From: Sasha Levin <sasha.levin@oracle.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Sasha Levin <levinsasha928@gmail.com>,
Pekka Enberg <penberg@kernel.org>,
Asias He <asias.hejun@gmail.com>,
penberg@cs.helsinki.fi, Cyrill Gorcunov <gorcunov@gmail.com>,
Will Deacon <will.deacon@arm.com>,
andre.przywara@arm.com, matt@ozlabs.org, laijs@cn.fujitsu.com,
Michael Ellerman <michael@ellerman.id.au>,
Prasad Joshi <prasadjoshi124@gmail.com>,
marc.zyngier@arm.com,
"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>,
mingo@elte.hu, gorcunov@openvz.org,
andreas.herrmann@caviumnetworks.com, kvm@vger.kernel.org,
Kostya Serebryany <kcc@google.com>,
Evgenii Stepanov <eugenis@google.com>,
Alexey Samsonov <samsonov@google.com>,
Alexander Potapenko <glider@google.com>
Subject: Re: sanitizing kvmtool
Date: Mon, 19 Oct 2015 11:08:15 -0400 [thread overview]
Message-ID: <5625075F.4010508@oracle.com> (raw)
In-Reply-To: <CACT4Y+b_mF+CcY3VAPPH6w+YEkd3UaKXfjK6b5CHYgDy2TGnCg@mail.gmail.com>
On 10/19/2015 10:47 AM, Dmitry Vyukov wrote:
>> Right, the memory areas that are accessed both by the hypervisor and the guest
>> > should be treated as untrusted input, but the hypervisor is supposed to validate
>> > the input carefully before using it - so I'm not sure how data races would
>> > introduce anything new that we didn't catch during validation.
>
> One possibility would be: if result of a racy read is passed to guest,
> that can leak arbitrary host data into guest. Does not sound good.
> Also, without usage of proper atomic operations, it is basically
> impossible to verify untrusted data, as it can be changing under your
> feet. And storing data into a local variable does not prevent the data
> from changing.
What's missing here is that the guest doesn't directly read/write the memory:
every time it accesses a memory that is shared with the host it will trigger
an exit, which will stop the vcpu thread that made the access and kernel side
kvm will pass the hypervisor the value the guest wrote (or the memory address
it attempted to read). The value/address can't change under us in that scenario.
> There are also some data races with free(), it does not looks good at all.
I definitely agree there are quite a few real bugs there :)
Thanks,
Sasha
next prev parent reply other threads:[~2015-10-19 15:09 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CACT4Y+ZX71GiGzDrk4hSYVrWdoZ1eoPBdUYR_z4jY-mgOCZCuA@mail.gmail.com>
2015-10-15 10:23 ` sanitizing kvmtool Dmitry Vyukov
2015-10-17 14:16 ` Sasha Levin
2015-10-19 8:37 ` Dmitry Vyukov
2015-10-19 14:19 ` Sasha Levin
2015-10-19 14:24 ` Dmitry Vyukov
2015-10-19 14:35 ` Sasha Levin
2015-10-19 14:47 ` Dmitry Vyukov
2015-10-19 15:08 ` Sasha Levin [this message]
2015-10-19 15:15 ` Dmitry Vyukov
2015-10-21 17:07 ` Sasha Levin
2015-10-25 9:13 ` Dmitry Vyukov
2015-10-25 15:19 ` Paolo Bonzini
2015-10-25 19:06 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5625075F.4010508@oracle.com \
--to=sasha.levin@oracle.com \
--cc=andre.przywara@arm.com \
--cc=andreas.herrmann@caviumnetworks.com \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=asias.hejun@gmail.com \
--cc=dvyukov@google.com \
--cc=eugenis@google.com \
--cc=glider@google.com \
--cc=gorcunov@gmail.com \
--cc=gorcunov@openvz.org \
--cc=kcc@google.com \
--cc=kvm@vger.kernel.org \
--cc=laijs@cn.fujitsu.com \
--cc=levinsasha928@gmail.com \
--cc=marc.zyngier@arm.com \
--cc=matt@ozlabs.org \
--cc=michael@ellerman.id.au \
--cc=mingo@elte.hu \
--cc=penberg@cs.helsinki.fi \
--cc=penberg@kernel.org \
--cc=prasadjoshi124@gmail.com \
--cc=samsonov@google.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).