From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jan Kiszka Subject: Re: [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses Date: Mon, 17 Oct 2011 21:11:29 +0200 Message-ID: <4E9C7DE1.3030706@web.de> References: <57386830befff359aa6eac1610816eb9c853a05d.1318843693.git.jan.kiszka@siemens.com> <20111017111045.GB4537@redhat.com> <4E9C1042.4040007@siemens.com> <20111017115721.GF4537@redhat.com> <4E9C1A6E.1010404@siemens.com> <20111017125031.GJ4537@redhat.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig726AECBE1304DC302AC1CF3E" Cc: Alex Williamson , Marcelo Tosatti , Avi Kivity , "kvm@vger.kernel.org" , "qemu-devel@nongnu.org" To: "Michael S. Tsirkin" Return-path: In-Reply-To: <20111017125031.GJ4537@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+gceq-qemu-devel=gmane.org@nongnu.org Sender: qemu-devel-bounces+gceq-qemu-devel=gmane.org@nongnu.org List-Id: kvm.vger.kernel.org This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig726AECBE1304DC302AC1CF3E Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 2011-10-17 14:50, Michael S. Tsirkin wrote: > On Mon, Oct 17, 2011 at 02:07:10PM +0200, Jan Kiszka wrote: >> On 2011-10-17 13:57, Michael S. Tsirkin wrote: >>> On Mon, Oct 17, 2011 at 01:23:46PM +0200, Jan Kiszka wrote: >>>> On 2011-10-17 13:10, Michael S. Tsirkin wrote: >>>>> On Mon, Oct 17, 2011 at 11:27:40AM +0200, Jan Kiszka wrote: >>>>>> Only accesses to the MSI-X table must trigger a call to >>>>>> msix_handle_mask_update or a notifier invocation. >>>>>> >>>>>> Signed-off-by: Jan Kiszka >>>>> >>>>> Why would msix_mmio_write be called on an access >>>>> outside the table? >>>> >>>> Because it handles both the table and the PBA. >>> >>> Hmm. Interesting. Is there a bug in how we handle PBA >>> updates then? If yes I'd like a separate patch for that >>> to apply to the stable tree. >> >> I first thought it was a serious bug, but it just triggers if the gues= t >> write to PBA (which is very uncommon) and that actually triggers any >> spurious out-of-bounds vector injection. Highly unlikely. >=20 > Yes guests don't really use PBA ATM. But is there something > bad a malicious guest can do? For example, what if > msix_clr_pending gets invoked with this huge vector value? >=20 > It does seem serious ... I checked it before and I think it is harmless. The largest vector that can be miscalculated is 255. But bit 255 in the PBA is still safe inside our MMIO page. Jan --------------enig726AECBE1304DC302AC1CF3E Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6cfeEACgkQitSsb3rl5xQ41QCfR4C3DJAQP9wmzChjmqRbEIIF bs4AoLxE3nMfFluiSv8LgOqiwqYLb0HO =cuwc -----END PGP SIGNATURE----- --------------enig726AECBE1304DC302AC1CF3E-- From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:36742) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RFxev-0006Jx-T8 for qemu-devel@nongnu.org; Mon, 17 Oct 2011 20:35:59 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1RFxet-0003JL-KQ for qemu-devel@nongnu.org; Mon, 17 Oct 2011 20:35:57 -0400 Received: from fmmailgate03.web.de ([217.72.192.234]:47988) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RFxet-0003Hh-2m for qemu-devel@nongnu.org; Mon, 17 Oct 2011 20:35:55 -0400 Received: from moweb001.kundenserver.de (moweb001.kundenserver.de [172.19.20.114]) by fmmailgate03.web.de (Postfix) with ESMTP id 8F1F41A43A87C for ; Mon, 17 Oct 2011 21:24:02 +0200 (CEST) Message-ID: <4E9C7DE1.3030706@web.de> Date: Mon, 17 Oct 2011 21:11:29 +0200 From: Jan Kiszka MIME-Version: 1.0 References: <57386830befff359aa6eac1610816eb9c853a05d.1318843693.git.jan.kiszka@siemens.com> <20111017111045.GB4537@redhat.com> <4E9C1042.4040007@siemens.com> <20111017115721.GF4537@redhat.com> <4E9C1A6E.1010404@siemens.com> <20111017125031.GJ4537@redhat.com> In-Reply-To: <20111017125031.GJ4537@redhat.com> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig726AECBE1304DC302AC1CF3E" Subject: Re: [Qemu-devel] [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: "Michael S. Tsirkin" Cc: Alex Williamson , Marcelo Tosatti , Avi Kivity , "kvm@vger.kernel.org" , "qemu-devel@nongnu.org" This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig726AECBE1304DC302AC1CF3E Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 2011-10-17 14:50, Michael S. Tsirkin wrote: > On Mon, Oct 17, 2011 at 02:07:10PM +0200, Jan Kiszka wrote: >> On 2011-10-17 13:57, Michael S. Tsirkin wrote: >>> On Mon, Oct 17, 2011 at 01:23:46PM +0200, Jan Kiszka wrote: >>>> On 2011-10-17 13:10, Michael S. Tsirkin wrote: >>>>> On Mon, Oct 17, 2011 at 11:27:40AM +0200, Jan Kiszka wrote: >>>>>> Only accesses to the MSI-X table must trigger a call to >>>>>> msix_handle_mask_update or a notifier invocation. >>>>>> >>>>>> Signed-off-by: Jan Kiszka >>>>> >>>>> Why would msix_mmio_write be called on an access >>>>> outside the table? >>>> >>>> Because it handles both the table and the PBA. >>> >>> Hmm. Interesting. Is there a bug in how we handle PBA >>> updates then? If yes I'd like a separate patch for that >>> to apply to the stable tree. >> >> I first thought it was a serious bug, but it just triggers if the gues= t >> write to PBA (which is very uncommon) and that actually triggers any >> spurious out-of-bounds vector injection. Highly unlikely. >=20 > Yes guests don't really use PBA ATM. But is there something > bad a malicious guest can do? For example, what if > msix_clr_pending gets invoked with this huge vector value? >=20 > It does seem serious ... I checked it before and I think it is harmless. The largest vector that can be miscalculated is 255. But bit 255 in the PBA is still safe inside our MMIO page. Jan --------------enig726AECBE1304DC302AC1CF3E Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6cfeEACgkQitSsb3rl5xQ41QCfR4C3DJAQP9wmzChjmqRbEIIF bs4AoLxE3nMfFluiSv8LgOqiwqYLb0HO =cuwc -----END PGP SIGNATURE----- --------------enig726AECBE1304DC302AC1CF3E--