From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Michael S. Tsirkin"
Subject: Re: [PATCH V2] device-assignment pci: correct pci config size default for cap version 2 endpoints
Date: Sun, 24 Jul 2011 11:36:37 +0300
Message-ID: <20110724083637.GE24483@redhat.com>
References: <20110721163733.661.22067.stgit@dddsys0.bos.redhat.com> <1311267773.26867.7.camel@ul30vt>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Donald Dutile, kvm@vger.kernel.org
To: Alex Williamson
Received: from mx1.redhat.com ([209.132.183.28]:15016 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751984Ab1GXIgJ (ORCPT); Sun, 24 Jul 2011 04:36:09 -0400
Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id p6O8a8we010417 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 24 Jul 2011 04:36:08 -0400
Content-Disposition: inline
In-Reply-To: <1311267773.26867.7.camel@ul30vt>
Sender: kvm-owner@vger.kernel.org
List-ID: kvm@vger.kernel.org

On Thu, Jul 21, 2011 at 11:02:53AM -0600, Alex Williamson wrote:
> This is crazy, why would we only test this for PCI_CAP_ID_EXP? If the
> test is going to go in device-assignment, we need to wrap
> pci_add_capability and do it for all callers. However, maybe we can get
> MST to take it in pci_add_capability() if we make the test more
> complete... something like:
>
>     if ((pos < 256 && size > 256 - pos) ||
>         (pci_config_size() > 256 && pos > 256 &&
>          size > pci_config_size() - pos)) {
>         ... badness
>
> Thanks,
>
> Alex

We expect device assignment to be able to corrupt guest memory
but not qemu memory. So we must validate whatever we get from
the device, and I think this validation belongs in device-assignment.c:
IOW I think input should be validated where it's input, while we
still know it's untrusted, instead of relying on core to validate
parameters.

Makes sense?

-- 
MST
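The check Alex sketches above, written out as a stand-alone example for this page (it is not qemu-kvm code and not either author's patch): a capability at an untrusted offset/size must fit inside the device's config space and must not straddle the 256-byte boundary between conventional and extended space. The `cap_fits_config` and `add_cap_checked` names, the buffer layout and the sample capability payload are constructed for the illustration; only the 256 and 4096 byte sizes come from the PCI specification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCI_CONFIG_SPACE_SIZE  256   /* conventional config space, bytes */
#define PCIE_CONFIG_SPACE_SIZE 4096  /* PCIe extended config space, bytes */

/*
 * Does a capability occupying [pos, pos + size) fit in a config space of
 * config_size bytes?  Conventional capabilities (pos < 256) must end at or
 * before 256; extended ones must end at or before config_size.  Subtraction
 * instead of addition means a huge device-supplied size cannot wrap around.
 */
static bool cap_fits_config(uint32_t pos, uint32_t size, uint32_t config_size)
{
    if (size == 0 || pos >= config_size)
        return false;
    if (pos < PCI_CONFIG_SPACE_SIZE)
        return size <= PCI_CONFIG_SPACE_SIZE - pos;
    return size <= config_size - pos;
}

/*
 * Hypothetical helper: copy a device-supplied capability into the emulated
 * config buffer only after validating it, since pos and size are untrusted
 * values read from the physical device.  Returns 0 on success, -1 if rejected.
 */
static int add_cap_checked(uint8_t *config, uint32_t config_size,
                           uint32_t pos, const uint8_t *data, uint32_t size)
{
    if (!cap_fits_config(pos, size, config_size))
        return -1;
    memcpy(config + pos, data, size);
    return 0;
}

int main(void)
{
    uint8_t config[PCIE_CONFIG_SPACE_SIZE] = {0};
    uint8_t cap[16];
    memset(cap, 0xAB, sizeof(cap));   /* constructed capability payload */
    /* 0xF8 + 8 ends exactly at 256: the last place a conventional cap fits */
    printf("pos 0xF8 size 8 in 256B:   %d\n", add_cap_checked(config, 256, 0xF8, cap, 8));
    /* 0xFC + 8 would straddle the 256 boundary: rejected even with 4K space */
    printf("pos 0xFC size 8 in 4K:     %d\n", add_cap_checked(config, 4096, 0xFC, cap, 8));
    /* extended capability that fits in a 4K config space */
    printf("pos 0x100 size 16 in 4K:   %d\n", add_cap_checked(config, 4096, 0x100, cap, 16));
    return 0;
}
```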