From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Michael S. Tsirkin" Subject: Re: [RFC][PATCH 06/45] msix: Prevent bogus mask updates on MMIO accesses Date: Mon, 17 Oct 2011 21:43:31 +0200 Message-ID: <20111017194330.GA10756@redhat.com> References: <57386830befff359aa6eac1610816eb9c853a05d.1318843693.git.jan.kiszka@siemens.com> <20111017111045.GB4537@redhat.com> <4E9C1042.4040007@siemens.com> <20111017115721.GF4537@redhat.com> <4E9C1A6E.1010404@siemens.com> <20111017125031.GJ4537@redhat.com> <4E9C7DE1.3030706@web.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Avi Kivity , Marcelo Tosatti , "kvm@vger.kernel.org" , Alex Williamson , "qemu-devel@nongnu.org" To: Jan Kiszka Return-path: Received: from mx1.redhat.com ([209.132.183.28]:41404 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753675Ab1JQTm2 (ORCPT ); Mon, 17 Oct 2011 15:42:28 -0400 Content-Disposition: inline In-Reply-To: <4E9C7DE1.3030706@web.de> Sender: kvm-owner@vger.kernel.org List-ID: On Mon, Oct 17, 2011 at 09:11:29PM +0200, Jan Kiszka wrote: > On 2011-10-17 14:50, Michael S. Tsirkin wrote: > > On Mon, Oct 17, 2011 at 02:07:10PM +0200, Jan Kiszka wrote: > >> On 2011-10-17 13:57, Michael S. Tsirkin wrote: > >>> On Mon, Oct 17, 2011 at 01:23:46PM +0200, Jan Kiszka wrote: > >>>> On 2011-10-17 13:10, Michael S. Tsirkin wrote: > >>>>> On Mon, Oct 17, 2011 at 11:27:40AM +0200, Jan Kiszka wrote: > >>>>>> Only accesses to the MSI-X table must trigger a call to > >>>>>> msix_handle_mask_update or a notifier invocation. > >>>>>> > >>>>>> Signed-off-by: Jan Kiszka > >>>>> > >>>>> Why would msix_mmio_write be called on an access > >>>>> outside the table? > >>>> > >>>> Because it handles both the table and the PBA. > >>> > >>> Hmm. Interesting. Is there a bug in how we handle PBA > >>> updates then? If yes I'd like a separate patch for that > >>> to apply to the stable tree. > >> > >> I first thought it was a serious bug, but it just triggers if the guest > >> write to PBA (which is very uncommon) and that actually triggers any > >> spurious out-of-bounds vector injection. Highly unlikely. > > > > Yes guests don't really use PBA ATM. But is there something > > bad a malicious guest can do? For example, what if > > msix_clr_pending gets invoked with this huge vector value? > > > > It does seem serious ... > > I checked it before and I think it is harmless. The largest vector that > can be miscalculated is 255. But bit 255 in the PBA is still safe inside > our MMIO page. > > Jan > you are right. we got lucky.