From: Alex Williamson <alex.williamson@redhat.com>
To: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Avi Kivity <avi@redhat.com>,
Marcelo Tosatti <mtosatti@redhat.com>, kvm <kvm@vger.kernel.org>,
"vedun@ispras.ru" <vedun@ispras.ru>
Subject: Re: [PATCH] KVM: Fix PCI header check on device assignment
Date: Wed, 06 Jun 2012 06:50:13 -0600
Message-ID: <1338987013.23475.276.camel@bling.home>
In-Reply-To: <4FCF3C71.2040601@siemens.com>
On Wed, 2012-06-06 at 13:18 +0200, Jan Kiszka wrote:
> On 2012-06-06 13:12, Avi Kivity wrote:
> > On 06/05/2012 08:13 PM, Alex Williamson wrote:
> >> On Tue, 2012-06-05 at 10:37 +0200, Jan Kiszka wrote:
> >>> The masking was wrong (must have been 0x7f), and there is no need to
> >>> re-read the value as pci_setup_device already does this for us.
> >>
> >> The intent was to mask off the multifunction bit from header_type, but
> >> the implementation is clearly wrong. hdr_type does both. Thanks
> >>
> >>> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=43339
> >>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> >>
> >> Acked-by: Alex Williamson <alex.williamson@redhat.com>
> >
> > From your comment in the bugzilla entry I conclude that there is no need
> > to get this into 3.5. Is this correct?
>
> As I assess this (and I think Alex meant the same), this is not a
> critical fix or even a security issue, just a (so far broken) safety
> belt for users that are privileged anyway. Also, there were no valid
> devices accidentally excluded due to the bug.
Right. If a bridge does not have BARs (apparently what I tested on), it
will get rejected from assignment because we assume devices without
resources are special. If it does have BARs, some privileged entity
needs to grant permissions to the resources, just like any other device.
So while the existing code doesn't close the misconfiguration window we
were trying for, it doesn't expose any kind of security issue. Thanks,
Alex
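
Added example, not part of the thread or the patch: a user-space C model of the two checks discussed above, the header-type test with the 0x7f mask and the "no resources" rejection. The function names, the verdict enum, the `mask` parameter and the non-zero-BAR test for "has resources" are assumptions made for illustration; the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Standard PCI configuration-space layout (PCI Local Bus specification). */
#define CFG_HEADER_TYPE   0x0e  /* one byte */
#define CFG_BAR0          0x10  /* first base address register */
#define HDR_LAYOUT_MASK   0x7f  /* bits 6:0 = layout, bit 7 = multifunction */
#define HDR_LAYOUT_NORMAL 0x00  /* type 0 endpoint, six BARs */
#define HDR_LAYOUT_BRIDGE 0x01  /* PCI-to-PCI bridge, two BARs */

enum verdict { ASSIGN_OK, REJECT_HEADER, REJECT_NO_RESOURCES };

/* Simplified stand-in for "device has resources": any BAR register non-zero. */
static int has_bars(const uint8_t *cfg)
{
    uint8_t layout = cfg[CFG_HEADER_TYPE] & HDR_LAYOUT_MASK;
    size_t nbars = layout == HDR_LAYOUT_NORMAL ? 6 :
                   layout == HDR_LAYOUT_BRIDGE ? 2 : 0;

    for (size_t i = 0; i < nbars * 4; i++)
        if (cfg[CFG_BAR0 + i])
            return 1;
    return 0;
}

/* Hypothetical model of the two checks; 'mask' is a parameter only so the
 * effect of a wrong mask can be compared with the correct 0x7f. */
enum verdict check_assignable(const uint8_t *cfg, uint8_t mask)
{
    if ((cfg[CFG_HEADER_TYPE] & mask) != HDR_LAYOUT_NORMAL)
        return REJECT_HEADER;        /* bridges, CardBus */
    if (!has_bars(cfg))
        return REJECT_NO_RESOURCES;  /* "devices without resources are special" */
    return ASSIGN_OK;
}

/* Constructed 64-byte header: only the header type and BAR0 are filled in. */
void make_cfg(uint8_t *cfg, uint8_t header_type, uint32_t bar0)
{
    for (size_t i = 0; i < 64; i++)
        cfg[i] = 0;
    cfg[CFG_HEADER_TYPE] = header_type;
    for (size_t i = 0; i < 4; i++)   /* config space is little-endian */
        cfg[CFG_BAR0 + i] = (uint8_t)(bar0 >> (8 * i));
}
```

With a constructed wrong mask such as 0x7e (not taken from the thread), a bridge without BARs still ends in REJECT_NO_RESOURCES, while a bridge with BARs gets past both checks; ASSIGN_OK here only means these two checks passed, and access to the resources still has to be granted separately.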