit Shah <amit.shah@redhat.com>
To: Avi Kivity <avi@redhat.com>
Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>,
Yoshihiro YUNOMAE <yoshihiro.yunomae.ez@hitachi.com>,
linux-kernel@vger.kernel.org,
Anthony Liguori <anthony@codemonkey.ws>,
Arnd Bergmann <arnd@arndb.de>, Borislav Petkov <bp@amd64.org>,
"Franch Ch. Eigler" <fche@redhat.com>,
Frederic Weisbecker <fweisbec@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Herbert Xu <herbert@gondor.hengli.com.au>,
Ingo Molnar <mingo@redhat.com>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Steven Rostedt <rostedt@goodmis.org>,
virtualization@lists.linux-foundation.org, qemu-devel@nongnu.org,
yrl.pp-manager.tt@hitachi.com,
Rusty Russell <rusty@rustcorp.com.au>
Subject: Re: [RFC PATCH 2/6] virtio/console: Add a failback for unstealable pipe buffer
Date: Thu, 9 Aug 2012 15:44:47 +0530 [thread overview]
Message-ID: <20120809101447.GM3280@amit.redhat.com> (raw)
In-Reply-To: <502389B5.4020506@redhat.com>
On (Thu) 09 Aug 2012 [12:58:13], Avi Kivity wrote:
> On 08/09/2012 12:55 PM, Amit Shah wrote:
> > On (Thu) 09 Aug 2012 [18:24:58], Masami Hiramatsu wrote:
> >> (2012/08/09 18:03), Amit Shah wrote:
> >> > On (Tue) 24 Jul 2012 [11:37:18], Yoshihiro YUNOMAE wrote:
> >> >> From: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
> >> >>
> >> >> Add a failback memcpy path for unstealable pipe buffer.
> >> >> If buf->ops->steal() fails, virtio-serial tries to
> >> >> copy the page contents to an allocated page, instead
> >> >> of just failing splice().
> >> >>
> >> >> Signed-off-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
> >> >> Cc: Amit Shah <amit.shah@redhat.com>
> >> >> Cc: Arnd Bergmann <arnd@arndb.de>
> >> >> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >> >> ---
> >> >>
> >> >> drivers/char/virtio_console.c | 28 +++++++++++++++++++++++++---
> >> >> 1 files changed, 25 insertions(+), 3 deletions(-)
> >> >>
> >> >> diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
> >> >> index fe31b2f..911cb3e 100644
> >> >> --- a/drivers/char/virtio_console.c
> >> >> +++ b/drivers/char/virtio_console.c
> >> >> @@ -794,7 +794,7 @@ static int pipe_to_sg(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
> >> >> struct splice_desc *sd)
> >> >> {
> >> >> struct sg_list *sgl = sd->u.data;
> >> >> - unsigned int len = 0;
> >> >> + unsigned int offset, len;
> >> >>
> >> >> if (sgl->n == MAX_SPLICE_PAGES)
> >> >> return 0;
> >> >> @@ -807,9 +807,31 @@ static int pipe_to_sg(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
> >> >>
> >> >> len = min(buf->len, sd->len);
> >> >> sg_set_page(&(sgl->sg[sgl->n]), buf->page, len, buf->offset);
> >> >> - sgl->n++;
> >> >> - sgl->len += len;
> >> >> + } else {
> >> >> + /* Failback to copying a page */
> >> >> + struct page *page = alloc_page(GFP_KERNEL);
> >> >
> >> > I prefer zeroing out the page. If there's not enough data to be
> >> > filled in the page, the remaining data can be leaked to the host.
> >>
> >> Yeah, it is really easy to fix that.
> >> But out of curiosity, would that be really a problem?
> >> I guess that host can access any guest page if need. If that
> >> is right, is that really insecure to leak randomly allocated
> >> unused page to the host?
> >
> > I'm not sure if there is a way to really attack, but just something I
> > had thought about: the host kernel can access any guest page, that's
> > not something we can prevent.
> >
> > However, if qemu is restricted from accessing guest pages, and the
> > guest shares this page with qemu for r/w purposes via the virtio
> > channel, a qemu exploit can expose guest data to host userspace.
> >
> > I agree this is completely theoretical; can someone else with more
> > insight confirm or deny my apprehensions?
>
> qemu can read and write any guest page (for the guest it controls).
OK, thanks for confirming -- no need to change this patch, then.
Amit
WARNING: multiple messages have this Message-ID (diff)
From: Amit Shah <amit.shah@redhat.com>
To: Avi Kivity <avi@redhat.com>
Cc: Rusty Russell <rusty@rustcorp.com.au>,
Arnd Bergmann <arnd@arndb.de>,
qemu-devel@nongnu.org, Frederic Weisbecker <fweisbec@gmail.com>,
Yoshihiro YUNOMAE <yoshihiro.yunomae.ez@hitachi.com>,
yrl.pp-manager.tt@hitachi.com, linux-kernel@vger.kernel.org,
Borislav Petkov <bp@amd64.org>,
virtualization@lists.linux-foundation.org,
Herbert Xu <herbert@gondor.hengli.com.au>,
"Franch Ch. Eigler" <fche@redhat.com>,
Ingo Molnar <mingo@redhat.com>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Steven Rostedt <rostedt@goodmis.org>,
Anthony Liguori <anthony@codemonkey.ws>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Subject: Re: [Qemu-devel] [RFC PATCH 2/6] virtio/console: Add a failback for unstealable pipe buffer
Date: Thu, 9 Aug 2012 15:44:47 +0530 [thread overview]
Message-ID: <20120809101447.GM3280@amit.redhat.com> (raw)
In-Reply-To: <502389B5.4020506@redhat.com>
On (Thu) 09 Aug 2012 [12:58:13], Avi Kivity wrote:
> On 08/09/2012 12:55 PM, Amit Shah wrote:
> > On (Thu) 09 Aug 2012 [18:24:58], Masami Hiramatsu wrote:
> >> (2012/08/09 18:03), Amit Shah wrote:
> >> > On (Tue) 24 Jul 2012 [11:37:18], Yoshihiro YUNOMAE wrote:
> >> >> From: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
> >> >>
> >> >> Add a failback memcpy path for unstealable pipe buffer.
> >> >> If buf->ops->steal() fails, virtio-serial tries to
> >> >> copy the page contents to an allocated page, instead
> >> >> of just failing splice().
> >> >>
> >> >> Signed-off-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
> >> >> Cc: Amit Shah <amit.shah@redhat.com>
> >> >> Cc: Arnd Bergmann <arnd@arndb.de>
> >> >> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >> >> ---
> >> >>
> >> >> drivers/char/virtio_console.c | 28 +++++++++++++++++++++++++---
> >> >> 1 files changed, 25 insertions(+), 3 deletions(-)
> >> >>
> >> >> diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
> >> >> index fe31b2f..911cb3e 100644
> >> >> --- a/drivers/char/virtio_console.c
> >> >> +++ b/drivers/char/virtio_console.c
> >> >> @@ -794,7 +794,7 @@ static int pipe_to_sg(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
> >> >> struct splice_desc *sd)
> >> >> {
> >> >> struct sg_list *sgl = sd->u.data;
> >> >> - unsigned int len = 0;
> >> >> + unsigned int offset, len;
> >> >>
> >> >> if (sgl->n == MAX_SPLICE_PAGES)
> >> >> return 0;
> >> >> @@ -807,9 +807,31 @@ static int pipe_to_sg(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
> >> >>
> >> >> len = min(buf->len, sd->len);
> >> >> sg_set_page(&(sgl->sg[sgl->n]), buf->page, len, buf->offset);
> >> >> - sgl->n++;
> >> >> - sgl->len += len;
> >> >> + } else {
> >> >> + /* Failback to copying a page */
> >> >> + struct page *page = alloc_page(GFP_KERNEL);
> >> >
> >> > I prefer zeroing out the page. If there's not enough data to be
> >> > filled in the page, the remaining data can be leaked to the host.
> >>
> >> Yeah, it is really easy to fix that.
> >> But out of curiosity, would that be really a problem?
> >> I guess that host can access any guest page if need. If that
> >> is right, is that really insecure to leak randomly allocated
> >> unused page to the host?
> >
> > I'm not sure if there is a way to really attack, but just something I
> > had thought about: the host kernel can access any guest page, that's
> > not something we can prevent.
> >
> > However, if qemu is restricted from accessing guest pages, and the
> > guest shares this page with qemu for r/w purposes via the virtio
> > channel, a qemu exploit can expose guest data to host userspace.
> >
> > I agree this is completely theoretical; can someone else with more
> > insight confirm or deny my apprehensions?
>
> qemu can read and write any guest page (for the guest it controls).
OK, thanks for confirming -- no need to change this patch, then.
Amit
next prev parent reply other threads:[~2012-08-09 10:15 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-24 2:36 [RFC PATCH 0/6] virtio-trace: Support virtio-trace Yoshihiro YUNOMAE
2012-07-24 2:36 ` [Qemu-devel] " Yoshihiro YUNOMAE
2012-07-24 2:36 ` Yoshihiro YUNOMAE
2012-07-24 2:37 ` [RFC PATCH 1/6] virtio/console: Add splice_write support Yoshihiro YUNOMAE
2012-07-24 2:37 ` [Qemu-devel] " Yoshihiro YUNOMAE
2012-07-24 2:37 ` Yoshihiro YUNOMAE
2012-08-09 9:00 ` Amit Shah
2012-08-09 9:00 ` [Qemu-devel] " Amit Shah
2012-08-09 9:00 ` Amit Shah
2012-08-09 9:12 ` Masami Hiramatsu
2012-08-09 9:12 ` [Qemu-devel] " Masami Hiramatsu
2012-08-09 9:12 ` Masami Hiramatsu
2012-07-24 2:37 ` [RFC PATCH 2/6] virtio/console: Add a failback for unstealable pipe buffer Yoshihiro YUNOMAE
2012-07-24 2:37 ` [Qemu-devel] " Yoshihiro YUNOMAE
2012-07-24 2:37 ` Yoshihiro YUNOMAE
2012-08-09 9:03 ` Amit Shah
2012-08-09 9:03 ` [Qemu-devel] " Amit Shah
2012-08-09 9:03 ` Amit Shah
2012-08-09 9:24 ` Borislav Petkov
2012-08-09 9:24 ` Borislav Petkov
2012-08-09 9:24 ` [Qemu-devel] " Borislav Petkov
2012-08-09 9:24 ` Masami Hiramatsu
2012-08-09 9:24 ` [Qemu-devel] " Masami Hiramatsu
2012-08-09 9:24 ` Masami Hiramatsu
2012-08-09 9:55 ` Amit Shah
2012-08-09 9:55 ` [Qemu-devel] " Amit Shah
2012-08-09 9:55 ` Amit Shah
2012-08-09 9:58 ` Avi Kivity
2012-08-09 9:58 ` [Qemu-devel] " Avi Kivity
2012-08-09 9:58 ` Avi Kivity
2012-08-09 10:14 ` Amit Shah [this message]
2012-08-09 10:14 ` [Qemu-devel] " Amit Shah
2012-08-09 10:14 ` Amit Shah
2012-08-09 12:35 ` Steven Rostedt
2012-08-09 12:35 ` [Qemu-devel] " Steven Rostedt
2012-08-09 12:35 ` Steven Rostedt
2012-07-24 2:37 ` [RFC PATCH 3/6] virtio/console: Wait until the port is ready on splice Yoshihiro YUNOMAE
2012-07-24 2:37 ` [Qemu-devel] " Yoshihiro YUNOMAE
2012-07-24 2:37 ` Yoshihiro YUNOMAE
2012-07-24 2:37 ` [RFC PATCH 4/6] ftrace: Allow stealing pages from pipe buffer Yoshihiro YUNOMAE
2012-07-24 2:37 ` [Qemu-devel] " Yoshihiro YUNOMAE
2012-07-24 2:37 ` Yoshihiro YUNOMAE
2012-07-30 22:12 ` Steven Rostedt
2012-07-30 22:12 ` [Qemu-devel] " Steven Rostedt
2012-07-30 22:12 ` Steven Rostedt
2012-07-24 2:37 ` [RFC PATCH 5/6] virtio/console: Allocate scatterlist according to the current pipe size Yoshihiro YUNOMAE
2012-07-24 2:37 ` [Qemu-devel] " Yoshihiro YUNOMAE
2012-07-24 2:37 ` Yoshihiro YUNOMAE
2012-07-24 2:37 ` [RFC PATCH 6/6] tools: Add guest trace agent as a user tool Yoshihiro YUNOMAE
2012-07-24 2:37 ` [Qemu-devel] " Yoshihiro YUNOMAE
2012-07-24 2:37 ` Yoshihiro YUNOMAE
2012-07-24 3:27 ` [RFC PATCH 0/6] virtio-trace: Support virtio-trace Masami Hiramatsu
2012-07-24 3:27 ` [Qemu-devel] " Masami Hiramatsu
2012-07-24 3:27 ` Masami Hiramatsu
2012-07-24 10:02 ` Stefan Hajnoczi
2012-07-24 10:02 ` [Qemu-devel] " Stefan Hajnoczi
2012-07-24 10:02 ` Stefan Hajnoczi
2012-07-24 11:03 ` Masami Hiramatsu
2012-07-24 11:03 ` [Qemu-devel] " Masami Hiramatsu
2012-07-24 11:19 ` Yoshihiro YUNOMAE
2012-07-24 11:19 ` [Qemu-devel] " Yoshihiro YUNOMAE
2012-07-24 11:19 ` Yoshihiro YUNOMAE
2012-07-24 13:41 ` Stefan Hajnoczi
2012-07-24 13:41 ` [Qemu-devel] " Stefan Hajnoczi
2012-07-24 13:41 ` Stefan Hajnoczi
2012-07-25 9:13 ` Yoshihiro YUNOMAE
2012-07-25 9:13 ` [Qemu-devel] " Yoshihiro YUNOMAE
2012-07-25 9:13 ` Re: " Yoshihiro YUNOMAE
2012-07-26 10:52 ` Stefan Hajnoczi
2012-07-26 10:52 ` [Qemu-devel] " Stefan Hajnoczi
2012-07-26 10:52 ` Re: " Stefan Hajnoczi
2012-07-24 13:43 ` Stefan Hajnoczi
2012-07-24 13:43 ` [Qemu-devel] " Stefan Hajnoczi
2012-07-24 13:43 ` Stefan Hajnoczi
2012-07-24 11:03 ` Masami Hiramatsu
2012-07-24 20:26 ` [Qemu-devel] " Blue Swirl
2012-07-24 20:26 ` Blue Swirl
2012-07-25 8:15 ` Masami Hiramatsu
2012-07-25 8:15 ` Masami Hiramatsu
2012-07-25 8:15 ` Masami Hiramatsu
2012-07-27 18:58 ` Blue Swirl
2012-07-27 18:58 ` Blue Swirl
2012-07-27 18:58 ` Blue Swirl
2012-07-26 11:35 ` Amit Shah
2012-07-26 11:35 ` [Qemu-devel] " Amit Shah
2012-07-26 11:35 ` Amit Shah
2012-07-27 8:55 ` Yoshihiro YUNOMAE
2012-07-27 8:55 ` [Qemu-devel] " Yoshihiro YUNOMAE
2012-07-27 8:55 ` Yoshihiro YUNOMAE
2012-07-27 9:43 ` Amit Shah
2012-07-27 9:43 ` [Qemu-devel] " Amit Shah
2012-07-27 9:43 ` Amit Shah
2012-07-31 0:52 ` Yoshihiro YUNOMAE
2012-07-31 0:52 ` [Qemu-devel] " Yoshihiro YUNOMAE
2012-07-31 0:52 ` Re: " Yoshihiro YUNOMAE
2012-08-09 10:16 ` Amit Shah
2012-08-09 10:16 ` [Qemu-devel] " Amit Shah
2012-08-09 10:16 ` Amit Shah
2012-08-21 2:17 ` Rusty Russell
2012-08-21 2:17 ` [Qemu-devel] " Rusty Russell
2012-08-21 2:17 ` Rusty Russell
2012-08-21 5:09 ` Amit Shah
2012-08-21 5:09 ` [Qemu-devel] " Amit Shah
2012-08-21 5:09 ` Amit Shah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120809101447.GM3280@amit.redhat.com \
--to=amit.shah@redhat.com \
--cc=anthony@codemonkey.ws \
--cc=arnd@arndb.de \
--cc=avi@redhat.com \
--cc=bp@amd64.org \
--cc=fche@redhat.com \
--cc=fweisbec@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.hengli.com.au \
--cc=linux-kernel@vger.kernel.org \
--cc=masami.hiramatsu.pt@hitachi.com \
--cc=mathieu.desnoyers@efficios.com \
--cc=mingo@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rostedt@goodmis.org \
--cc=rusty@rustcorp.com.au \
--cc=virtualization@lists.linux-foundation.org \
--cc=yoshihiro.yunomae.ez@hitachi.com \
--cc=yrl.pp-manager.tt@hitachi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.